- From: <bugzilla@jessica.w3.org>
- Date: Tue, 19 Aug 2014 22:16:50 +0000
- To: public-html-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332

--- Comment #39 from Ryan Sleevi <sleevi@google.com> ---

(In reply to Joe Steele from comment #38)

> Putting aside the dangers of CDMs running un-sandboxed code, I am not
> convinced that this change would result in much better privacy.
>
> This would secure network communications against man-in-the-middle snooping
> at the potential expense of usability on some browsers. But the information
> would still be provided to the origin that requested it.
>
> From a practical point of view, getting you to visit my secure (but rogue)
> domain is much easier than getting between you and a legitimate server
> (secure or not).
>
> So if there were a "rogue" CDM that leaks an insecure permanent user
> identifier -- it could still do that.
>
> I think having guidelines for what UAs should watch out for before agreeing
> to include a potentially "rogue" CDM is a better approach.

I think you're conflating two things.

Allowed on an insecure origin, any MITM can themselves play as a rogue CDM. That is, even if you prompted and included a rogue CDM, network-level attackers (of which there are many, and increasing, as evidence shows) should not be able to infer or extract tracing data from it.

I absolutely agree that an evil origin could collude with a rogue CDM to track the user. That's covered in the security properties. What isn't covered is the fact that any evil network can collude with a rogue CDM - or the fact that a "rogue CDM" is an abstract concept that it seems some are committed to declaring "out of scope", ergo by definition, "not rogue".
Received on Tuesday, 19 August 2014 22:16:52 UTC