[Bug 26332] Applications should only use EME APIs on secure origins (e.g. HTTPS)

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332

--- Comment #41 from Joe Steele <steele@adobe.com> ---
(In reply to Ryan Sleevi from comment #39)
> (In reply to Joe Steele from comment #38)
> > Putting aside the dangers of CDMs running un-sandboxed code, I am not
> > convinced that this change would result in much better privacy. 
> > 
> > This would secure network communications against man-in-the-middle snooping
> > at the potential expense of usability on some browsers. But the information
> > would still be provided to the origin that requested it. 
> > 
> > From a practical point of view, getting you to visit my secure (but rogue)
> > domain is much easier than getting between you and a legitimate server
> > (secure or not). 
> > 
> > So if there were a "rogue" CDM that leaks an insecure permanent user
> > identifier -- it could still do that. 
> > 
> > I think having guidelines for what UAs should watch out for before agreeing
> > to include a potentially "rogue" CDM is a better approach.
> 
> I think you're conflating two things.

What are the two things you think I am conflating?

> 
> Allowed on an insecure origin, any MITM can themselves play as a rogue CDM.

I don't understand what you mean here. Are you talking about a MITM injecting
script into the application? (this is feasible) Or are you talking about a MITM
injecting a rogue CDM? (this is less feasible, but if we are stipulating an
untrustworthy UA anything is possible)

> That is, even if you prompted and included a rogue CDM, network-level
> attackers (of which there are many, and increasing, as evidence shows)
> should not be able to infer or extract tracing data from it.

My point is that we are better off asking UAs to prevent rogue CDMs than
requiring UAs to implement security half-measures against what they might do. 

> 
> I absolutely agree that an evil origin could collude with a rogue CDM to
> track the user. That's covered in the security properties. What isn't
> covered is the fact that any evil network can collude with a rogue CDM - or
> the fact that a "rogue CDM" is an abstract concept that it seems some are
> committed to declaring "out of scope", ergo by definition, "not rogue".


Received on Tuesday, 19 August 2014 22:35:16 UTC
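As an added illustration of the user-agent check the bug title asks for (example code, not from the bug thread, from Adobe, or from any browser), the block below models a secure-origin gate in front of the EME entry point. The origin rules are assumed from the W3C Secure Contexts definition of a "potentially trustworthy origin" (https/wss/file schemes, localhost names, loopback addresses); the function names and the fake request function are hypothetical, and the sample origins are constructed.

```javascript
// Added example: a model of the secure-origin gate that Bug 26332 asks
// user agents to put in front of requestMediaKeySystemAccess. Not code
// from the bug thread or from any browser; function names are hypothetical.
//
// Assumption: the trustworthiness rules below follow the W3C Secure Contexts
// definition of a "potentially trustworthy origin".

function isPotentiallyTrustworthyOrigin(originString) {
  let url;
  try {
    url = new URL(originString);
  } catch (e) {
    return false; // unparsable origin: fail closed
  }
  if (['https:', 'wss:', 'file:'].includes(url.protocol)) return true;

  const host = url.hostname; // WHATWG URL keeps IPv6 hosts bracketed, e.g. "[::1]"
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (host === '[::1]') return true;
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true; // 127.0.0.0/8
  return false;
}

// Decide whether a page at `origin` may use EME for `keySystem`.
// Returns a plain result object so the policy can be tested without a browser.
function emeAccessDecision(origin, keySystem) {
  if (!isPotentiallyTrustworthyOrigin(origin)) {
    return {
      allowed: false,
      reason: `EME denied for ${keySystem}: ${origin} is not a secure origin; ` +
              'a network attacker could inject script and drive the CDM',
    };
  }
  return { allowed: true, reason: `EME permitted for ${keySystem} on ${origin}` };
}

// Simulated UA entry point: the real request only runs once the gate passes.
// `requestFn` stands in for navigator.requestMediaKeySystemAccess.
function guardedRequestMediaKeySystemAccess(origin, keySystem, configs, requestFn) {
  const decision = emeAccessDecision(origin, keySystem);
  if (!decision.allowed) {
    const err = new Error(decision.reason);
    err.name = 'SecurityError';
    return Promise.reject(err);
  }
  return requestFn(keySystem, configs);
}

// Stand-alone demonstration with a constructed fake request function.
const fakeRequest = (keySystem, configs) =>
  Promise.resolve({ keySystem, configs, note: 'constructed fake access object' });

guardedRequestMediaKeySystemAccess('http://video.example', 'org.w3.clearkey', [], fakeRequest)
  .catch((e) => console.log('insecure origin:', e.name, '-', e.message));
guardedRequestMediaKeySystemAccess('https://video.example', 'org.w3.clearkey', [], fakeRequest)
  .then((access) => console.log('secure origin: granted', access.keySystem));
```

The gate closes only the path Ryan Sleevi describes, a network attacker rewriting an http page so that injected script drives the CDM; it does nothing about the case Joe Steele raises, a secure origin the user visits voluntarily that colludes with the CDM, which is why the thread also discusses vetting CDMs before a UA includes them. On the application side, `window.isSecureContext` is the signal a page can consult before calling `navigator.requestMediaKeySystemAccess`.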