[Bug 26332] Applications should only use EME APIs on secure origins (e.g. HTTPS)

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332

--- Comment #52 from David Dorwin <ddorwin@google.com> ---
(In reply to Henri Sivonen from comment #48)
Thanks for writing this.

There is another attack, which you mentioned in your discussion of #6. I think
we should consider it a separate attack:
7) A non-EME-using site (i.e. no reason to use protected media), ad network,
etc. uses EME to obtain a "permanent" identifier.


Below is a rough analysis of potential solutions to each of the attacks.

Avoiding #1 requires the ability for the user to clear the identifier provided
to the server. Many current DRM implementations do not support this.

Avoiding #2 requires providing different identifiers to each origin. Many, if
not most, current DRM implementations do not support this.

Avoiding #3 and #4 requires effectively anonymizing the identifier each time it
is used and/or secure transport.

Avoiding #5 requires a secure origin with mixed content enforcement or server
verification (i.e. whitelisting) by the CDM.

Avoiding #6 may require the mitigations for #5, the mitigations for #2 to make
it the same problem as #5, and/or user prompting to alert the user to the
inappropriate use of the EME APIs. Note that the prompting should be considered
ineffective in the presence of such an attacker when non-secure origins are
supported.

Avoiding #7 requires alerting the user (i.e. via a prompt), server
verification, and/or clearing such identifiers when other site data, such as
cookies, is cleared.


> Which ones of these attacks is this bug about defending against?

I think it's good to discuss all of them somewhere. I believe this bug is mostly
about #3-#6.

> Which ones of these attacks are
> CDMs deployed in IE, Chrome and Safari currently vulnerable to? What about
> the CDM that Opera demoed for "devices"?

While all of those major browsers could potentially adequately address these
attacks, especially on the desktop, there will be many other user agents using
a variety of DRM implementations that do not do so. This is especially true of
platform-based DRM, which tends to rely on a permanent unique identifier.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

Received on Thursday, 21 August 2014 20:57:11 UTC
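The analysis above says that defending against #1 needs a user-clearable identifier, against #2 an identifier that differs per origin, and against #5/#6 a secure-origin requirement. The following is an added illustration of how a user agent or CDM could combine those three properties, not code from the bug thread, from any browser, or from any DRM vendor. The device secret, the origin normalization, the simplified secure-origin test and the store class are all constructed for this example; a real CDM would keep the device secret inside its trusted boundary and would follow the full Secure Contexts definition rather than the HTTPS-or-localhost shortcut used here.

```python
"""Added example, not part of the bug discussion: derive an origin-scoped,
user-clearable identifier so the CDM's permanent device identifier never
reaches a page directly.

  - attack #1 (cannot clear): a per-profile salt is mixed in; rotating the
    salt on "clear site data" invalidates every identifier issued before.
  - attack #2 (cross-origin linking): the origin is part of the HMAC input,
    so two origins receive unrelated values.
  - attacks #5/#6 (non-secure origins): identifiers are refused unless the
    origin passes the (simplified) secure-origin check.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed stand-in for a device-bound DRM secret (lives inside the CDM).
DEVICE_SECRET = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def normalize_origin(url: str) -> str:
    """Reduce an absolute URL to its origin: lower-cased scheme, host and port.

    Hypothetical helper; IPv6 literals are not handled to keep it short.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme.lower())
    return f"{parts.scheme.lower()}://{parts.hostname.lower()}:{port}"


def is_secure_origin(origin: str) -> bool:
    """Simplified secure-context test: HTTPS, or plain HTTP on localhost only."""
    scheme, rest = origin.split("://", 1)
    host = rest.rsplit(":", 1)[0]
    return scheme == "https" or (scheme == "http" and host in ("localhost", "127.0.0.1"))


class CdmIdentifierStore:
    """Constructed model of the CDM side: one device secret, one profile salt."""

    def __init__(self, device_secret: bytes) -> None:
        self._device_secret = device_secret
        self._profile_salt = secrets.token_bytes(32)

    def identifier_for(self, url: str) -> str:
        """Return the identifier a page at `url` would see, or refuse it."""
        origin = normalize_origin(url)
        if not is_secure_origin(origin):
            raise PermissionError(f"EME identifier refused for non-secure origin {origin}")
        # HMAC keyed by the device secret over salt || 0x00 || origin.
        # The output reveals nothing about the device secret and cannot be
        # linked across origins without the secret.
        msg = self._profile_salt + b"\x00" + origin.encode("ascii")
        return hmac.new(self._device_secret, msg, hashlib.sha256).hexdigest()

    def clear_site_data(self) -> None:
        """Rotating the salt invalidates every previously issued identifier."""
        self._profile_salt = secrets.token_bytes(32)


if __name__ == "__main__":
    store = CdmIdentifierStore(DEVICE_SECRET)
    print("video site :", store.identifier_for("https://video.example/play"))
    print("ad network :", store.identifier_for("https://ads.example/track"))
    store.clear_site_data()
    print("after clear:", store.identifier_for("https://video.example/play"))
```

The same origin always maps to the same value until the user clears site data, two origins never share a value, and an `http://` page gets no identifier at all, which is the property this bug asks for. Per-use anonymization against #3 and #4 is a separate step (for example a fresh nonce in each license request) and is not modelled here.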