[Bug 26332] Applications should only use EME APIs on secure origins (e.g. HTTPS)

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332

--- Comment #63 from David Dorwin <ddorwin@google.com> ---
(In reply to Mark Watson from comment #59)
> I know. Let me take a step back. Attacks #1 and #2 are not mitigated by
> secure origin. Other mitigations as outlined in the privacy section need to
> be in place.
> 
> What I said was - assuming those mitigations are in place - then what's left
> of attacks #5 and #6 is no worse with EME than it is without EME.
> Specifically, I did not compare non-clearable identifiers to fingerprinting
> / local storage, I compared clearable, origin-specific, identifiers to those
> things.

Are you arguing for possible option 2 or 3 in comment #0 or that we should
normatively require the mitigations for attacks #1 and #2? The former still
requires that Netflix and others support HTTPS for some of their traffic. The
latter is not possible with many current DRM implementations (so you have the
same transition issue).

> It's being argued here that migration to HTTPS is trivial, low cost, and
> therefore a reasonable thing to expect people to do when migrating from
> plug-ins to EME, even though the technical rationale is weak / restricted to
> CDMs that do not follow the privacy / security mitigations in the document
> (but nevertheless somehow get themselves integrated into a UA).

One concern is that flexibility will be abused (i.e. some applications will
never support HTTPS, preventing user agents from ever enforcing it). A
corollary is that the web platform may be segmented or some user agents may be
forced to do the wrong thing if content providers do not support HTTPS. Maybe
there are [non-spec] options for avoiding this while slowly ramping up the
HTTPS traffic. However, as Ryan says, this is a diversion from the core issue.
It's really related to smoothing the transition once the core issue has been
resolved.

> 
> I'm disputing both that it is low-cost, particularly at scale, and that the
> mitigations in the document are insufficient.

Do you have a proposal for normative mitigation text? Maybe we should open a
separate bug for that.

Received on Thursday, 21 August 2014 22:48:41 UTC