- From: <bugzilla@jessica.w3.org>
- Date: Fri, 07 Nov 2014 12:32:19 +0000
- To: public-html-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332

--- Comment #132 from Henri Sivonen <hsivonen@hsivonen.fi> ---
(In reply to David Dorwin from comment #127)
> (In reply to Henri Sivonen from comment #123)
> Anne's proposal in comment #125 seems like a reasonable approach to avoid
> this.

Yes.

> > Also, restricting EME to https origins the way Chrome has restricted Web
> > Crypto to https origins—i.e. requiring the origin that calls the API to be
> > an https origin—is not good enough to address the concerns that Ryan raises
> > in https://twitter.com/sleevi_/status/526586427656507394 and in
> > https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332#c114 . The MITM would
> > inject an https iframe into http pages such that the https iframe loads from
> > a MITM-controlled server that has a legitimately obtained certificate and
> > serves a JS app to talk with a MITM-controlled key server that sees the
> > identifier exposed by the key system. To make the DRM identifiers
> > unavailable to an active MITM (unless the MITM forges certificates), the
> > https-only restriction must apply to all origins in the whole chain of
> > browsing context from the browsing context using EME to the top-level
> > browsing context. In other words,
> > https://dvcs.w3.org/hg/html-media/rev/896eb33b68a2 does not actually address
> > the threats that Ryan has brought forward.
>
> Do you have a proposal for how to modify the existing text to address this
> concern?

Bug 27271.

> Please file a bug to add normative text around identifiers. If it includes
> proposed text, even better.

Definition: bug 27268
Partitioning: bug 27269
Forgettability: bug 27270

> > If the spec further required the key system to encrypt messages such that
> > the identifier is only visible to the key server, in terms of the id
> > exposure, the result would be close (equivalent even?) to the https case (as
> > currently written without the requirement for the whole browsing context
> > path to the top-level to be https-only) as far as the threat of a key
> > server-operating active MITM who injects EME-using iframes that connect to
> > the MITM-operated key server goes.
>
> You could file a bug for this too. I'm not sure what the normative text
> would look like.

Bug 27272.

--
You are receiving this mail because:
You are the QA Contact for the bug.
Received on Friday, 7 November 2014 12:32:22 UTC
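
The two restrictions contrasted in the comment above (https required only for the origin calling the API, versus https required for every origin up to the top-level browsing context), as an added example that is not part of the original message, the EME specification, or any browser's code. The `{ origin, parent }` context model, the function names and the `.example` origins are assumptions made for illustration.

```javascript
// Hypothetical model: a browsing context is { origin, parent },
// with parent === null for the top-level browsing context.

// Collect origins from the given context up to the top-level context.
function contextChain(ctx) {
  const chain = [];
  for (let c = ctx; c !== null; c = c.parent) chain.push(c.origin);
  return chain;
}

// True only if the origin string parses and its scheme is https.
function isHttpsOrigin(origin) {
  try {
    return new URL(origin).protocol === "https:";
  } catch {
    return false; // malformed or opaque origins are treated as not secure
  }
}

// Restriction A: only the origin that calls the API must be https.
function callerOnlyPolicy(ctx) {
  return isHttpsOrigin(ctx.origin);
}

// Restriction B: every origin in the chain to the top level must be https.
function wholeChainPolicy(ctx) {
  return contextChain(ctx).every(isHttpsOrigin);
}

// Evaluate both restrictions for one context.
function evaluate(ctx) {
  return { callerOnly: callerOnlyPolicy(ctx), wholeChain: wholeChainPolicy(ctx) };
}

// Constructed sample: the same https iframe under an http and an https page.
const httpTop = { origin: "http://news.example", parent: null };
const framedInHttp = { origin: "https://player.example", parent: httpTop };
const httpsTop = { origin: "https://news.example", parent: null };
const framedInHttps = { origin: "https://player.example", parent: httpsTop };

console.log("https iframe in http page: ", evaluate(framedInHttp));
console.log("https iframe in https page:", evaluate(framedInHttps));
```

The https iframe inside the http page satisfies restriction A but not restriction B, which is the gap the comment describes.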