[Bug 27272] Normatively require distinctive identifiers to be encrypted on the Key System level when EME is not being restricted to secure origins only from bugzilla@jessica.w3.org on 2014-11-10 (public-html-bugzilla@w3.org from November 2014)

From: <bugzilla@jessica.w3.org>
Date: Mon, 10 Nov 2014 22:44:36 +0000
To: public-html-bugzilla@w3.org
Message-ID: <bug-27272-2486-oyBVFrEINx@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=27272

David Dorwin <ddorwin@google.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sleevi@google.com

--- Comment #3 from David Dorwin <ddorwin@google.com> ---
(In reply to Henri Sivonen from comment #0)
> When the use of EME is not restricted to secure origins only (including
> ancestors; bug 27271), distinctive identifiers can be exposed eavesdroppers,
> which is bad for privacy. To at least hide distinctive identifiers from
> passive eavesdroppers and from active attackers who don't have a key server
> at their disposal, I think the spec should require Key System-level
> encryption when the secure origin restriction is not being enforced.

I want to highlight that the original case makes a case for strongly
recommending (if not requiring) encryption even when requiring secure origins.
We might want to update the summary to cover that.

Note that "encryption" alone is not a sufficient requirement. The encryption
implementation must ensure that the ciphertext is not usable as a distinctive
identifier.
> 
> It is worth noting that Key System-level encryption is somewhat stronger
> requirement than an https requirement, because it does a bit more in terms
> of the budget/effort required for the attacker to become the recipient for
> whom data is encrypted. Obtaining an https certificate for an
> attacker-controlled domain is well within the capability of even very
> low-budget coffee shop attackers. Obtaining and operating key server
> requires more budget and effort.

Another/An additional mitigation of such an attack is for the user agent to
inform or warn users when such identifiers are exposed. User are unlikely to
allow access to an identifier related to media, especially from an unknown
domain, when browsing other sites. The warning is also a deterrent from
launching such attacks (at least on user agents that surface the request). See
bug 27165, though it is currently specific to unclearable identifiers.
> 
> On the other hand, https encryption is performed by the User Agent while Key
> System-level encryption is performed by the CDM. Thus, someone who treats
> the CDM as un-trusted is able to audit a User Agent to perform https
> encryption properly, but auditing the User Agent shows nothing about Key
> System-level encryption not having a covert channel disclosing data to
> eavesdroppers in addition to carrying data to the key server (i.e. some part
> of the random-looking supposedly encrypted data is actually something else).

This is one of the reasons enforcement of secure origins (bug 26332) is
important regardless of CDM/key system mitigations.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

Received on Monday, 10 November 2014 22:44:38 UTC