- From: <bugzilla@jessica.w3.org>
- Date: Fri, 07 Nov 2014 12:25:47 +0000
- To: public-html-media@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=27272 Bug ID: 27272 Summary: Normatively require distinctive identifiers to be encrypted on the Key System level when EME is not being restricted to secure origins only Product: HTML WG Version: unspecified Hardware: All OS: All Status: NEW Severity: normal Priority: P2 Component: Encrypted Media Extensions Assignee: adrianba@microsoft.com Reporter: hsivonen@hsivonen.fi QA Contact: public-html-bugzilla@w3.org CC: mike@w3.org, public-html-media@w3.org Depends on: 27268 When the use of EME is not restricted to secure origins only (including ancestors; bug 27271), distinctive identifiers can be exposed eavesdroppers, which is bad for privacy. To at least hide distinctive identifiers from passive eavesdroppers and from active attackers who don't have a key server at their disposal, I think the spec should require Key System-level encryption when the secure origin restriction is not being enforced. It is worth noting that Key System-level encryption is somewhat stronger requirement than an https requirement, because it does a bit more in terms of the budget/effort required for the attacker to become the recipient for whom data is encrypted. Obtaining an https certificate for an attacker-controlled domain is well within the capability of even very low-budget coffee shop attackers. Obtaining and operating key server requires more budget and effort. On the other hand, https encryption is performed by the User Agent while Key System-level encryption is performed by the CDM. Thus, someone who treats the CDM as un-trusted is able to audit a User Agent to perform https encryption properly, but auditing the User Agent shows nothing about Key System-level encryption not having a covert channel disclosing data to eavesdroppers in addition to carrying data to the key server (i.e. some part of the random-looking supposedly encrypted data is actually something else). I am not proposing a User Agent-level encryption wrapper for Key System messages, because it seems like an overkill to design such a thing in the interim (assuming that we'll get https eventually) and because designing such a system to use existing https PKI poses the problem that the browser doesn't know where the EME messages are going, so the browser couldn't figure out what to validate as a Common Name. (And a Key System-specific PKI is best handled by the Key System instead of making the User Agent aware of Key System-specific PKI.) Note that the key server still gets to see the distinctive identifier(s). Bug 27269 makes the distinctive identifiers useless for tracking across sites and bug 27270 user-electively mitigates tracking across time on a given site by enabling point-wise discontinuities. (Start proposed spec text for a *normative* section) In the presence of distinctive identifiers in a Key System and in the absence of the User Agent restricting the use of the Key System (or the APIs defined in this specification as a whole) to secure origins, the distinctive identifiers that occur in Key System messages MUST be encrypted on the Key System-layer. Such Key System-level encryption is RECOMMENDED even when the Key System is restricted to secure origins only. Note: This means, among other things, that signatures made with or certificates relating to device-specific or user-specific keys MUST be encrypted for the key server and encrypted messages from the key server to the CDM MUST NOT show recipient-unique ids (such as the id of the intended decryption key) on the outside of the encryption envelope. -- You are receiving this mail because: You are on the CC list for the bug.
Received on Friday, 7 November 2014 12:25:49 UTC