Re: [mediacapture-main] Replace device enumeration API with API returning a secure widget

>Can you explain why this is dangerous?

Yes, I can. These can be used for fingerprinting, which can be 
dangerous for a user because it can be used to violate his privacy. 
Also, information about the environment can be useful for targeting 
exploits.

>The deviceId is opaque, per-origin and not persisted.

It IS persistent unless the user clears the identifiers. 

>Fingerprintable info is not available unless the website has 
permissions.

It is not a problem to socially engineer the user into giving 
permissions. The example we see on the Android platform: a user either 
gives a malicious app all the privileges it requires, or doesn't use 
the app at all. Or uses [xprivacy](https://github.com/M66B/XPrivacy/), 
which now seems to be abandoned and which doesn't solve all the issues. 
Marshmallow doesn't help because an app can detect that a user revoked 
the permissions and stop operation. Of course advanced solutions like 
xprivacy can also be detected, but it is a bit harder and not worth it 
(for now) in most cases.


>So you not only want to remove the info from enumerateDevices, but 
also from the MediaStream once permissions have been granted!?

I want to remove access to as much fingerprintable info as possible, 
regardless of permissions. Permissions should only give access to the 
data, and leaks of other protected data (such as info about the 
environment) should be eliminated. For example, the webcam resolution 
leak can be mitigated by resizing the picture to a standardized size 
(fortunately this can be done rather fast, but it can also be detected 
by analysing the picture (though not as confidently as when it is 
provided explicitly), so some measures should be taken in modifying 
the signals (see #312)).

>That is definitely not right. There are plenty of use cases requiring 
programmatic access to the device info.

Fingerprinting is one of them. If you think a bit you will understand 
there are not so many legit use cases for that (hardware/environment 
identification is considered non-legit).

>Visually displaying the device label is only a very small one.

Secure widgets are suitable for this.

-- 
GitHub Notification of comment by KOLANICH
Please view or discuss this issue at 
https://github.com/w3c/mediacapture-main/issues/311#issuecomment-178801648
 using your GitHub account

Received on Tuesday, 2 February 2016 20:21:24 UTC