RE: Screen capture

> From: Randell Jesup [mailto:randell-ietf@jesup.org]
> 
> On 1/31/2013 5:06 PM, Harald Alvestrand wrote:
> > On 01/31/2013 11:00 PM, Martin Thomson wrote:
> >> Actually, I got some really good feedback on this feature in a
> >> discussion last night.  The security concerns over giving access to a
> >> screen capture are pretty serious.  There is a very good reason that
> >> applications are prevented from sampling any part of the page that is
> >> not from the same origin.  Screen capture would circumvent that.  It
> >> may be that a simple user confirmation/permission question is
> >> insufficient to convince some people that capture is safe to permit
> >> for this reason.
> >>
> >> It's actually very simple.  I load an iframe to your bank, using your
> >> login cookie, briefly display some highly sensitive resource, capture
> >> the screen, ???, profit.
> >>
> >> I knew this was a problem, but I didn't realize the strength of the
> >> reaction.
> >
> > It's exactly the same problem as a remote control interface like
> > PCAnywhere.
> > Many people find those creepy (and with some justification).
> 
> There's an unfortunate intersection between "tools that do things people
> really want/need" and "tools that can be used for evil".  :-(
> 
> Screen sharing (window, tab) is really useful.  It's in Hangouts, Vidyo,
> and many other such tools already.  Windows "Remote assistance"?
> Windows "Remote Desktop"?
> 
> It enables important use-cases (see above), like Help Desk functions,
> helping your computer-phobic parent untangle themselves, etc.
> 
> But the security concerns are real and in this case broader generally
> than the above (re Martin's example).  On the other hand, there's a
> trust barrier aspect:  all the above existing uses require some trust (a
> lot more than this really) be granted the app.  Any sort of
> desktop/plugin install inherently gets more permission and more ability
> to snoop than Martin's example.
> 
> If you install Skype desktop, you've generally given it permission to do
> almost anything nasty from a privacy perspective.  Ironically on
> Windows/etc (but not Android - I hope!), you've given your solitaire
> program the same rights.

I would only add that the new Win8 App model (and likely other store-based app models) require apps to declare their desired capabilities a priori, so you would know at purchase time that Solitaire wouldn't be allowed to do [too much] nasty stuff. These contracts are enforced by the containers that these apps run inside of.

Received on Wednesday, 6 February 2013 21:16:59 UTC