Re: Proposal: "private" execution mode from Eric Rescorla on 2013-11-28 (public-media-capture@w3.org from November 2013)

From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 28 Nov 2013 11:16:06 -0800
To: cowwoc <cowwoc@bbs.darktech.org>
Cc: "public-media-capture@w3.org" <public-media-capture@w3.org>
Message-ID: <CABcZeBOdLKS8fOoQ5tVZBF=YqCurDh+QEL7REkvUqGDy4-3vKQ@mail.gmail.com>

On Thu, Nov 28, 2013 at 9:27 AM, cowwoc <cowwoc@bbs.darktech.org> wrote:
> Hi,
>
> I'd like to propose a high-level mechanism for dealing with fingerprinting
> risks. Borrowing from HTTP caching terminology, I propose declaring a new
> Javascript execution mode called "private". Code executed in "private" mode
> would be required to adhere to the following restrictions:
>
> Any written data would be marked as "private". Data marked as "private" may
> only be accessed under "private" mode. In other words, privacy is
> contagious.
> Sensitive methods that may be used to leak data outside the UA (e.g.
> outgoing network requests) MUST throw a permission denied error.
>
> Here is a concrete example of how this may be used:
>
> A user invokes getUserMedia(filter, onSuccess) where filter and onSuccess
> would be supplied by the user. The user invokes the function "normal" mode,
> but filter gets invoked in "private" mode. Here is a sample filter:
>
> function filter(candidateDevice)
> {
>   var resolutions = candidateDevice.getResolutions();
>   var idealResolution = {1280, 720};
>   return resolutions.indexOf(idealResolution)!=-1;
> }
>
> In the above function, candidateDevice is marked as "private" by the browser
> before passing it into the function. WebRTC would invoke onSuccess in
> "normal" mode, passing it the first device accepted by the filter. NOTE: the
> above definition of getUserMedia() is just an example and is not part of
> this proposal.
>
> There are many ways a browser could implement this proposal. It could mark
> data using a sticky "private" bit (as mentioned above). It could "validate"
> user functions before invoking them, and throw a permission denied error if
> they leak data. Any implementation that prevents "private" data from leaking
> is deemed to be compliant.
>
> While this discussion used the getUserMedia() as an example, I believe that
> this mechanism could be used to tackle fingerprinting risks across the
> entire WebRTC surface. Unlike other proposals, I believe it does so without
> compromising the usability of the WebRTC API and user interface.
>
> Let me know what you think.

I don't believe that it is practical to build a system which provides the
desired security properties because it is generally so hard to prevent
information leakage. (I note that you don't describe how the browser
would do so.)

As an example, let's say that there are a number of common resolution
sets and the attacker wishes to know whether the browser supports
each one. Now consider the following filter function:

R = [[1024, 768], [640, 480], ...];

function filter(candidateDevice) {
  mask = 0;

  var resolutions = candidateDevice.getResolutions();




}

Received on Thursday, 28 November 2013 19:17:14 UTC