- From: Shwetank Dixit <shwetankd@opera.com>
- Date: Wed, 8 Oct 2014 11:15:34 +0200
- To: "public-media-capture@w3.org" <public-media-capture@w3.org>
- Message-ID: <CAERMemf1QrhVaV0BG3Gwg1cQtw-4bOOMqR6fCTSH9xANTiUtbw@mail.gmail.com>
Though I was initially against it, I have come to support the HTTPS policy and I am OK with it, the reason being that gUM is one of the most sensitive areas, and a man-in-the-middle attack on it could cause a lot more harm than other APIs. As Anne says, we would have to place end-users above developers here, even at the cost of some discomfort to developers.

I myself don't like the fact that I'll have to buy and install SSLs for this (disregarding Cloudflare and GitHub hosting for a moment, which provide HTTPS support for free), but considering so many other APIs going HTTPS only, and the fact that the end users benefit and privacy is much more important, I'll have to support this change request.

So it's a +1 from me.

If there is somehow a way to prevent MITM attacks without using SSL, then I would be open to reconsider.

On Wed, Oct 8, 2014 at 10:12 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Oct 7, 2014 at 8:00 PM, Justin Uberti <juberti@google.com> wrote:
> > These are just some arbitrarily selected examples. The point is that short
> > term breakage would not be insignificant.
>
> There are ways to mitigate that. E.g. by phasing it out over some period
> of time and clearly communicating this to developers.
>
> > While I agree that we should encourage web developers to upgrade to HTTPS,
> > singling out WebRTC developers seems like the wrong way to go about this.
>
> 1) WebRTC developers are not being singled out. Authenticated origin
> is used by service workers, the push API, background synchronization,
> persistent notifications, crypto (in Chrome), autofilling of forms,
> subresource integrity, and hopefully geolocation. There's probably
> some that I'm missing here.
>
> 2) You are prioritizing developers over end users. I have a hard time
> believing that even though end users gave their consent, they knew
> they implicitly gave their consent that every passive/active network
> attacker could listen to them and watch them in real time.
>
> --
> https://annevankesteren.nl/

--
Shwetank Dixit
Web Evangelist, Web Standards Team, Opera Software - www.opera.com
Received on Wednesday, 8 October 2014 09:16:25 UTC