- From: Eric Rescorla <ekr@rtfm.com>
- Date: Wed, 8 Oct 2014 06:56:24 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Justin Uberti <juberti@google.com>, Stefan HÃ¥kansson LK <stefan.lk.hakansson@ericsson.com>, "public-media-capture@w3.org" <public-media-capture@w3.org>
- Message-ID: <CABcZeBNCsr2vydxgu-Jem4pzk0bO7ezFfg4K_1i-3t8twpTEsg@mail.gmail.com>
On Wed, Oct 8, 2014 at 1:12 AM, Anne van Kesteren <annevk@annevk.nl> wrote: > On Tue, Oct 7, 2014 at 8:00 PM, Justin Uberti <juberti@google.com> wrote: > > These are just some arbitrarily selected examples. The point is that > short > > term breakage would not be insignificant. > > There's ways to mitigate that. E.g. by phasing it out over some period > of time and clearly communicating this to developers. > > > > While I agree that we should encourage web developers to upgrade to > HTTPS, > > singling out WebRTC developers seems like the wrong way to go about this. > > 1) WebRTC developers are not being singled out. Authenticated origin > is used by service workers, the push API, background synchronization, > persistent notifications, crypto (in Chrome), autofilling of forms, > subresource integrity, and hopefully geolocation. There's probably > some that I'm missing here. > > 2) You are prioritizing developers over end users. I have a hard time > believing that even though end users gave their consent, they knew > they implicitly gave their consent that every passive/active network > attacker could listen to them and watch them in real time. It is not generally true that *passive* network attackers will be able to watch or listen to users in real-time, even if gUM is used without an authenticated origin. The reason for this is that gUM merely makes a media stream available to the JS, but doesn't send it anywhere other than the local machine. In order for the media stream to be transmitted over the network, it must either be: 1. Sent over connection established via PeerConnection. All of these are encrypted using an end-to-end key establishment mechanism that is intended to resist passive attackers. This is the way that all WebRTC calling and conferencing type apps work. 2. Recorded via the Recording API and then directly exfiltrated. This might or might not be over HTTPS Note that there are a number of applications (e.g., recording studio, 2-d bar code readers, etc.) that can be implemented purely on the user's computer without pushing any data to the server. -Ekr > > -- > https://annevankesteren.nl/ > >
Received on Wednesday, 8 October 2014 13:57:33 UTC