Re: CfC: only allow authenticated origins to call getUserMedia

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 8 Oct 2014 16:30:00 +0200
Message-ID: <CADnb78igsorJWgZ6EqmctuSkK+EEJWzw3Yjc_+E9R6gs_bRG6A@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>, Chris Palmer <palmer@google.com>
Cc: Justin Uberti <juberti@google.com>, Stefan Håkansson LK <stefan.lk.hakansson@ericsson.com>, "public-media-capture@w3.org" <public-media-capture@w3.org>

On Wed, Oct 8, 2014 at 3:56 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> It is not generally true that *passive* network attackers will be able to
> watch or listen to users in real-time, even if gUM is used without an
> authenticated origin.

As Chris pointed out earlier, the difference between passive/active is
(becoming) marginal:
http://lists.w3.org/Archives/Public/public-media-capture/2014Oct/0071.html

Given the low cost, the vast amounts of information that could be
collected in this way (even from normally authenticated but now
sslstripped spoofed resources), it seems very likely this would be
pursued.


-- 
https://annevankesteren.nl/
Received on Wednesday, 8 October 2014 14:30:30 UTC
