Re: CfC: only allow authenticated origins to call getUserMedia

TL;DR: We don't have time, user attention, or space to communicate
crypto nuance. Therefore we must quantize the security guarantee

Read on, if you care...

On Wed, Oct 8, 2014 at 9:04 AM, Eric Rescorla <> wrote:

> It is not generally true that *passive* network attackers will be able to
> watch or listen to users in real-time, even if gUM is used without an
> authenticated origin.

I think you mean that purely passive attackers cannot always choose
their target. Obviously you know that they can watch and listen to at
least some target users' media, unless gUM uses secure transport.

> As Adam Roach has observed on a separate thread, this not a position
> that has anything like consensus:

Is the proposition that because an intelligence analyst (a person
with, shall we say, a certain vested interest) says the NSA can't do
everything, we therefore don't need to worry about (e.g.)
Man-On-The-Side attacks?

"QUANTUMINSERT... Highly Successful"

But *forget about all of that*. Paranoia is a side-show, and we
shouldn't be distracted by it.

Even if the thinnest veneer of pseudo-encryption were good enough to
defeat the wealthiest, most powerful SIGINT attacker the world has
ever known, we'd still need actual, real security in a very wide
variety of web applications. Just every day basic safety. Even if only
because you don't need to be the NSA to deploy the Upside-Down-Ternet
or SSLStrip.

And since we get basically 1 chance to communicate 1 bit of
information about safety/security/confidentiality/privacy to users in
the browsers' security UI surfaces, I'd like that bit to be 1
("secure") in the *normal, every day* case, and for that 1 bit to, if
you will, "sign-extend". That is, I'd like to be able to say: "Dear
user, your session with is secure." Then, if by chance the
user asks more questions, I'd like to keep answering yes: Forward
secrecy? Modern ciphersuites and key sizes? Certificate issued in the
public log? No hits in the Safe Browsing database? My resource cache
is full of only resources that were loaded under similarly good
circumstances? And so on.

But I can't do that if the low-order bit is some quantum crap like 0.5
("opportunistic obfuscation"). Anything that distracts us from getting
that low-order bit to be a full and honest 1 is of negative value.

> In any case, my comments were directed towards having an accurate
> threat model, and regardless of the ease of active attack, it is not true
> that the risks of gUM are the same for active and passive attackers.
> I take it from your message that you agree with this point.

My threat model is, "People might not want to keep using the web if we
cannot unequivocally say we are providing them with the bare minimum
level of safety. Especially if we keep adding wonderful but also
potentially dangerous new features."

Received on Wednesday, 8 October 2014 21:46:23 UTC