Re: CfC: only allow authenticated origins to call getUserMedia

On Wed, Oct 8, 2014 at 3:59 PM, Chris Palmer <palmer@google.com> wrote:

> On Wed, Oct 8, 2014 at 3:04 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
> > I think perhaps you are misunderstanding the way that gUM works.
> > gUM just provides the JS with a handle to a media stream. That media
> > stream is not (by default) sent over the wire, but is just local to the
> > user's machine. So, the relevant question is how the Web application
> > handles that stream. This is explained in detail in the rest of the
> > message you are quoting here.
> >
> > http://lists.w3.org/Archives/Public/public-media-capture/2014Oct/0117.html
>
> As you note, the JavaScript could record and exfiltrate the media.
>
> If the JavaScript came from a source lacking authentication and
> integrity protection, there is no reason for users to believe that the
> JavaScript is honest and does what the user expects or desires. Nor is
> there any way for users to attribute bad behavior to any particular
> web origin, if an authenticate origin abused the user's trust.
>

Yes, this is the difference between an active and a passive attack, which
is the context that you elided in your response here. See below and
note the asterisks which are intended to call your attention to the
word "passive".


"On Wed, Oct 8, 2014 at 2:45 PM, Chris Palmer <palmer@google.com> wrote:
[...]
> On Wed, Oct 8, 2014 at 9:04 AM, Eric Rescorla <ekr@rtfm.com> wrote:

> It is not generally true that *passive* network attackers will be able to
> watch or listen to users in real-time, even if gUM is used without an
> authenticated origin.

I think you mean that purely passive attackers cannot always choose
their target. Obviously you know that they can watch and listen to at
least some target users' media, unless gUM uses secure transport."


-Ekr

Received on Wednesday, 8 October 2014 23:07:37 UTC
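The two points argued in this exchange, that gUM hands script a stream which stays on the user's machine until the script routes it somewhere, and that the origin's authentication decides whether a network attacker can rewrite that script at all, can be modelled in a few lines. The following is an added example for readers of this archive, not code from the thread, from a browser, or from the getUserMedia spec. The origin classification follows the later W3C Secure Contexts definition of a "potentially trustworthy origin" (an assumption, since that spec postdates this 2014 thread; browsers did subsequently restrict getUserMedia to secure contexts). The `LocalMediaStream` class, the sink objects, the `requestUserMedia`/`exposure` functions and the scenario helpers are all constructed for illustration and run under plain Node.

```javascript
// Added example, not code from the thread: a Node-runnable model of the two
// points argued above. Assumptions are marked; nothing here is a browser API.

// (1) Is an origin delivered with authentication and integrity? The rules
// below follow the W3C "Secure Contexts" definition of a potentially
// trustworthy origin (assumed here; that spec postdates the 2014 thread).
function isPotentiallyTrustworthyOrigin(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return false; // unparsable input is never trusted
  }
  if (url.protocol === 'https:' || url.protocol === 'wss:') return true;
  if (url.protocol === 'file:') return true;
  const host = url.hostname; // WHATWG URL keeps the brackets on IPv6 literals
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (host === '[::1]' || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;
  return false;
}

// (2) A stand-in for the MediaStream handle gUM returns: it is local until the
// page's script attaches it to a sink. Sinks are plain objects constructed for
// this example, e.g. { name: 'video-element', remote: false }.
class LocalMediaStream {
  constructor(origin) {
    this.origin = origin;
    this.sinks = [];
  }
  attachTo(sink) {
    this.sinks.push(sink);
    return this;
  }
  leavesMachine() {
    return this.sinks.some((s) => s.remote === true);
  }
}

// The gate the CfC proposes: hand out a stream only to authenticated origins.
// Returns the same shape either way so callers can branch on `ok`.
function requestUserMedia(origin, { requireSecureContext = true } = {}) {
  if (requireSecureContext && !isPotentiallyTrustworthyOrigin(origin)) {
    return { ok: false, error: 'NotAllowedError', stream: null };
  }
  return { ok: true, error: null, stream: new LocalMediaStream(origin) };
}

// What a network attacker can learn, given the origin and what the script did
// with the stream. This is the passive/active distinction from the thread: a
// passive observer only sees bytes that cross the wire unencrypted; an active
// attacker facing an unauthenticated origin can rewrite the script itself.
function exposure(attackerKind, stream) {
  if (attackerKind === 'active' && !isPotentiallyTrustworthyOrigin(stream.origin)) {
    return 'attacker-controlled'; // the script is whatever the attacker served
  }
  if (!stream.leavesMachine()) return 'local-only';
  const plaintext = stream.sinks.some((s) => s.remote && !s.encrypted);
  return plaintext ? 'observable-on-wire' : 'encrypted-in-transit';
}

// Constructed scenarios. Each returns the exposure labels so the outcomes can
// be checked rather than only printed.
function scenarioLocalPreview(origin) {
  const r = requestUserMedia(origin, { requireSecureContext: false });
  r.stream.attachTo({ name: 'video-element', remote: false });
  return { passive: exposure('passive', r.stream), active: exposure('active', r.stream) };
}

function scenarioEncryptedCall(origin) {
  const r = requestUserMedia(origin, { requireSecureContext: false });
  r.stream.attachTo({ name: 'peer-connection', remote: true, encrypted: true });
  return { passive: exposure('passive', r.stream), active: exposure('active', r.stream) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scenarioLocalPreview('http://example.com'));
  console.log(scenarioEncryptedCall('https://example.com'));
  console.log(requestUserMedia('http://example.com').error);
}
```

Running the scenarios with `requireSecureContext: false` reproduces the thread's disagreement: on an `http:` origin a purely passive observer still sees nothing as long as the script keeps the stream local, but an active attacker on that same origin controls the script and so controls where the stream goes. With the default gate in place, the `http:` request is refused outright, which is the effect the CfC is asking for.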