Re: CfC: only allow authenticated origins to call getUserMedia

On Wed, Oct 8, 2014 at 4:06 PM, Eric Rescorla wrote:

> Yes, this is the difference between an active and a passive attack, which
> is the context that you elided in your response here. See below and
> note the asterisks which are intended to call your attention to the
> word "passive".

The crux of the issue is that the user cannot know that only passive
attackers, and not active attackers, are in play against them.
Therefore they must assume that active attackers are in play. And
therefore that OE is insufficient as a defense.

Received on Thursday, 9 October 2014 00:37:42 UTC