Isn't it possible for a Man in the middle attack to change the page so that
it regularly takes screenshots of the user video onto canvas every few
seconds, and sends that as a data URI regularly to some other server?
In this case you are not sending a stream anywhere, however you are still
performing pervasive monitoring by getting regular screengrabs of the user
video as a data URI.

On Thu, Oct 9, 2014 at 3:29 PM, Jan-Ivar Bruaroey <jib@mozilla.com> wrote:
> On 10/8/14, 9:56 AM, Eric Rescorla wrote:
>
>> It is not generally true that *passive* network attackers will be able to
>> watch or listen to users in real-time, even if gUM is used without an
>> authenticated origin. The reason for this is that gUM merely makes a media
>> stream available to the JS, but doesn't send it anywhere other than the
>> local machine. In order for the media stream to be transmitted over the
>> network, it must either be:
>>
>> 1. Sent over a connection established via PeerConnection. All of these are
>> encrypted using an end-to-end key establishment mechanism that is
>> intended to resist passive attackers. This is the way that all WebRTC
>> calling and conferencing type apps work.
>>
>> 2. Recorded via the Recording API and then directly exfiltrated. This
>> might or might not be over HTTPS.
>>
>> Note that there are a number of applications (e.g., recording studio,
>> 2-d bar code readers, etc.) that can be implemented purely on the
>> user's computer without pushing any data to the server.
>>
>
> This is an interesting point. If the recording API were to be limited to
> authenticated origins, it means unauthenticated gUM is effectively safe
> from *passive* attacks already.
>
> OTOH, couldn't an *active* MitM script injection use peerConnection to
> send user-prompted-and-granted camera+mic securely to the attacker today?
>
> .: Jan-Ivar :.
>
>
>
--
Shwetank Dixit
Web Evangelist,
Web Standards Team,
Opera Software - www.opera.com