Isn't is possible for a Man in the middle attack to change to page so that it regularly takes screenshots of the user video onto canvas every few seconds, and sends that as a data URI regularly to some other server? In this case you are not sending a stream anywhere, however you are still performing pervasive monitoring by getting regular screengrabs of the user video as a data URI. On Thu, Oct 9, 2014 at 3:29 PM, Jan-Ivar Bruaroey <jib@mozilla.com> wrote: > On 10/8/14, 9:56 AM, Eric Rescorla wrote: > >> It is not generally true that *passive* network attackers will be able to >> watch >> or listen to users in real-time, even if gUM is used without an >> authenticated >> origin. The reason for this is that gUM merely makes a media stream >> available to the JS, but doesn't send it anywhere other than the local >> machine. In order for the media stream to be transmitted over the >> network, it must either be: >> >> 1. Sent over connection established via PeerConnection. All of these are >> encrypted using an end-to-end key establishment mechanism that is >> intended to resist passive attackers. This is the way that all WebRTC >> calling and conferencing type apps work. >> >> 2. Recorded via the Recording API and then directly exfiltrated. This >> might or might not be over HTTPS >> >> Note that there are a number of applications (e.g., recording studio, >> 2-d bar code readers, etc.) that can be implemented purely on the >> user's computer without pushing any data to the server. >> > > This is an interesting point. If the recording API were to be limited to > authenticated origins, it means unauthenticated gUM is effectively safe > from *passive* attacks already. > > OTOH, couldn't an *active* MitM script injection use peerConnection to > send user-prompted-and-granted camera+mic securely to the attacker today? > > .: Jan-Ivar :. > > > -- Shwetank Dixit Web Evangelist, Web Standards Team, Opera Software - www.opera.com
Received on Thursday, 9 October 2014 21:15:50 UTC