- From: Jan-Ivar Bruaroey <jib@mozilla.com>
- Date: Thu, 09 Oct 2014 19:39:18 -0400
- To: Shwetank Dixit <shwetankd@opera.com>
- CC: Eric Rescorla <ekr@rtfm.com>, Anne van Kesteren <annevk@annevk.nl>, Justin Uberti <juberti@google.com>, Stefan Håkansson LK <stefan.lk.hakansson@ericsson.com>, "public-media-capture@w3.org" <public-media-capture@w3.org>
- Message-ID: <54371CA6.3070904@mozilla.com>

Yes, an injection attack can do either, so I'm not sure your example adds anything to the attack surface. Except that a picture-taking http app that used your technique to send pictures to its server could be snooped on passively as well, so that does add something perhaps.

.: Jan-Ivar :.

On 10/9/14, 5:15 PM, Shwetank Dixit wrote:
> Isn't it possible for a Man in the middle attack to change the page so
> that it regularly takes screenshots of the user video onto canvas
> every few seconds, and sends that as a data URI regularly to some
> other server?
>
> In this case you are not sending a stream anywhere, however you are
> still performing pervasive monitoring by getting regular screengrabs
> of the user video as a data URI.
>
> On Thu, Oct 9, 2014 at 3:29 PM, Jan-Ivar Bruaroey <jib@mozilla.com> wrote:
>
> > On 10/8/14, 9:56 AM, Eric Rescorla wrote:
> >
> > > It is not generally true that *passive* network attackers will be
> > > able to watch or listen to users in real-time, even if gUM is used
> > > without an authenticated origin. The reason for this is that gUM
> > > merely makes a media stream available to the JS, but doesn't send
> > > it anywhere other than the local machine. In order for the media
> > > stream to be transmitted over the network, it must either be:
> > >
> > > 1. Sent over connection established via PeerConnection. All of
> > > these are encrypted using an end-to-end key establishment
> > > mechanism that is intended to resist passive attackers. This is
> > > the way that all WebRTC calling and conferencing type apps work.
> > >
> > > 2. Recorded via the Recording API and then directly exfiltrated.
> > > This might or might not be over HTTPS
> > >
> > > Note that there are a number of applications (e.g., recording
> > > studio, 2-d bar code readers, etc.) that can be implemented purely
> > > on the user's computer without pushing any data to the server.
> >
> > This is an interesting point. If the recording API were to be
> > limited to authenticated origins, it means unauthenticated gUM is
> > effectively safe from *passive* attacks already.
> >
> > OTOH, couldn't an *active* MitM script injection use peerConnection
> > to send user-prompted-and-granted camera+mic securely to the
> > attacker today?
> >
> > .: Jan-Ivar :.
>
> --
> Shwetank Dixit
> Web Evangelist,
> Web Standards Team,
> Opera Software - www.opera.com <http://www.opera.com>

Received on Thursday, 9 October 2014 23:39:48 UTC