Re: getUserMedia() and authenticated origins

On Wed, Sep 10, 2014 at 3:20 AM, Stefan Håkansson LK <stefan.lk.hakansson@ericsson.com> wrote:

> On 10/09/14 11:29, Anne van Kesteren wrote:
> > On Wed, Sep 10, 2014 at 11:08 AM, Stefan Håkansson LK
> > <stefan.lk.hakansson@ericsson.com> wrote:
> >> It is a long time ago, and I can't recollect all details on why we did
> >> arrive on allowing http sites to access. I think it was a combination of
> >>
> >> a) follow the geoLocation example
> >> b) the expressed wish to allow for secure communication when the app is
> >> from untrusted sites (using PeerIdentity) - these perhaps temporary
> >> sites could deliver over http
> >
> > a) set a bad precedent. I don't think we considered the implications
> > at the time. I don't understand how b) is feasible. How can you
> > communicate securely if the piece of software you just got could have
> > been manipulated by a third party?
>
> I think this is outlined in the documents I referred to, and if not
> there are several presentations by Ekr in the IETF folders. Ekr or
> Martin, you might want to step in here.


Thanks for raising this, Anne.

As Stefan says, this was discussed extensively and I believe I even
suggested HTTPS-only on a slide somewhere and there wasn't really
support for it. I believe the discussion happened in a meeting, not
on a list, but it was clear enough that there wouldn't be consensus
to change the default assumption. I don't remember this being
primarily a question of test/demo pages as much as that there are
lots of sites that aren't HTTPS and don't want to go HTTPS.

There seem to be lots of uses of gUM that don't necessarily require
crypto any more than (say) file uploads. For instance, uploading your
picture to use as your avatar on a site. And since it's forbidden to
have persistent permissions for HTTP, the risk is limited versus
(say) geo.

The situation is a bit more complicated with PC since we already require
COMSEC. OTOH, the fact that we require DTLS means that even an
HTTP attacker has to be an active attacker.

-Ekr


P.S. I think the question of WebRTC identity is kind of a red herring here.
It's possible to use Identity + Isolated Streams to build a
system which doesn't require any trust at all in the site, but I would
expect that any site which used these features would be security
conscious and so would run HTTPS in any case.
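
The rule Ekr relies on above (no persistent permissions for HTTP, so a plain-HTTP site gets at most a one-shot grant per getUserMedia() call) as an added illustration. This is not code from the thread, the WebRTC/gUM specs, or any browser; it is a toy model. It assumes that only https: and wss: origins count as authenticated (the thread does not enumerate the set), and the names isAuthenticatedOrigin, PermissionStore and demo are this example's own.

```javascript
// Toy model (added example, not from the thread or any spec): a user agent's
// permission store that may remember a camera/microphone decision only for an
// authenticated origin. An http: origin gets the grant for the current call
// only and must prompt again next time.

// Reduce a URL to its origin (scheme + host + port) so that grants are keyed
// the same way browsers key them: http://example.com and https://example.com
// are distinct origins and never share a grant.
function normalizeOrigin(urlString) {
  try {
    const origin = new URL(urlString).origin;
    // Opaque origins (e.g. file:, data:) serialize as "null"; treat as unusable.
    return origin === "null" ? null : origin;
  } catch (e) {
    return null;
  }
}

// Assumption for this example: only https: and wss: are "authenticated".
function isAuthenticatedOrigin(urlString) {
  const origin = normalizeOrigin(urlString);
  return origin !== null && (origin.startsWith("https://") || origin.startsWith("wss://"));
}

class PermissionStore {
  constructor() {
    // origin -> Set of device kinds ("camera", "microphone") with a stored grant
    this.persisted = new Map();
  }

  // Simulates the user answering a getUserMedia() prompt for `kind`.
  // `remember` is the "always allow for this site" choice. The return value
  // says what the UA actually recorded, which for an http: origin is never
  // a persistent grant even if the user asked for one.
  decide(urlString, kind, allowed, remember) {
    const origin = normalizeOrigin(urlString);
    if (origin === null) {
      return { origin: null, allowed: false, persisted: false, reason: "opaque or invalid origin" };
    }
    const authenticated = isAuthenticatedOrigin(urlString);
    const persisted = allowed && remember && authenticated;
    if (persisted) {
      if (!this.persisted.has(origin)) this.persisted.set(origin, new Set());
      this.persisted.get(origin).add(kind);
    }
    const reason = !allowed
      ? "user denied"
      : persisted
        ? "stored for authenticated origin"
        : authenticated
          ? "one-shot grant (user did not ask to remember)"
          : "one-shot grant only: persistent permissions are forbidden for non-authenticated origins";
    return { origin, allowed, persisted, reason };
  }

  // Whether a later getUserMedia() call from this URL may skip the prompt.
  hasPersistentGrant(urlString, kind) {
    const origin = normalizeOrigin(urlString);
    const kinds = origin === null ? undefined : this.persisted.get(origin);
    return Boolean(kinds && kinds.has(kind));
  }
}

// Walk through the two cases discussed in the thread and report the outcome.
function demo() {
  const store = new PermissionStore();
  const viaHttps = store.decide("https://example.com/avatar", "camera", true, true);
  const viaHttp = store.decide("http://example.com/avatar", "camera", true, true);
  return {
    httpsPersisted: viaHttps.persisted,
    httpPersisted: viaHttp.persisted,
    // Same site, default port and a different path: still the same https origin.
    httpsSkipsPrompt: store.hasPersistentGrant("https://example.com:443/other", "camera"),
    // The http: origin is distinct and must prompt again.
    httpSkipsPrompt: store.hasPersistentGrant("http://example.com/avatar", "camera"),
    httpReason: viaHttp.reason,
  };
}
```

The point the model makes concrete is the one behind "the risk is limited versus geo": because the grant to the http: origin is never stored, an attacker who later injects script into the plain-HTTP page still has to get past a fresh prompt, and the https: origin's stored grant is keyed on a different origin, so it does not carry over.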

Received on Wednesday, 10 September 2014 13:18:35 UTC