W3C home > Mailing lists > Public > public-media-capture@w3.org > September 2014

Re: getUserMedia() and authenticated origins

From: Shwetank Dixit <shwetankd@opera.com>
Date: Wed, 10 Sep 2014 19:02:09 +0530
Message-ID: <CAERMemfPQvBVo68n99P=O9Fcks-qu4seiGTc9yBDEqCU-cvGbA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Stefan Håkansson LK <stefan.lk.hakansson@ericsson.com>, Anne van Kesteren <annevk@annevk.nl>, "public-media-capture@w3.org" <public-media-capture@w3.org>
>There seem to be lots of uses of gUM that don't necessarily require
crypto any more than (say) file uploads.

To add to the point, someone can make an app using gUM without even
involving any other part of WebRTC (like peerconnection or datachannels)
... so, a gUM app doesn't always have to be about *communication*.
 Considering such cases, I think it's fair to allow it to be using http.


On Wed, Sep 10, 2014 at 6:47 PM, Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Wed, Sep 10, 2014 at 3:20 AM, Stefan Håkansson LK <
> stefan.lk.hakansson@ericsson.com> wrote:
>
>> On 10/09/14 11:29, Anne van Kesteren wrote:
>> > On Wed, Sep 10, 2014 at 11:08 AM, Stefan Håkansson LK
>> > <stefan.lk.hakansson@ericsson.com> wrote:
>> >> It is a long time ago, and I can't recollect all details on why we did
>> >> arrive on allowing http sites to access. I think it was a combination
>> of
>> >>
>> >> a) follow the geoLocation example
>> >> b) the expressed wish to allow for secure communication when the app is
>> >> from untrusted sites (using PeerIdentity) - these perhaps temporary
>> >> sites could deliver over http
>> >
>> > a) set a bad precedent. I don't think we considered the implications
>> > at the time. I don't understand how b) is feasible. How can you
>> > communicate securely if the piece of software you just got could have
>> > been manipulated by a third party?
>>
>> I think this is outlined in the documents I referred to, and if not
>> there are several presentations by Ekr in the IETF folders. Ekr or
>> Martin, you might want to step in here.
>
>
> Thanks for raising this, Anne.
>
> As Stefan says, this was discussed extensively and I believe I even
> suggested HTTPS-only on a slide somewhere and there wasn't really
> support for it. I believe the discussion happened in a meeting, not
> on a list, but it was clear enough that there wouldn't be consensus
> to change the default assumption. I don't remember this being
> primarily a question of test/demo pages as much as that there are
> lots of sites that aren't HTTPS and don't want to go HTTPS.
>
> There seem to be lots of uses of gUM that don't necessarily require
> crypto any more than (say) file uploads. For instance, uploading your
> picture to use as your avatar on a site. And since it's forbidden to
> have persistent permissions for HTTP, the risk is limited versus
> (say) geo.
>
> The situation is a bit more complicated with PC since we already require
> COMSEC. OTOH, the fact that we require DTLS means that even an
> HTTP attacker has to be an active attacker.
>
> -Ekr
>
>
> P.S. I think the question of WebRTC identity is kind of a red herring here.
> It's possibly to use Identity + Isolated Streams to build a
> system which doesn't require any trust at all in the site, but I would
> expect that any site which used these features would be security
> conscious and so would run HTTPS in any case.
>
>


-- 
Shwetank Dixit
Web Evangelist,
Web Standards Team,
Opera Software - www.opera.com
Received on Wednesday, 10 September 2014 13:32:58 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 16:26:30 UTC