- From: Eric Rescorla <ekr@rtfm.com>
- Date: Tue, 27 Oct 2015 06:42:31 -0400
- To: Nick Doty <npdoty@w3.org>
- Cc: Martin Thomson <martin.thomson@gmail.com>, Mathieu Hofman <Mathieu.Hofman@citrix.com>, Harald Alvestrand <harald@alvestrand.no>, "public-media-capture@w3.org" <public-media-capture@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
- Message-ID: <CABcZeBP0vPZT8KFtbr73nM6DDoPwnkmt63t0BXTMg7sOTy+Ufw@mail.gmail.com>
On Mon, Oct 26, 2015 at 8:21 PM, Nick Doty <npdoty@w3.org> wrote:

> I'm not sure the situations are analogous. Large web sites that handle
> credit card numbers or store personal information as part of their business
> are likely aware of the security implications, more than a website
> developer who once added a bit of JavaScript to take a user's picture.

And yet those sites routinely have breaches.

> Ongoing surreptitious access to camera and microphone on someone's device
> is potentially much more harmful to the user than access to her credit card
> number and an annoying call with her bank's anti-fraud division.

This seems to reflect a fairly rosy view of the severity of financial fraud.

> What we're saying is that every XSS or related security bug you have in the
> future, in addition to having security implications for your site's
> business, will also expose every previous user of your site to video and
> audio surveillance. It's not, "using this API involves sensitive data, so
> audit to find security bugs when you're using it", but rather "if you ever
> used this, you have to commit to perfect security diligence in perpetuity."

Well, again, not in Firefox, because Firefox doesn't persist permissions by default.

> At the least, I think Mathieu's suggestion about CSP might be useful in
> updating that section of the spec. We could give more specific
> recommendations about use of CSP and maybe user agents can take that signal
> into account when determining whether to grant a permission based on a
> prior granting.

I don't have a problem with recommending that people use CSP, but I don't agree that it makes sense to require browsers to take that into account, at least at the time of grant use for the reason I indicated previously.

-Ekr

> On Oct 24, 2015, at 1:12 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
> On the other hand, it's the advice we give to sites which handle credit
> card numbers, e-mails, and other sensitive information. Generally, if
> you once have an XSS on your site, it's fairly hard to clean up later.
>
> -Ekr
>
> On Fri, Oct 23, 2015 at 9:01 PM, Martin Thomson <martin.thomson@gmail.com> wrote:
>
>> On 23 October 2015 at 17:27, Nick Doty <npdoty@w3.org> wrote:
>> > The current advice in the specification is for site developers that use
>> > the API not to have security vulnerabilities anywhere on their sites. That
>> > doesn't seem like advice that can or will be followed.
>>
>> Yes, I agree that this sort of advice is foolish.
Received on Tuesday, 27 October 2015 10:43:40 UTC