Re: [HOME_NETWORK_TF] Security concerns around Home Networking APIs from Matt Hammond on 2011-04-18 (public-web-and-tv@w3.org from April 2011)

From: Matt Hammond <matt.hammond@rd.bbc.co.uk>
Date: Mon, 18 Apr 2011 14:46:46 +0100
To: "public-web-and-tv@w3.org" <public-web-and-tv@w3.org>, "Giuseppe Pascale" <giuseppep@opera.com>
Message-ID: <op.vt4y78kmmko9fo@r44116>

hi Guiseppe,

Apologies - I did not properly explain the difference:

I refer to a use case where, for example, the owner of the TV may wish to  
prevent other members of the household from using websites to remote  
control it unless he grants permission. In this circumstance, not only  
might the user of the website need to grant the website permission, but  
also a privileged user of the TV (or other device) may need to authorise  
it too.

With a pairing code approach, this can be achieved if only certain users  
can access the pairing setup part of the user interface on the device to  
be controlled.


regards


Matt

On Mon, 18 Apr 2011 14:41:52 +0100, Giuseppe Pascale <giuseppep@opera.com>  
wrote:

> On Mon, 18 Apr 2011 14:16:28 +0200, Matt Hammond  
> <matt.hammond@rd.bbc.co.uk> wrote:
>
>> Hi Giuseppe,
>>
>> Another class of security concern could be access by unauthorised users  
>> (via their personal devices). For example, a family may wish to prevent  
>> any website that the children view on their PCs or phones from being  
>> able to query and/or control other devices on the home network (such as  
>> the lounge TV) unless explicitly authorised to do so.
>>
> Agree, in my opinion this was listed under the first bullet of  
> "Malicious attacks"
> "An external server can control an HN device (e.g. send spam to your  
> printer)"
>
> /g
>> The pairing code mechanism you suggest is one possible way of achieving  
>> this.
>>
>> regards
>>
>>
>>
>> Matt
>>
>>
>> On Mon, 18 Apr 2011 13:06:34 +0100, Giuseppe Pascale  
>> <giuseppep@opera.com> wrote:
>>
>>> Hi all,
>>> we have discussed in several places (workshop, this mailing list, etc)  
>>> how important it is to address privacy and security concerns around   
>>> Home Networking Technologies.
>>>
>>> In order to trigger some discussion, I started a new document about  
>>> Security.
>>> The idea behind this document is to collect all reasonable concerns  
>>> and a list of possible solutions.
>>> I don't think is in the scope for this TF to decide on one solution,  
>>> but I think would be valuable if this group could come up with an  
>>> analysis and a list of suggestion for a WG to work on.
>>>
>>> The document is as usual available on the wiki
>>>   http://www.w3.org/2011/webtv/wiki/HNTF/Home_Network_TF_Discussions/Security
>>>
>>> I'm sure there are more things that can be written, so feel free to  
>>> comment on it and propose extensions or corrections to it.
>>>
>>>
>>> /g
>>
>>
>
>


-- 
| Matt Hammond
| Research Engineer, BBC R&D, Centre House, London
| http://www.bbc.co.uk/rd/

Received on Monday, 18 April 2011 13:47:37 UTC