- From: Tom Ritter <notifications@github.com>
- Date: Wed, 13 Dec 2017 15:23:19 -0800
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/207/351557619@github.com>
I reviewed the documents from a Security/Privacy perspective.

https://w3c.github.io/sensors/

Section 4.1.4 and 4.1.5 could go into more detail about what they mean. In 4.0 there is mention of tracking across origin. Cross-Device linking and out-of-band communication is not listed in 4.1. Section 5.6 does not mention two of the mandatory conditions listed in 4.2: Secure Context and Permission has been granted (or decided not to be required). Various similar security checks seem to be missing from the algorithms in 8.1 (which contains only the policy-controlled feature check), 8.2 (which has none), 8.3, and pretty much all 8.x items. I'm not sure if these algorithms should have the security checks, but I'm not sure why not, especially when one of the checks is present in 8.1. The timestamp property of a Sensor is a high-res timestamp that can be used as the base for various attacks; but this is not mentioned. Sensors that produce regular frequency readings can also be used to build a high-res timestamp.

https://w3c.github.io/ambient-light/

Section 3: I seem to recall there was an attack/trick that used the ambient light sensor to detect user heartbeat (when one held the phone with one's body covering or near the sensor.) It omits mentioning device fingerprinting. "The generic mitigation strategies are described in the Generic Sensor API [GENERIC-SENSOR]." - should we clarify that these need to be actually enforced?

https://w3c.github.io/accelerometer/

"There are no specific security and privacy considerations beyond those described in the Generic Sensor API [GENERIC-SENSOR]." Which are so large and numerable this statement could probably be applied to all of the sub documents. But punting on the specific threats relevant to Accelerometer does not provide feedback to the implementer as to whether to require a permission prompt; nor does it provide specific recommendations to limit sampling frequency or accuracy.

https://w3c.github.io/gyroscope/

"There are no specific security and privacy considerations beyond those described in the Generic Sensor API [GENERIC-SENSOR]." Same concern.

https://w3c.github.io/magnetometer/

Security and Privacy Considerations does not make any mention about the difference between calibrated and uncalibrated. I'm skeptical that Calibrated sensors actually entirely eliminate outside interference of nearby objects, but let's assume it does. It seems like uncalibrated could be used to perform Keystroke Monitoring if you happen to be wearing a piece of jewelry that affects the reading (or maybe even not). Also, exposing the bias values themselves seems concerning and could provide user fingerprinting, cross device linking, and device fingerprinting. It omits mentioning device fingerprinting.

https://w3c.github.io/magnetometer/

"There are no specific security and privacy considerations beyond those described in the Generic Sensor API [GENERIC-SENSOR]." Same concern.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/207#issuecomment-351557619
Received on Wednesday, 13 December 2017 23:23:40 UTC
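As an added example (not code from the review above, nor from the W3C sensor specs it discusses): a sketch of the two concrete mitigations the review asks the sub-specs to spell out, a cap on the delivered sampling frequency and coarsening of the high-resolution timestamp and reading values, applied on the user-agent side before a reading reaches page script. The function names, default thresholds and the sample stream are assumptions.

```javascript
// Added example; not from the review or the W3C specs. Filter applied to raw
// sensor readings before delivery to script: rate cap + coarsening.
function makeSensorFilter({ maxHz = 10, timestampStepMs = 100, valueDecimals = 2 } = {}) {
  const minIntervalMs = 1000 / maxHz;
  const factor = 10 ** valueDecimals;
  let lastDeliveredMs = -Infinity;

  // Returns the coarsened reading to hand to script, or null to drop it.
  return function filter(reading) {
    // Frequency cap, measured against the raw (un-coarsened) timestamp so
    // rounding cannot let two readings through within one interval.
    if (reading.timestamp - lastDeliveredMs < minIntervalMs) return null;
    lastDeliveredMs = reading.timestamp;

    // Timestamp resolution limit: snap to a coarse grid so the value no
    // longer serves as a high-resolution clock.
    const out = { timestamp: Math.round(reading.timestamp / timestampStepMs) * timestampStepMs };
    for (const [key, value] of Object.entries(reading)) {
      if (key === "timestamp") continue;
      // Accuracy limit: round every numeric axis (x, y, z, bias, ...) uniformly.
      out[key] = typeof value === "number" ? Math.round(value * factor) / factor : value;
    }
    return out;
  };
}

// Runs a whole raw stream through a fresh filter; returns only the delivered readings.
function applyFilter(readings, options) {
  const filter = makeSensorFilter(options);
  return readings.map(filter).filter((r) => r !== null);
}

// Constructed sample input: one second of a 100 Hz accelerometer stream with
// fractional-millisecond timestamps and full-precision values.
function sampleStream() {
  return Array.from({ length: 100 }, (_, i) => ({
    timestamp: 1000.25 + 10 * i,
    x: i * 0.123456,
    y: -9.80665,
    z: Math.sin(i / 7),
  }));
}

const delivered = applyFilter(sampleStream(), { maxHz: 10, timestampStepMs: 100, valueDecimals: 2 });
console.log(delivered.length, "readings delivered; second one:", delivered[1]);
```

With the defaults above, 100 raw readings per second collapse to 10 delivered readings whose timestamps sit on a 100 ms grid, which is the kind of frequency and accuracy limit the review notes the sub-specs never recommend concretely.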