- From: simoneonofri <notifications@github.com>
- Date: Mon, 22 Apr 2024 03:19:56 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/932/2069024041@github.com>
Hello @anssiko, @ibelem, @backkem, and @wangw-1991, The work looks very interesting to me, congratulations. Regarding security and privacy, could you include a specific threat model for this issue? In addition to the typical cases already in the Open Screen Protocol (e.g., Passive Network Attackers, Active Network Attackers, DoS), it would be interesting to consider possible Abuse of Functionalities (so what a threat actor can implement with this technology) and reason about mitigations. To give some examples: - It could certainly be interesting as a P2P communication method during an attack, as it is currently used SMB for [Protocol Tunneling](https://attack.mitre.org/techniques/T1572/) - Used the [Discovery](https://attack.mitre.org/tactics/TA0007/) phase, and then for fingerprinting the devices present but also for doing user profiling (if you always have the same devices present), as mentioned in [12.2 Personally identifiable information](https://wicg.github.io/local-peer-to-peer/#security-and-privacy-considerations) - Could have some similarities with [UPnP](https://datatracker.ietf.org/doc/html/rfc6970#section-6) Thank you! -- Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/932#issuecomment-2069024041 You are receiving this because you are subscribed to this thread. Message ID: <w3ctag/design-reviews/issues/932/2069024041@github.com>
Received on Monday, 22 April 2024 10:20:00 UTC