W3C home > Mailing lists > Public > public-webrtc-logs@w3.org > February 2019

Re: [mediacapture-main] Mitigate fingerprinting from OverconstrainedError in gUM(). (#564)

From: youennf via GitHub <sysbot+gh@w3.org>
Date: Thu, 14 Feb 2019 17:18:45 +0000
To: public-webrtc-logs@w3.org
Message-ID: <issue_comment.created-463712683-1550164724-sysbot+gh@w3.org>
This PR tries to mitigate information leakage in the case enumerateDevices does not stop leaking information.

Even with this PR though, one could silently learn some information about the device setup that cannot be gathered from enumerateDevices.
For instance, by mixing width constraint with deviceId constraint, a script could potentially distinguish cases like 720p vs 1080p cameras with no prompt triggered:
- If constraintName is width (length of failedConstraints is 2), capture at that resolution is not supported.
- If constraintName is deviceId (length of failedConstraints is 1), capture at that resolution is supported.

The fingerprinting statement is good to have.
I wonder whether this is the error that silently gives fingerprint information or just failureConstraint. If it is the latter, we could be more explicit in the statement.

It would be nice to add some mitigation to this fingerprinting, for instance:
"User agents MAY tamper the value of failedConstraint as a fingerprinting mitigation".

-- 
GitHub Notification of comment by youennf
Please view or discuss this issue at https://github.com/w3c/mediacapture-main/pull/564#issuecomment-463712683 using your GitHub account
Received on Thursday, 14 February 2019 17:18:48 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 4 June 2019 15:32:55 UTC