- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Mon, 25 Nov 2013 10:14:29 -0800
- To: cowwoc <cowwoc@bbs.darktech.org>
- Cc: "public-webrtc@w3.org" <public-webrtc@w3.org>
On 25 November 2013 08:56, cowwoc <cowwoc@bbs.darktech.org> wrote:
> One thing I didn't understand (and was not explained) is why screen sharing
> is substantially more security-sensitive than webcam sharing? I get the fact
> that someone could use screen sharing to snoop on my banking activity, but
> how is this any more security sensitive than knowing what I look like and
> where I live? If the security dialog is good enough for webcam sharing, why
> is it not good enough for screen sharing?

The difference between screen sharing and media is largely in the way that users comprehend the security issues. It's relatively easy to understand what sharing your image or voice is going to do. Most people just get it straight away: "share the camera? yes/no" is a pretty easy thing to understand.

Screen sharing seems obvious, but it is far from it. Sharing what you can see might seem safe, but when a site has the ability to frame in content, capture it, then hide the frame, all without you noticing, the secrets that they can steal are many. Take the cross-site request forgery tokens that many sites with strong security requirements put in HTML (the target of BREACH attacks); adding an iframe with view-source:https://... that briefly shows this would allow sites to hijack sessions. Add eye tracking from your camera, and your chance of noticing the attack approaches zero.

You are not the only person to have asked this question, which makes it obvious to me that asking users would be hugely irresponsible. The choice that Justin is making is a step in the right direction, but I still believe it to be insufficient.

> And finally, couldn't you simply require the use of SSL for this feature and
> then ban malicious applications based on their certificate?

How exactly were you going to identify an application as malicious? After they steal someone's life savings? Keep in mind that it's only a matter of milliseconds to stand up a new site with a new certificate.
Received on Monday, 25 November 2013 18:15:13 UTC
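The frame-capture-hide scenario in the message above relies on the attacker's page being able to put the victim site in an iframe in the first place. A site that keeps secrets such as CSRF tokens in its HTML can refuse to be framed, which removes that step regardless of what the screen-sharing prompt looks like. The following is an added example, not code from the original email or from the WebRTC working group; the function names, the sample origins and the simulated browser-side check are assumptions for illustration.

```javascript
// Added example (not from the original email): build anti-framing response
// headers for a sensitive page and simulate how a browser evaluates them.
// Names (antiFramingHeaders, framingAllowed) and origins are assumptions.

const HTTPS_ORIGIN = /^https:\/\/[a-z0-9.-]+(:\d{1,5})?$/i;

// Headers a page carrying secrets in its HTML should send. allowedOrigins
// lists the only origins permitted to frame it; empty means nobody may.
function antiFramingHeaders(allowedOrigins = []) {
  for (const origin of allowedOrigins) {
    // Only well-formed https origins make sense here; anything else is a bug.
    if (!HTTPS_ORIGIN.test(origin)) throw new Error(`not an https origin: ${origin}`);
  }
  const sources = allowedOrigins.length === 0 ? ["'none'"] : allowedOrigins;
  return {
    'Content-Security-Policy': `frame-ancestors ${sources.join(' ')}`,
    // Legacy fallback: browsers that honour frame-ancestors ignore this header
    // when both are present; older ones still get DENY / SAMEORIGIN.
    'X-Frame-Options': allowedOrigins.length === 0 ? 'DENY' : 'SAMEORIGIN',
  };
}

// Simulated browser-side decision: may a page at pageOrigin, served with
// these headers, be loaded inside the given chain of ancestor origins?
// Every ancestor (outermost to innermost) must be allowed.
function framingAllowed(headers, pageOrigin, ancestorOrigins) {
  const csp = headers['Content-Security-Policy'] || '';
  const match = csp.match(/frame-ancestors\s+([^;]+)/);
  if (match) {
    const sources = match[1].trim().split(/\s+/);
    if (sources.includes("'none'")) return ancestorOrigins.length === 0;
    return ancestorOrigins.every(
      (a) => sources.includes(a) || (sources.includes("'self'") && a === pageOrigin),
    );
  }
  const xfo = (headers['X-Frame-Options'] || '').toUpperCase();
  if (xfo === 'DENY') return ancestorOrigins.length === 0;
  if (xfo === 'SAMEORIGIN') return ancestorOrigins.every((a) => a === pageOrigin);
  return true; // no policy at all: any site may frame (and capture) this page
}

// Constructed scenario from the message: a banking page and an attacker site.
const bank = 'https://bank.example';
const attacker = 'https://attacker.example';
const locked = antiFramingHeaders();
console.log(locked);
console.log('attacker can frame locked page:', framingAllowed(locked, bank, [attacker]));
console.log('attacker can frame unprotected page:', framingAllowed({}, bank, [attacker]));
```

The unprotected case is the one the email describes: with no policy the attacker's page can embed the bank, capture it through a screen-share, and hide the frame. The `frame-ancestors 'none'` case blocks the embed before any capture can happen, which is the check a practitioner should look for first when reviewing a site that keeps tokens in its markup.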