Re: Why does screen sharing require a browser extension?

On 25/11/2013 4:57 PM, Harald Alvestrand wrote:
>> This contradicts Justin's argument as I understood it. He stated that
>> by moving the code from JS into a browser extension Google could ban
>> malicious apps as they are found. I don't see the difference between
>> enforcing bans by way of extensions or by way of having developers
>> ask the app store to approve their application (point to an
>> external address + SSL certificate) and then if the application is
>> found to be malicious simply ban all apps associated with the SSL
>> certificate. This way Google still gets to review apps, ban the ones
>> that are malicious, and users don't need to go through the hassle of
>> installing a plugin.
> When there's no application to install, what constitutes "the app", exactly?

I believe that certificates can be issued against specific domains, or 
sub-domains, or wildcards for multiple sub-domains. More on this below.

> An SSL certificate does not form a contract between anyone except the
> certificate issuer and the private-key owner.
>
> An application present in an app store indicates that the application
> owner has agreed to the terms and conditions for that app store, which
> usually gives the app store owner the explicit right to take down the
> application if it is found to be malicious.

I am proposing the following:

 1. I deploy a website at widgets.com containing one or more web
    applications.
 2. I send Chrome's App Store my certificate, indicating that I plan to
    use it for widgets.com.
 3. Depending on whether you plan to whitelist or blacklist apps,
    Chrome's team would review widgets.com before accepting its certificate.
 4. Once the certificate is accepted, any user hitting widgets.com will
    be able to use screen capturing without installing any plugin.
 5. If somewhere down the line one of the apps hosted off widgets.com is
    found to be malicious, the associated certificate is removed from the
    app store. Anyone hitting widgets.com will get a warning dialog
    explaining that the website was found to contain malicious content
    (similar to what Chrome displays today for websites containing malware).

Gili

Received on Tuesday, 26 November 2013 07:38:18 UTC