- From: Justin Uberti <juberti@google.com>
- Date: Tue, 26 Nov 2013 08:45:14 -0800
- To: cowwoc <cowwoc@bbs.darktech.org>
- Cc: "public-webrtc@w3.org" <public-webrtc@w3.org>
- Message-ID: <CAOJ7v-2qNKp2WhOHv4+oZY0QhKdUaVenJSTXH384nw8X=3TguA@mail.gmail.com>
No, you aren't safe. screenshare.com could IFRAME in bank.com and then you're hosed. Basically, anything that has the ability to screenshare can open ANY WEB SITE of its choosing in an IFRAME - and because it will use the same browser context, it will already be authenticated - making it trivial to capture sensitive information.

On Tue, Nov 26, 2013 at 1:07 AM, cowwoc <cowwoc@bbs.darktech.org> wrote:

> On 26/11/2013 3:42 AM, Harald Alvestrand wrote:
>
> On 11/26/2013 09:09 AM, cowwoc wrote:
>
> Hi Justin,
>
> On 25/11/2013 6:58 PM, Justin Uberti wrote:
>
> Others have already made the points I was going to, but I'll summarize:
> - Screensharing is more dangerous than webcam access, because the attacker
> can record the screen, AND control what is displayed on it.
>
>
> Agreed but only if you interpret screen-sharing as co-browsing. It is
> possible to limit screen-sharing to read-only screen recording, without the
> ability to control what is being displayed on it, in which case none of
> these security concerns exist.
>
>
> Gili, it's a JAVASCRIPT APPLICATION.
>
> What Javascript applications do in general is to control what the browser
> shows on the screen.
>
> Unless you want to limit screencasting to 'casting everything EXCEPT for
> the browser (a very marginal use case, and totally inconsistent with
> everything people are currently deploying screencasting for), the
> Javascript will be able to control whatever Javascript is usually able to
> control.
>
> Please think this through.
>
> Harald,
>
> You seem to be misunderstanding what I had in mind. I'm talking about the
> following:
>
> Alice opens bank.com in tab 1, screenshare.com in tab 2. She instructs
> the WebRTC application in tab 2 to screen-share tab 1. It is my
> understanding that Javascript cannot do cross-tab scripting, and as such
> we'd be safe. The cross-tab operation is being implemented by the browser,
> not Javascript.
>
> Gili
>
Received on Tuesday, 26 November 2013 16:46:04 UTC
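
Added example, not part of the original message or of any browser's code: the IFRAME case in the reply above depends on the framed site letting a foreign origin embed it, which a site controls with the `X-Frame-Options` header and the CSP `frame-ancestors` directive. The function names and sample headers are constructed, and the matcher assumes a single direct embedder, one CSP header and host sources without ports.

```javascript
// Added example: which origins may frame a page, judged from its response headers.
// Simplified model: one direct http(s) embedder, one CSP header, no ports in sources.
function matchesSource(source, embedderOrigin, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return embedderOrigin === pageOrigin;
  if (s === '*') return true;
  const e = new URL(embedderOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return e.protocol === s; // scheme only, e.g. https:
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([a-z0-9.-]+)$/.exec(s);
  if (!m || e.protocol !== m[1] + ':' || e.port !== '') return false;
  // "*.bank.com" covers subdomains only, not bank.com itself.
  return m[2] ? e.hostname.endsWith('.' + m[3]) : e.hostname === m[3];
}

function framingAllowedFor(headers, embedderOrigin, pageOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // When frame-ancestors is present it is enforced and X-Frame-Options is ignored.
  const csp = h['content-security-policy'] || '';
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') {
      return sources.some((s) => matchesSource(s, embedderOrigin, pageOrigin));
    }
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === pageOrigin;
  return true; // no header, or a value browsers ignore (e.g. ALLOW-FROM): not blocked
}

// Constructed sample responses for the bank.com / screenshare.com scenario.
const BANK = 'https://bank.com';
const SAMPLES = {
  'no framing headers': {},
  'XFO DENY': { 'X-Frame-Options': 'DENY' },
  'CSP none': { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  'CSP subdomains': { 'Content-Security-Policy': "frame-ancestors 'self' https://*.bank.com" },
};
for (const [label, headers] of Object.entries(SAMPLES)) {
  console.log(label, '->', framingAllowedFor(headers, 'https://screenshare.com', BANK));
}
```

These headers cover only the embedded-frame case; they say nothing about what a capture of the whole screen or of another tab can see.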