- From: cowwoc <cowwoc@bbs.darktech.org>
- Date: Tue, 26 Nov 2013 15:35:35 -0500
- To: Justin Uberti <juberti@google.com>
- CC: "public-webrtc@w3.org" <public-webrtc@w3.org>
- Message-ID: <52950617.4050405@bbs.darktech.org>
Good point. So I advocate Martin Thomson's approach instead.

Gili

On 26/11/2013 11:45 AM, Justin Uberti wrote:
> No, you aren't safe. screenshare.com could IFRAME in bank.com and then
> you're hosed.
>
> Basically, anything that has the ability to screenshare can open ANY
> WEB SITE of its choosing in an IFRAME - and because it will use the
> same browser context, it will already be authenticated - making it
> trivial to capture sensitive information.
>
> On Tue, Nov 26, 2013 at 1:07 AM, cowwoc <cowwoc@bbs.darktech.org> wrote:
>
> On 26/11/2013 3:42 AM, Harald Alvestrand wrote:
>> On 11/26/2013 09:09 AM, cowwoc wrote:
>>> Hi Justin,
>>>
>>> On 25/11/2013 6:58 PM, Justin Uberti wrote:
>>>> Others have already made the points I was going to, but I'll
>>>> summarize:
>>>> - Screensharing is more dangerous than webcam access, because
>>>> the attacker can record the screen, AND control what is
>>>> displayed on it.
>>>
>>> Agreed but only if you interpret screen-sharing as co-browsing.
>>> It is possible to limit screen-sharing to read-only screen
>>> recording, without the ability to control what is being
>>> displayed on it, in which case none of these security concerns
>>> exist.
>>
>> Gili, it's a JAVASCRIPT APPLICATION.
>>
>> What Javascript applications do in general is to control what the
>> browser shows on the screen.
>>
>> Unless you want to limit screencasting to 'casting everything
>> EXCEPT for the browser (a very marginal use case, and totally
>> inconsistent with everything people are currently deploying
>> screencasting for), the Javascript will be able to control
>> whatever Javascript is usually able to control.
>>
>> Please think this through.
>>
> Harald,
>
> You seem to be misunderstanding what I had in mind. I'm talking
> about the following:
>
> Alice opens bank.com in tab 1, screenshare.com in tab 2.
> She instructs the WebRTC application in tab 2 to screen-share tab 1.
> It is my understanding that Javascript cannot do cross-tab scripting,
> and as such we'd be safe. The cross-tab operation is being implemented
> by the browser, not Javascript.
>
> Gili

Received on Tuesday, 26 November 2013 20:36:36 UTC