W3C home > Mailing lists > Public > public-webrtc@w3.org > November 2013

Re: Why does screen sharing require a browser extension?

From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 27 Nov 2013 13:05:25 -0800
Message-ID: <CABkgnnVehSWyWkFoeTnouD=o38jnLQLmTWyk8uPgfz1Ai_=fOw@mail.gmail.com>
To: Steve Kann <stevek@stevek.com>
Cc: cowwoc <cowwoc@bbs.darktech.org>, Justin Uberti <juberti@google.com>, Lorenzo Miniero <lorenzo@meetecho.com>, Silvia Pfeiffer <silviapfeiffer1@gmail.com>, "public-webrtc@w3.org" <public-webrtc@w3.org>
On 27 November 2013 12:45, Steve Kann <stevek@stevek.com> wrote:
> In a world where so many of people’s valuable information is available and
> controllable through the web, doesn’t the fact that I can see and control
> your browser already provide a pathway to deleting all of my google docs,
> viewing my bank records, or accessing my corporate intranet?

That's simply not true.  The web provides a number of protections that
prevents that sort of thing happening.  What you are specifically
asking for here, whether you are aware of it or not, is an end-run
around all those protections.

> In order for this to be “safe”, the user needs to trust:
> The application they are using:   Consider they are using a web conferencing
> application provided by their school or place of business.
> The user to whom they are granting control:  Consider that they are granting
> control to their instructor, or to a trusted colleague.

That is not sufficient.  They also need to trust the software that the
other user is using, plus the network protocols that are being used
(authentication, confidentiality and integrity protection would be a
good start, but even then it gets tricky when you are talking about
confusable characters...)

What you are doing here is asking a user to make a multivariate
assessment of all of these factors and then make a decision based on
that whether to open themselves to the risk of near complete disaster
based on that assessment.  No.

> Non-web applications have been providing this functionality for eons, and
> have demonstrated the demand for it.   What unaddressable security risk are
> we adding here that Lync does not suffer from because of the same feature?

Lync doesn't operate on the web.
Received on Wednesday, 27 November 2013 21:05:52 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 15:19:36 UTC