Re: Security considerations - a proposal

On 04/23/2014 06:20 PM, Martin Thomson wrote:
> On 23 April 2014 04:53, Harald Alvestrand <harald@alvestrand.no> wrote:
>> Security considerations
> Most of these considerations are comm-sec issues that are already
> handled in various IETF documents.
>
> I've no fundamental objection to that, particularly as a set of
> pointers, but I think that the focus needs to be on the web platform.
> There are probably a bunch of web platform issues that we need to
> highlight.  One that springs to mind is the range of concerns around
> user consent or lack thereof.  Noting that a data channel can be
> created to an arbitrary peer without user consent, and why, might go
> some way to addressing a commonly raised, but invalid concern.  Less
> necessary, but in a similar vein, is discussion of access to
> processing and bandwidth resources.

At the moment, we don't have any user consent features in the webrtc
part of WebRTC, and I'd like to keep it that way. It could be good to
make that decision explicit here.

>
> One such concern here is that this API enables the distribution of
> media to other entities.  The security properties of the web demand
> that cross origin content be inaccessible to content.  Some text on
> that subject is probably appropriate.  (Yes, you can stick me with
> that last one, but it might take me a little while.)

I'll try to say something based on stream isolation properties 
(including that streams by default can be sent to anyone), and then 
challenge you to get the functions right to support what I've written :-)

Received on Wednesday, 23 April 2014 16:28:14 UTC