Re: What is missing for building "real" services?

On 1/10/14 7:22 PM, Silvia Pfeiffer wrote:
>
> On 11 Jan 2014 06:55, "Jan-Ivar Bruaroey" <jib@mozilla.com> wrote:
> >
> > On 1/9/14 8:22 PM, Alexandre GOUAILLARD wrote:
> >>
> >> 3. See this entire e-mail as an expression of my frustration:
> >> - yes, everybody agrees it's important
> >> - yes, chrome has *an* implementation
> >> - yes, we all agree it's sensitive, and there are a lot of 
> identified scenarii where things would go wrong.
> >> but can we for the love of all the good things out there, not stay 
> stuck at the above three lines and come up with something, anything, 
> that enables it without a plugin or an extension (but with care and 
> with some fences around it to prevent).[...]
> >>
> >>
> >> I certainly don't know enough about the subject even though I read 
> all the cited draft, specs and related discussion online, and I don't 
> have the experience that some (most) of you guys here have. But it 
> does not mean I don't have a point. I also do not pretend to know 
> enough, and I would have no problem joining any kind of informal task 
> force including chrome and mozilla people, at anytime of the day or 
> night (I'm 15 hours away from pacific time) and try super hard to 
> understand all aspects, if such a task force was set up with the will 
> to find a way to make it happen. I can even code parts and/or dedicate 
> staff to this. I just would like to see something coming else than 
> making a plugin.
> >
> >
> > This is the task force. The place to solve this is here.
> >
> > It's not that hard to understand:
> >
> > A webpage today is allowed to manipulate content it cannot see. It 
> can make your bank-account page dance across your screen, but it 
> cannot see it. Screengrabbing is like giving it a mirror. With that 
> mirror, it can target and grab all your online information in a 
> flickeringly short second. Explain that to people.
>
> What happened to the idea of blacking out all tabs that don't have an 
> explicit permission set, e.g. something like a meta tag of 
> "screensharing=allow"? I thought that would mediate this issue.
>

If it defaulted to "screensharing=disallow" then I would agree. But I 
like the idea. Is there no existing "possibly sensitive information" tag 
or formula we could key off of for a better default? A whitelist of bank 
sites?

> Silvia.
>

.: Jan-Ivar :.

Received on Sunday, 12 January 2014 22:19:52 UTC