Re: WebRTC Security Assessment

From: Bert Bos <bert@w3.org>
Date: Thu, 27 Nov 2014 19:56:31 +0100
To: public-webrtc@w3.org
Message-Id: <201411271956.31797.bert@w3.org>

Jan-Ivar Bruaroey wrote:
> On 11/13/14, 2:17 PM, Stephen Farrell wrote:
> > It's in the nature of this kind of project/report that it's
> > developed over an extended period so with a fast-moving area
> > like this it's not a surprise that stuff gets outdated. We're
> > in any case happy to fix that.
> 
> With respect to the permissions Randell mentions, Firefox never worked 
> the way the report claims, which makes the claims wrong, not outdated.
> 
> I agree it's OK to be wrong and fix things, but that's different from 
> claiming it used to be right.

I wrote the original text on which the section about camera permissions in 
the STREWS report[1] (section 3.2) is based. Checking my notes, it appears 
it was in December 2013. I may of course have misinterpreted what I 
observed, but I was pretty careful.

I didn't find an option in Firefox to set permissions permanently for a 
given site or URL. Firefox also didn't distinguish between HTTP and HTTPS 
connections, as Chrome did (which is probably a good thing, in terms of user 
interface, but that aside). And I didn't find a way to revoke permissions, 
other than by closing the browser window. It is possible that closing just 
the tab would have been enough. (I didn't have other tabs open so I didn't 
try that.) But I found no button or menu anywhere in the browser to stop the 
camera.

Firefox is different now: When Firefox 33 asks for permissions, it shows a 
drop-down menu to choose between one-time and permanent permissions. And it 
has a button in the location bar to revoke the permissions.

Unfortunately, I forgot to write down the version of Firefox I tested. 
Looking back through my notes, it actually can't be Firefox 28, as our 
errata say, but probably FF 25 or 26. (We started writing section 3.2 of the 
report in March, i.e., when FF 28 was out, but it re-used my text from 
December.)

The STREWS report wasn't meant to be published this late and we're glad it 
is finally done :-) but we'll add an errata to the PDF, or even make an 
updated version. It is misleading to describe Firefox in the present tense 
when the described version is actually from a year ago.

And b.t.w., thanks for checking the report!


[1] http://www.strews.eu/results/91-d12



Bert
-- 
  Bert Bos                                ( W 3 C ) http://www.w3.org/
  http://www.w3.org/people/bos                               W3C/ERCIM
  bert@w3.org                             2004 Rt des Lucioles / BP 93
  +33 (0)4 92 38 76 92            06902 Sophia Antipolis Cedex, France
Received on Thursday, 27 November 2014 18:57:00 UTC