- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Wed, 4 Feb 2015 17:28:52 +1100
- To: Harald Alvestrand <harald@alvestrand.no>
- Cc: "public-webrtc@w3.org" <public-webrtc@w3.org>
On 4 February 2015 at 16:47, Harald Alvestrand <harald@alvestrand.no> wrote: > We have discussed this before, and concluded that a confirmation dialog > makes no more sense than having a confirmation dialog for performing an > XHR request or opening a Websocket - neither of which requires > confirmation dialogs today. Yes. Every time something like this comes up, someone inevitably suggests that asking users is an acceptable way to deal with it, as if somehow that transfers the responsibility for solving the problem onto users. Even if we could communicate the risks effectively, which I don't believe we can, I still wouldn't be in favour of a dialog. There are two concerns here: 1. fingerprinting - for which I believe the only recourse is to disable the feature. The combination of device enumeration and SDP provides a fairly rich surface even without IP addresses. 2. exposure of privacy-VPN users. This latter is what people seem most concerned with at this point in time. And I'm not against someone building options into their browser to manage this. That, or, if the VPN is for privacy-preserving purposes, the interfaces that are potentially revealing could be disabled. Neither option requires action by this group.
Received on Wednesday, 4 February 2015 06:29:19 UTC