- From: Ian Hickson <ian@hixie.ch>
- Date: Fri, 16 Nov 2012 18:06:31 +0000 (UTC)
- To: David Barrett-Kahn <dbk@google.com>
- Cc: whatwg@lists.whatwg.org
On Thu, 15 Nov 2012, David Barrett-Kahn wrote: > > Ian, I'd be interested in what you had in mind when you said 'a lot of > user opt-in'. I don't know, exactly. It has to be something where we're confident that the user understands that he is about to send sensitive information to a stranger. The concern isn't when this is used by a company like Apple or Facebook; the worst such companies are going to do with sensitive data is target ads better or make their products more streamlined. The concern is when some attacker wants to get information about your company's intranet's topology, or wants to know what potentially vulnerable plugins or extensions you have installed, or wants to know what software you are running, so that they can more precisely target you. Such an attacker can trivially provide you with a game to play, and then have the game crash, misleading you into thinking they're a perfectly honest game developer and causing you to eagerly send them all the sensitive information they want. These are not hypothetical concerns. Over the last few years, targetted attacks of this nature have become much more common and are a real threat. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 16 November 2012 18:25:41 UTC