- From: Satish Sampath <satish@google.com>
- Date: Wed, 3 Nov 2010 15:15:35 +0100
- To: Olli@pettay.fi
- Cc: public-xg-htmlspeech@w3.org
> Another possible requirement is that webapps should not know the exact > speech engine installed locally. I mean the vendor and version etc. > There are few reasons for this; webapps should just work everywhere, > no browser/speech engine specific hacks. I agree with this point. > Another reason is that by exposing the exact vendor/version, that would > help hackers to attack against that particular system. > (I assume many speech engines are written in C/C++ or in other unsafe > languages and may not be fuzz tested properly. Well, implementation > done in a memory safe language may still have other security bugs. > I basically want to make a new attack vector a tiny bit harder for hackers.) I think our proposal should not be concerned about bugs in speech service implementations, because they are short term issues and may get fixed soon after they are discovered. > Third reason would be to not add yet another way to fingerprint user. I agree with this view, and I think allowing speech services to return custom fields/parameters in the recognition output can be a way for the web page to identify which speech service is being used.
Received on Wednesday, 3 November 2010 14:16:06 UTC