Re: [rtcweb] Notes on security for browser-based screen/application sharing

Ron <ron@debian.org> Fri, 22 March 2013 15:37 UTC

Date: Sat, 23 Mar 2013 02:07:49 +1030
From: Ron <ron@debian.org>
To: rtcweb@ietf.org
Message-ID: <20130322153749.GD19099@audi.shelbyville.oz>
References: <CABcZeBPs=znh-BUCRoVkPC1UuQt-xxf-COD+SGE59ASBzRZbJQ@mail.gmail.com> <C5E08FE080ACFD4DAE31E4BDBF944EB11342CB58@xmb-aln-x02.cisco.com>
In-Reply-To: <C5E08FE080ACFD4DAE31E4BDBF944EB11342CB58@xmb-aln-x02.cisco.com>
Subject: Re: [rtcweb] Notes on security for browser-based screen/application sharing

On Fri, Mar 22, 2013 at 01:50:37PM +0000, Cullen Jennings (fluffy) wrote:
> 
> One comment on this from a requirements point of view…
> 
> Clearly sharing the "desktop" has far more security concerns than sharing a
> single application such as PowerPoint. All the use cases I am interested in
> only need to share an application not a desktop. I think we should separate
> the handling of permissions along these lines. So I would be fine with "share
> desktop" needing an explicit grant of permission every time it was invoked
> (preferably by the user selecting this as part of choosing what to share in a
> browser chrome window). On the other hand, when sharing an application I
> might be OK with a persistent permission based on an install model but when I
> think about the real use cases, I'm not sure that is needed if we have a
> good browser based dialog box to pick what will be shared. 
> 
> When the application being shared is the browser there are also the
> additional problems as you point out. My view of the best way to solve these
> would be to scope the "application" being shared to the origin. What I mean
> by this is assume that I have my browser open to two webpages, one with an
> origin of gmail.com and the other to github.com and I am also running
> powerpoint and word. When the browser pops up a dialog box asking me what I
> wanted to share, it would give me 5 choices "Firefox (Gmail.com)", "Firefox
> (github.com)", "Word", "PowerPoint", and "Everything" and let me pick.

Do you really only have 2 browser tabs and 5 things running on your computer?

If it was to offer me something like that on the machine I'm typing on right
now (which is the one I'd be most likely to want to share something on if I
did), then browser tabs alone would give me a few hundred checkboxes, and if
we add my entire desktop and all the things running on it, then we're well
into Over 9000 territory ...   and I'm not sure I'd _want_ my browser to have
easy access to those things anyway, at least not without a whole lot of clear
opt-in and easy opt-back-out-again going on.

If I was to say I wanted to share my PDF reader, would I really want to share
all of the many dozens of documents currently open in it with a single checkbox?
What is the 'origin' for those if they're all cached on my local disk?

I'm not saying you aren't sort of on the right track here, but that's a data
point for a real world system ...

  Ron