Re: [rtcweb] Notes on security for browser-based screen/application sharing

Harald Alvestrand <harald@alvestrand.no> Tue, 26 March 2013 22:27 UTC

On 03/26/2013 10:15 PM, Stephen Farrell wrote:
>
> On 03/26/2013 09:00 PM, Timothy B. Terriberry wrote:
>> Stephen Farrell wrote:
>>> Are there other things on the user's device that might
>>> end up being shared? E.g. accelerometers or other sensors.
>>> There have been papers demonstrating that access to such
>>> information can reveal lots of things, e.g. passwords.
>> You mean like <https://bugzilla.mozilla.org/show_bug.cgi?id=681562>?
> Yep. Are the use-cases in webrtc for that kind of sensor
> data to be made available over the n/w or is it all handled
> locally?

I think the DAP WG in the W3C is the right place to address APIs for 
sensor data.
They're one of the parent WGs of the Media Capture Task Force, which is 
charged with getting the specs right for getusermedia, so one would 
assume they're aware of the discussions there.

But in my opinion, neither the WEBRTC WG nor the RTCWEB WG have this in 
their charters.

I advocate separation of concerns; if people want to work on this, go there.

>
> Ta,
> S.