Re: [rtcweb] Why persistent consent for HTTP is a problem

Stefan Hakansson LK <stefan.lk.hakansson@ericsson.com> Wed, 27 June 2012 08:21 UTC

Would it be feasible to allow only pages delivered over https to use 
persistent consent?

(I think that in certain situations it could be annoying to have to give 
consent every time)

Stefan

On 06/27/2012 01:52 AM, Igor Faynberg wrote:
> Not only that, but I find it hard to understand why anyone would need to
> give persistent consent for accessing media devices to any device.
>
> I also thought the issue was closed for good.
>
> (Sorry, I could not be present at the interim meeting, even remotely...)
>
> Igor
>
> On 6/26/2012 6:59 PM, Eric Rescorla wrote:
>> In Martin's review of draft-ietf-rtcweb-security-arch, he (re)raised
>> the question of persistent consent for camera/microphone access from
>> pages served over HTTP.  I had thought this issue closed, but in the
>> discussion at the interim there seemed to be a fair amount of
>> sentiment that people hadn't understood the security issues and now
>> believed that this was a bad idea. I agreed to attempt to re-start the
>> discussion with a clearer description of what the problem was, hence
>> this message.
>>
>> Here's the basic attack:
>> Say that I have given persistent permission to access my camera and
>> microphone to any page from http://www.example.com/. Now, I go to an
>> Internet cafe and surf to *any* HTTP page, e.g.,
>> http://www.google.com/. At this point, any attacker who controls the
>> wireless network can redirect that access to point to
>> http://www.example.com/ and inject JS that reads from my camera and
>> microphone.
>>
>> That's pretty bad, but made worse by the following facts:
>> 1. It's not that hard for the attacker to open up
>> popups/popunders/iframes, etc. that are in the domain of example.com
>> but actually execute code from the attacker.  So, once you've opened
>> the browser in a hostile environment, the attacker can bug you at
>> times of his choosing until you close your browser.
>>
>> 2. If your browser does any sort of auto-refresh (e.g., because
>> the page refreshes itself) then you can get infected even if you
>> don't do anything deliberate.
>>
>> 3. This also applies if you are using any kind of open wireless
>> network, such as if your home network doesn't use a strong
>> enough WPA key.
>>
>>
>> So, the executive summary is: if you have a persistent permission
>> for an HTTP site, and you ever use your browser on any insecure
>> network, an attacker can bug your computer until you close your
>> browser. This seems bad.
>>
>> Does this change people's opinions about what the rules should be
>> about whether browsers permit persistent HTTP permissions?
>>
>> -Ekr
>> _______________________________________________
>> rtcweb mailing list
>> rtcweb@ietf.org
>> https://www.ietf.org/mailman/listinfo/rtcweb
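
Added example (not part of the original thread, and not code from any browser): a toy consent store that applies the rule proposed in the reply above, keeping a persistent camera/microphone grant only for https: origins and downgrading an http: grant to one-time. The names ConsentStore, grant, newPageLoad, decide and demo are hypothetical, and the URLs are constructed sample input.

```javascript
// Toy model of a browser's camera/microphone consent store (illustrative only).
class ConsentStore {
  constructor() {
    this.persistent = new Set(); // origins whose grant survives across visits
    this.oneTime = new Set();    // grants valid for the current page load only
  }

  // Record the user's answer; returns the kind of grant actually stored.
  grant(url, { persistent }) {
    const u = new URL(url);
    // Only a TLS-authenticated origin may keep a grant across visits:
    // an http: origin can be impersonated by whoever controls the network.
    if (persistent && u.protocol === "https:") {
      this.persistent.add(u.origin);
      return "persistent";
    }
    this.oneTime.add(u.origin);
    return "one-time";
  }

  // Called on every new page load: one-time grants do not survive it.
  newPageLoad() {
    this.oneTime.clear();
  }

  // "allow" if a grant covers this exact origin (scheme included), else "prompt".
  decide(url) {
    const origin = new URL(url).origin;
    return this.persistent.has(origin) || this.oneTime.has(origin)
      ? "allow"
      : "prompt";
  }
}

// Constructed scenario: the user ticks "remember" on both an http: and an https: page.
function demo() {
  const store = new ConsentStore();
  const r = {};
  r.httpGrant = store.grant("http://www.example.com/call", { persistent: true });
  r.httpsGrant = store.grant("https://www.example.com/call", { persistent: true });
  r.sameLoad = store.decide("http://www.example.com/call");
  store.newPageLoad(); // later load, e.g. on an open wireless network
  r.httpLater = store.decide("http://www.example.com/injected");
  r.httpsLater = store.decide("https://www.example.com/call");
  return r;
}
```

With this rule, content later served as http://www.example.com/ on an untrusted network triggers a fresh prompt, while the https: origin keeps its stored grant.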