On Sat, Mar 7, 2015 at 11:48 AM, Aryeh Gregor <a...@aryeh.name> wrote:
> On Fri, Mar 6, 2015 at 7:27 PM, Anne van Kesteren <ann...@annevk.nl> wrote:
> > A large number of permissions we currently allow users to store
> > persistently for a given origin. I suggest we stop offering that
> > functionality when there's no lock in the address bar. This will make
> > it harder for a network attacker to abuse these permissions. This
> > would affect UX for:
> >
> > * Geolocation
> > * Notification
> > * Fullscreen
> > * Pointer Lock
> > * Popups
>
> What attack is this designed to mitigate? If the user allows an
> unsecured site to use (for instance) geolocation, whether persisted or
> not, an MITM will be able to get the geolocation info as long as
> they're intercepting the traffic, right? And if they have some way to
> persist their scripts via injecting modified resources with long cache
> timeouts or such, they can still get the info as long as the user
> keeps clicking "yes". And the user will definitely keep clicking yes,
> because a) they clicked it the first time, and b) you have conditioned
> them to click "yes" a million times on the same site. So how does not
> persisting this info help at all? Probably I'm missing something
> obvious.

Let's consider a different example than the one you propose: access to the camera and microphone via getUserMedia(). Say that a site adds a feature which lets you take a picture of yourself for your avatar (come to think of it, I wish github did this). If the permissions are persistent, then the site (or if HTTPS isn't used, any network attacker) can access my camera and see what's going on in my room at any time [0] and largely without my knowledge. By contrast, if I need to click OK in order to give a remote site access to my camera (even if I generally do consent without much thought) this makes the attack much more difficult to mount. A similar set of arguments seems to me to apply to geolocation.

It's one thing to give a temporary grant of access, and quite another to let any network attacker track me whenever they want.

-Ekr

P.S. Anne, thanks for raising this issue.

[0] This isn't a hypothetical kind of attack. See, for instance, the description of ratters in Brocker and Checkoway, page 11.
https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/brocker

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
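The avatar-photo scenario above, as an added toy model of the policy the thread is debating (this is illustration code written for this page, not Firefox code and not anything posted in the thread). Browsers key permission grants by origin, so script that a network attacker injects into a page on an http:// origin runs as that origin and inherits whatever the user persisted for the legitimate site. The model compares "persist anywhere" against "persist only on a secure context". The origin names, the "camera" permission label and the callback standing in for the user's answer to a prompt are all constructed for the example; in particular, the model assumes the user would refuse the attacker's later request if actually prompted, which is the point Aryeh's message disputes, so read the result as "what the proposal buys if the user does say no".

```javascript
// Added illustration (not code from the thread or from any browser): a toy
// model of the permission-persistence policy under discussion. Grants are
// keyed by origin, as browsers key them, so script injected by a network
// attacker into a page on an http:// origin runs as that origin and inherits
// whatever grant the user persisted for the legitimate site.
// Origin strings, the permission name and the user-decision callbacks are
// constructed for the example.

class PermissionStore {
  // persistOnlyIfSecure: the proposed policy. When false, any origin may
  // persist a grant, which is the behaviour the proposal wants to remove.
  constructor({ persistOnlyIfSecure }) {
    this.persistOnlyIfSecure = persistOnlyIfSecure;
    this.persisted = new Map(); // origin -> Set of persisted permission names
    this.promptCount = 0;
  }

  // "Lock in the address bar" approximated as an https:// origin.
  static isSecureContext(origin) {
    return origin.startsWith("https://");
  }

  // Simulates a page at `origin` calling e.g. getUserMedia(). `userDecides`
  // is invoked only when a prompt is shown; `remember` models the user
  // ticking "always allow" on that prompt.
  request(origin, permission, userDecides, remember) {
    const saved = this.persisted.get(origin);
    if (saved && saved.has(permission)) {
      return { granted: true, prompted: false }; // silent reuse of a persisted grant
    }
    this.promptCount += 1;
    const granted = userDecides();
    const mayPersist =
      !this.persistOnlyIfSecure || PermissionStore.isSecureContext(origin);
    if (granted && remember && mayPersist) {
      if (!saved) this.persisted.set(origin, new Set());
      this.persisted.get(origin).add(permission);
    }
    return { granted, prompted: true };
  }
}

// Scenario from the thread: the user takes an avatar photo on the site and
// ticks "remember"; later, script a network attacker injected into a page on
// the same origin calls getUserMedia() again. Assumption: the user would
// refuse that second request if asked.
function simulate(origin, persistOnlyIfSecure) {
  const store = new PermissionStore({ persistOnlyIfSecure });
  const first = store.request(origin, "camera", () => true, true);
  const later = store.request(origin, "camera", () => false, false);
  return {
    firstGranted: first.granted,
    laterGranted: later.granted,
    laterPrompted: later.prompted,
    // the attack the thread is about: camera access with no prompt at all
    silentAccess: later.granted && !later.prompted,
    prompts: store.promptCount,
  };
}

for (const policy of [false, true]) {
  for (const origin of ["http://avatars.example", "https://avatars.example"]) {
    console.log(
      policy ? "persist-only-if-secure" : "persist-anywhere",
      origin,
      simulate(origin, policy)
    );
  }
}
```

Under "persist anywhere" the http:// case gives the injected script camera access with no prompt (`silentAccess: true`, one prompt in total). Under the proposed policy the same sequence shows a second prompt that the user can refuse. The https:// row still persists the grant under either policy, which is the UX the proposal keeps; the model does not try to show that a network attacker cannot inject script into an https:// page in the first place, which is the other half of the argument.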