On 1/4/11 5:48 AM, Diogo Resende wrote:
> Flash is insecure because there's no security policies. It's similar to
> the firefox feature to read files: you read all or you read none. That's
> not a good policy. Something similar to the geolocation would be better
> (this specific site/app can access this specific device).

The problem with adding more capabilities like this in an ad-hoc way is that it involves user trust, and worse yet it involves trust in things the user can't audit and won't realize they're trusting.

For example, say www.foo.com requests access to the user's USB devices. If the user allows the request, then they are trusting that:

1) The site is not malicious (this is the part the user probably
   thinks about when deciding to trust).
2) The site is loaded securely (entirely over https:).  If not,
   there's no guarantee you're talking to the right site.
3) The site has no script-injection vulnerabilities.
4) The site won't be hacked.
5) All the user's CAs are aboveboard and not cooperating with the ISP
   to fake sites (not a given in some countries!).

There are likely a few other things being trusted here that I'm not thinking of; I can guarantee that typical users won't think of #3-5 above, and many won't think of #2 above.

I realize that _you_ trust #2-4 about your own web site. But frankly, history says I shouldn't thus trust your site....

Perhaps we need a stronger model where permission to access devices is granted not to an origin but to a particular script (with the hash of the script stored and permission denied on hash mismatch or something). I don't know. But granting blanket access to an entire origin seems questionable to me.

-Boris
