Security and privacy considerations #45
Comments
|
We should evaluate the Presentation API using the Strawman Self-Review Questionnaire: Security and Privacy kindly authored by @mikewest. It is preferred to do this sooner rather than later, and for example, present and discuss the results of the evaluation at F2F. All - please let us know if you'd like to help evaluate the spec using the questionnaire 1. |
anssiko
changed the title
|
I'm assigning the issue to myself as no one seems to have jumped on it. I do not claim to have any particular expertise on security and privacy issues but I'll try to follow the existing guidelines and questionnaire, and to use common sense. I'll share evaluation results before the F2F. |
|
Depending on the results of the security and privacy evaluation, the Privileged Contexts [1] spec may become relevant:
It seems the Presentation API ticks some of the boxes in Should [insert feature here] require a privileged context? [2]:
[1] https://w3c.github.io/webappsec/specs/powerfulfeatures/ |
|
What follows is a simple and naïve evaluation of the Presentation API following existing security and privacy guidelines. I tried to link to the relevant issue on GitHub each time, or propose initial thoughts. I'll try to come up with more concrete suggestions but thought this would already be a good start for discussions. Please jump in if I forgot something or got something wrong. Secure ContextsLooking at Secure Contexts. In the list of risks associated with insecure contexts, the Presentation API ticks the boxes:
It is worth noting that the Media Capture and Streams spec requires users permission, allows one to enumerate local media devices and yet does not require a secure context (decision is up to user agents). Self-Review Questionnaire: Security and PrivacyLooking at Self-Review Questionnaire: Security and Privacy Does this specification deal with personally-identifiable information?The Presentation API reveals a bit of information about the presence of secondary devices typically discovered through network discovery. This can be used for fingerprinting. More information may be leaked in the future if some sort of filtering based on capabilities is added to the spec (see #9 How to filter available screens according to the content being presented). Requiring user permission before disclosing that information dismisses the initial purpose of improving the user experience (tracked in #10 Is user permission required to prompt for screen availability information?). A few possible mitigations (not necessarily exclusive):
Does this specification deal with high-value data?No. Does this specification introduce new state for an origin that persists across browsing sessions?The set of presentations that are currently known to the user agent may persist across browing sessions. If we enable cross-origin presentation sessions (tracked in #63 Define (cross) origin relationship between opener and presenting page), the URL to present and the presentation ID are the only information needed to join a session. In other words, a presentation would then not be tied to a particular opening origin. We could restrict the set of presentations that are currently known to the user agent per origin to ensure that a third-party Web site cannot hijack a presentation it did not create, for example by saying that D is represented as a set of tuples (O, U, I, S) where O is the URL of the opening browsing context, and by adjusting algorithms accordingly. The specification is also silent about exchanging information in that set of presentations across user agents to authorize other devices to join an existing presentation but that is envisioned (at least in the charter of the group). The Security and Privacy Considerations section should provide informative guidance as to what constitutes a reasonable context for a Web page to become authorized to control a presentation session. Does this specification expose persistent, cross-origin state to the web?See above discussion on fingerprinting. Does this specification expose any other data to an origin that it doesn’t currently have access to?No. Does this specification enable new script execution/loading mechanisms?No. Does this specification allow an origin access to a user’s location?No. Does this specification allow an origin access to sensors on a user’s device?No. Does this specification allow an origin access to aspects of a user’s local computing environment?Yes. The presentation API abstracts away what "local" means for screens, meaning that it exposes network-based screens as though they were local screens. The Presentation API requires user permission to mitigate issues that could arise here. Does this specification allow an origin access to other devices?Yes but note that exposed devices that are able to render HTML content are already exposed to the web, so the Presentation API does not expose devices to the web that aren't created with the web in mind. This may need to be revisited depending on the outcomes of the discussions in #76 URL schemes supported in presentation API, since custom schemes may mean exposing devices that aren't created with the web in mind. Does this specification allow an origin some measure of control over a user agent’s native UI?It might if we allow the Web application to inject additional cloud-based screens to the list assembled by the user agent's native UI (see #61 Add facility for the opening page to add cloud paired screens as presentation targets). If we do allow that, the spec should clearly label these screens as belonging to the site (as noted in the description of the issue) Does this specification expose temporary identifiers to the web?Not sure what "the web" cover in that question, but note that the presentation URL and presentation ID could be used to connect to a running session from another tab or another user agent. They can easily be retrieved if an attacker can inject content in the page. Again, one possible solution would be to restrict the API over secure contexts. Does this specification distinguish between behavior in first-party and third-party contexts?Not clear whether that applies to the Presentation API How should this specification work in the context of a user agent’s "incognito" mode?The spec should clarify what is to happen to the set of known presentations in "incognito" mode. The spec should also specify the restrictions on the presenting browsing context when the opening browsing context is in "incognito" mode. The spec should also probaby note in the "Security and privacy considerations" section that the content displayed on the presenting context is different from the local one. In particular, if the user is logged in in both contexts, then logs out on opening browsing context, she will not be automatically logged out from the presenting browsing context. Applications that use authentication should pay extra care when communicating between devices. This is being tracked by #14 Define user agent context for rendering the presentation. Does this specification persist data to a user’s local device?Yes, the set of presentations known to the user agent should be cleared when the user requests to "clear browsing data" in particular. Does this specification have a "Security Considerations" and "Privacy Considerations" section?Yes. That's the whole purpose of the exercise. Does this specification allow downgrading default security characteristics?No MiscellaneousMessaging channelSee #80 Define security requirements for messaging channel between secure origins. While the spec will not mandate communication protocols, it should set some guarantees of message confidentiality and authenticity. |
|
Thanks @tidoust, this is very helpful. Since the specific issues are conveniently cross-referenced from the questionnaire, we should (also) discuss the security and privacy implications in the respective issues/F2F slots where it makes sense. |
|
In the corresponding thread on public-webscreens, I summarized the open issues around security and privacy as follows:
|
|
|
|
ACTION: @avayvod to explore browser initiated presentation via declarative approach [recorded in http://www.w3.org/2015/05/19-webscreens-minutes.html#action05] |
|
ACTION: @tidoust to look into WebRTC WG's Audio Output Devices API and its reuse in the context of the Presentation API [recorded in http://www.w3.org/2015/05/19-webscreens-minutes.html#action06]
ACTION: @tidoust tidoust to seek review from PING and Web Security IG when the spec has adapted F2F changes [recorded in http://www.w3.org/2015/05/19-webscreens-minutes.html#action08]
|
|
Ref. my action to look into other specs that have "incognito" requirements, I may have been a bit optimistic... I checked and asked around but could not find a specification that imposes additional requirements for the incognito mode. Which does not mean that we should not. In practice, the Technical Architecture Group (TAG) that develops the Private mode browsing spec and with the Privacy Interest Group (PING) are interested in seeing specifications that use this concept. We should get in touch with both of them to seek feedback and advice once we have some initial wording. |
Issue #45: Security and Privacy Considerations
|
[Since we didn't use a purpose built action tracker and just piggybacked on the GH issues for tracking F2F actions, I took the liberty to just amend the corresponding comment above.] Closed actions from the F2F:
@mfoltzgoogle Thanks for the data. In the light of this, I suggest the group attempts to accommodate both the use cases as proposed.
@tidoust Thanks for looking into this. For the record, the Private Mode Browsing spec is currently very much work-in-progress. The "incognito" requirements should be brought up during the TAG review as they may raise the priority of the said spec, volunteers.
Closed with #104 |
anssiko
changed the title
|
Assuming we plan to have feedback from the PING in time for our F2F, I propose we revisit open issues from the security and privacy considerations section. |
|
Note feedback from TAG, notably on the Private Browsing Mode, in: [[ |
|
Current status re privacy (TL;DR: the PING privacy review results are out):
We should review the results at our upcoming F2F and see how to craft the privacy and security section in the spec (the privacy part of it) based on this guidance. Furthermore, we should evaluate whether these review results motivate any changes to the other sections of the specification. |
|
My main privacy concern with the API as it is currently defined, is that it enables probing which DIAL applications the user has installed on their TV. Especially the fact that this can be done without user interaction is concerning. My main concern here isn't the fingerprinting issue, but rather that this might leak personal information about the user. |
|
Good catch. We should note the probing issue in the Security and privacy considerations section. This was not touched upon by PING, likely since the spec does not mention DIAL explicitly. We could also consider amending the respective algorithms with a note. E.g. in Monitor the list of available presentation displays:
This could be amended with text that makes it clear that the given URL may reveal information about the user's system, e.g. apps installed to handle the specifically crafted URL. Also note the UAs may implement measures to mitigate that and how. If this warrants changes to the algorithm, we should look at that too. |
|
See relevant discussions at TPAC F2F during TAG review, privacy review, security review: ACTION: Mark to define a presenting browsing context that sets an empty initial state. Including storage and permissions. |
|
@mfoltzgoogle and myself discussed privacy implications of the Presentation API with PING last week. Christine will send out an email summary. Draft minutes are available at: The gist of the feedback is that the Second Screen WG is doing well with regards to privacy, having already considered the main privacy issues that the specification raises. The privacy evaluation in itself does not reveal new major issues, although we may of course want to consider a couple of notes in the spec to raise awareness on some of the points. The focus on audio/video streaming was intended: streaming audio/video to a remote device is privacy-sensitive, the user needs to be in control (she is in control with the Presentation API through the selection of the second screen and the fact that the user is asked for each new request). That said, Nick raised a couple of new comments during the discussion that I do not remember having been addressed:
See specific issue for details and discussions. |
|
Status:
I see there are a couple of comments above regarding DIAL URLs and one inline issue, let's address these and then I will move to close this, assuming no outstanding comments.
|
plehegar
added
the
tag-tracker
We should complete the Security and privacy considerations section to the Presentation API once we're better aware of the threats.
The spec has been evaluated against Self-Review Questionnaire: Security and Privacy, with results documented in this issue. Furthermore, the Privacy Interest Group (PING) has produced documentation that may be helpful, namely Fingerprinting Guidance for Web Specification Authors and Privacy Considerations for Web Protocols. The Web Security IG review and PING review of the specification have been initiated. This sections should be crafted based on feedback from the respective reviews.
The text was updated successfully, but these errors were encountered: