Add fingerprinting section to PTZ explainer #231
constraints as "ideal" in `getUserMedia` as suggested in | ||
[#229](https://github.com/w3c/mediacapture-image/issues/229). | ||
|
||
1. A malicious website could set pan, tilt, and zoom to minimally different values |
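Review bot: the numbered item that ends this hunk names the attacker's action (setting pan, tilt and zoom to minimally different values) but neither its consequence nor a mitigation; since the section being added is the fingerprinting section, each listed scenario should spell out what a site learns by reading those values back and which of the explainer's mitigations (for example the "ideal" constraint handling referenced in the lines just above) addresses it.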
I think this scenario can be expanded beyond just an evil.com maintaining its own state into an evil.com 3P plug-in that enables leaking the HW state across origins.
E.g., if origins A and B both simultaneously open media streams where A sets PTZ to values {X, Y, Z}, while B reads the current PTZ state, A can leak a large number of bits to B, enabling correlating user IDs between origins.
If these bits are only accessible after the top-level origin has permissions to use the camera, that may not be that bad. Still worthwhile mentioning IMO.
I'm also interested in @JensenPaul's opinions on this.
if origins A and B both simultaneously open media streams where A sets PTZ to values {X, Y, Z}, while B reads the current PTZ state
It seems not great that two different web pages get access to the PTZ at the same time. Should that be prevented? Safari, for instance, mutes a page's capture if a new page starts to capture.
Thanks for the hint @youennf
I've just tried it and Safari indeed "pauses" the camera feed when the camera is accessed from another page to avoid this issue. Note that this is not exposed to web developers though: the mediastreamtrack is not "ended".
I'm about to add this to the explainer. WDYT?
1. Websites from different origins could share pan, tilt, and zoom real-time values during a media session. A way of mitigating this would be to allow only one origin at a time to access and control camera PTZ.
Note that this is not exposed to web developers though: the mediastreamtrack is not "ended".
This is exposed using mute/unmute events. User Agent UI allows unmuting a given page, hence why tracks do not get ended.
Your description sounds like a good addition to me. The notion of origin is a bit vague for third-party iframes in that context but that could be refined later on. I would also mention the possibility to restrict to one top-level browsing context at a time.
Thanks @youennf! Pausing the input (from camera, PTZ, etc) makes sense to me as a proper mitigation. Does that mean that only the foreground tab gets the actual stream input?
In the case of PTZ, it would also mean that the values should be reset to the ones previously set by the origin that can access the data. Essentially, we should treat the PTZ settings as a cached value and isolate that cache to the top-level origin.
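The following is an added example, not code from this PR or from the explainer: a toy user-agent-side model of the two mitigations discussed in the thread, one active top-level origin at a time plus a per-origin cache of PTZ settings that is restored whenever an origin (re)gains the camera. The `applyConstraints`/`getSettings` names mirror the MediaStreamTrack methods only for readability; the origins, default values and the `PtzArbiter` class are assumptions for this illustration.

```javascript
// Added example, not code from the PR or the spec: a toy model of the
// mitigation discussed above. One camera holds the physical PTZ state; the
// user agent (UA) keeps a per-top-level-origin cache of the values each origin
// last applied and lets only one origin drive the camera at a time.
const DEFAULTS = { pan: 0, tilt: 0, zoom: 100 }; // constructed defaults

class PtzArbiter {
  constructor() {
    this.hardware = { ...DEFAULTS }; // what the physical camera is set to
    this.active = null;              // top-level origin currently capturing
    this.cache = new Map();          // origin -> settings it last applied
    this.muted = new Set();          // origins whose tracks are muted
  }

  // A page starts or restarts PTZ capture: the previously active origin is
  // muted (as Safari does, per the thread) and this origin's own cached
  // values are written to the camera before it can observe anything.
  acquire(origin) {
    if (this.active !== null && this.active !== origin) this.muted.add(this.active);
    this.active = origin;
    this.muted.delete(origin);
    this.hardware = { ...this.getSettings(origin) };
  }

  // applyConstraints(): only the active origin may move the camera, and the
  // values are recorded in that origin's private cache.
  applyConstraints(origin, settings) {
    if (this.active !== origin) throw new Error(`${origin} is muted`);
    const next = { ...this.getSettings(origin), ...settings };
    this.cache.set(origin, next);
    this.hardware = { ...next };
  }

  // getSettings(): every origin, active or muted, sees only its own cache.
  getSettings(origin) {
    return { ...(this.cache.get(origin) ?? DEFAULTS) };
  }
}

// Replays the scenario from the thread: A encodes bits in {X, Y, Z}, then B
// starts capturing and reads the PTZ state. Returns what B observes and
// whether A's track got muted. Origins are constructed examples.
function crossOriginProbe() {
  const ua = new PtzArbiter();
  ua.acquire("https://a.example");
  ua.applyConstraints("https://a.example", { pan: 17, tilt: -23, zoom: 131 });
  ua.acquire("https://b.example");
  return { seenByB: ua.getSettings("https://b.example"), aMuted: ua.muted.has("https://a.example") };
}
```

With the cache isolated per origin, B reads back only its own defaults, so the values A wrote carry no information across origins; A's values survive in A's cache and are restored when A regains the camera.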
Does that mean that only the foreground tab gets the actual stream input?
Safari does not automatically mute/unmute when the user switches tabs, but I could see other implementations doing so. This is User Agent land really. The spec could say when to mute (for instance if PTZ capture starts/restarts) and leave the exact unmute heuristic to the User Agent.
@engedy / @andypaicu : Should have a look also.
Maybe out of scope for an explainer, but we can learn from Privacy folks if we can estimate how many entropy bits are added to the fingerprinting vector due to PTZ capability using tools like https://panopticlick.eff.org/
Note that I've started a separate PR for the security section of the PTZ explainer at #232
@riju please merge. One nit: we may want to rename the "fingerprinting" section to "privacy mitigations" in the future.