On 3/10/15 8:05 AM, Aryeh Gregor wrote:
> So the mitigation applies when:
>
> 1) Some users have already persisted the permission for the site.
>
> 2) The site asks for the permission either predictably or infrequently
> enough that the user is not conditioned to just click "yes" every time
> anyway.

The mitigation applies in this situation:

1)  User connects to a MITMed network (e.g. wireless at the airport or
    coffeeshop or whatever) which I will henceforth call "the attacker".
2)  No matter what site the user loads, the attacker injects a hidden
    iframe claiming to be from hostname X that the user has granted a
    persistent permissions grant to.
3)  The attacker now turns on the camera/microphone/whatever.

> A limitation on the mitigation is that if the site asks for the
> permission during regular use, the attacker could just make sure that
> their permissions request appears at that time, and the user would
> click "yes" because they expect the request at that time anyway.
> However, this would require the attacker to do some more work, and
> would only work some of the time (if the site is expected to ask for
> the permission during the MITM'd session).

Right, and only work if the user loads such a site themselves on that network. If I load cnn.com and get a popup asking whether Google Hangouts can turn on my camera, I'd get a bit suspicious... (though I bet a lot of people would just click through anyway).

> "Switch to HTTPS" is not a reasonable solution.

Why not?

> Another point to make is that whenever the site actually requests the
> info legitimately (takes a picture, gets geolocation info, etc.), even
> a passive MITM could steal the info anyway.

Yes, see my attack scenario above.

> I definitely think that there is no basis at all for disabling pop-up
> permissions or other things that only affect user convenience.

I agree.

-Boris
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform