wser-to-browsers calls, especially
with untrusted JS code.
(Note that the Threat Model for rtcweb (IETF's part of WebRTC) is the JS
code is untrusted and may be evil or compromised; see the IETF security
drafts for rtcweb for details.)
--
Randell Jesup, Mozilla Corp
remove ".news"
to a "safe" implementation, and if it was "safe"
users would probably hate it.
If they can be made to work... then maybe I can be convinced. I'm less
enamoured of them than I was back then. No matter how many you try to
think of, there will be uses that don't fit your
ach call, and
app developers will not want to have "fixed" call/end buttons they can't
style (and I don't think this works anyways).
This *is* a dangerous ability to give, though it's equivalent to what
users grant Skype or WebEx or Hangouts already by installing them
(perhaps less, actually).
--
Randell Jesup, Mozilla Corporation
Remove ".news" for personal email
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
ther tab or
window, and perhaps in the system tray as well - and this requirement is
especially problematic for mobile apps.)
--
Randell Jesup, Mozilla Corporation
Remove ".news" for personal email
ould also note that WebRTC is trying to make a minimum set of
security requirements, though it leaves the mechanism and UIs up to the
browser. See http://tools.ietf.org/html/draft-ietf-rtcweb-security-02
--
Randell Jesup, Mozilla Corporation
Remove ".news" for personal email
ory issues are quite different from
country to country.
--
Randell Jesup, Mozilla Corp
remove ".news" for personal email
he issues and some possible solutions (leveraging
cross-origin controls) are detailed in my slides here:
http://www.ietf.org/proceedings/interim/2012/01/31/rtcweb/slides/rtcweb-2.pdf
My apologies for complicating the issue, but we need the solution for
image/video capture to not box in the de
ted it, and with a timeout they have little time to
read it, or to consider, or to see if they should trust (check online
resources about "is this app trustworthy?"), etc.
--
Randell Jesup, Mozilla Corp
remove ".news" for personal email
ive, though it's equivalent to what
users grant Skype or WebEx or Hangouts already by installing them
(perhaps less, actually).
--
Randell Jesup
randell-i...@jesup.org
in conversation:
>
>1. There is a regulatory frame around E-911 that we need to understand.
> Do we need to indicate, through the API, that a device can be used
> for 911 calls but not other calls?
And don't forget that the regulatory issues are quite different from
country to countr
ss-origin controls) are detailed in my slides here:
http://www.ietf.org/proceedings/interim/2012/01/31/rtcweb/slides/rtcweb-2.pdf
My apologies for complicating the issue, but we need the solution for
image/video capture to not box in the design for WebRTC.
--
Randell Jesup, Mozilla Corp
e time to
read it, or to consider, or to see if they should trust (check online
resources about "is this app trustworthy?"), etc.
--
Randell Jesup, Mozilla Corp