
Blink - Intent to deprecate: Insecure usage of powerful features - robin_reala
https://groups.google.com/a/chromium.org/d/msg/blink-dev/2LXKVWYkOus/gT-ZamfwAKsJ
======
thomasfoster96
Once Let's Encrypt [0] launches, I suppose most web developers won't have any
more excuses not to use HTTPS. It'll be free, pretty easy and quick time-wise,
plus it'll give you an SEO boost.

Browser vendors are certainly doing the right thing by marking http as
non-secure, and not implementing unencrypted http/2 and not allowing
non-HTTPS access to powerful APIs are completely reasonable steps to take.

[0] [https://letsencrypt.org](https://letsencrypt.org)

~~~
psykovsky
If everybody gets an SEO boost, there is no boost. :)

~~~
solaris999
If you want to be pessimistic about it, anyone who doesn't adopt will get an
SEO drop

------
bd
Uhm, I strongly disagree with making fullscreen an https-only feature.

For the WebGL and WebVR community this would be a big step backwards, making
browser applications second-class citizens vs native apps again.

And it's not like there aren't already strong enough protections in place. Try
for example visiting this mock attack site:

[http://feross.org/html5-fullscreen-api-attack/](http://feross.org/html5-fullscreen-api-attack/)

In every browser I tried it was already obviously fake. It already doesn't
work with current security tech:

1) browsers ask for fullscreen permission (with big unmissable dialogs)

2) emulated fake layout is very different from real layout (missing all per-
user specific browser settings, e.g. bookmarks or extension buttons or any
theme customizations, also font rendering looks different)

3) emulated fake browser UI doesn't respond to interactions in the same way as
native UI

~~~
shangxiao
The point of that article was that people don't notice subtle changes,
especially when they're not tech savvy/tired after a long day of work/whatever.
Also someone pointed out in the comments that some people tend to ignore
changes and click on whatever to get to their destination.

~~~
bd
Yes, that's true. But for people who don't notice changes there isn't much
help anyways.

Even much more primitive phishing will still work on them (just think about
those "you have a virus / clean your computer" ads from the past, with images
looking like Windows pop-ups, or remember how those "Nigerian prince" scams
intentionally use broken English to selectively address more gullible folks).

These new proposed security measures will not help those people much, they can
still be phished from within browser tab content rectangle.

Instead these changes will just basically kill a whole class of web applications
for the benefit of a small subset of the population phishable enough with
fullscreen attacks but immune to content rectangle attacks.

-----

BTW recent Lenovo Superfish fiasco has shown us that in fact you can't even
trust native browser security UI elements. Those real UI green locks on https
pages can be as misleading as those JS/HTML generated ones.

I would much more prefer browsers to secure me from known rogue certificates
attacks than from hypothetical hard-to-pull-off fullscreen phishing attacks.

------
jpgvm
Though only tangentially related I do wish EME had been properly shot in the
head.

It's just another Flash that hides behind being "html5" (as if that makes it
all ok). At the end of the day it's proprietary code executing on my machine
that I have little or no control over. It's not just a security risk, it's
also a stability concern and generally a terrible idea.

Copyright enforcement should be left to law, content companies shouldn't be
trying their hand at it. Who knows, maybe if their content didn't come wrapped
in utter crap people might actually part with money for it.

~~~
kevincennis
I view EME as sort of a necessary evil.

There was never any chance that large content companies were going to be okay
with serving unencrypted media over HTTP. So the choices were:

1. No major film or television content on the web

2. The survival of Flash/Silverlight

3. EME

I'm not crazy about any of those choices, but #3 seems the most reasonable.

~~~
lambda
Between these options, 1 seems the most reasonable to me. I refuse to play
along with anyone who thinks that they need to hijack my computer in order to
sell me content. They want my money, they can sell me DRM free content.

~~~
spankalee
Then don't use EME, it's that simple.

------
Danilka
What is going to be the protocol for development environments? Should one deal
with SSL just to quickly test out the code?

What if a service streams video, which requires full screen feature? It takes
quite a bit more compute power to pack it into encrypted connection, and what
if the video is not of any value as a secure content. Why should people be
forced to encrypt and decrypt spending extra power (battery, in case of
portable devices) on it?

SSL does not guarantee security de facto. Also, there is plenty of
personal data that is being passed through non-encrypted connections, which
is way more valuable. If this is an attempt to increase the amount of secure
connections, it is a very inconvenient one. Why not keep giving bonus points
for using it (like higher SEO ranking) rather than making pure HTTP not
usable?

~~~
icebraining
_What if a service streams video, which requires full screen feature? It takes
quite a bit more compute power to pack it into encrypted connection, and what
if the video is not of any value as a secure content. Why should people be
forced to encrypt and decrypt spending extra power (battery, in case of
portable devices) on it?_

Because otherwise a MITM can abuse the fullscreen feature. SSL is a way of
ensuring content integrity, not just privacy.

I do think we should have a way of signing content without mandating
encryption for these use cases, but until we do, HTTPS is the only choice.

~~~
userbinator
_I do think we should have a way of signing content without mandating
encryption for these use cases_

SSL has it, it's just usually disabled by default - null encryption with non-
null MAC.

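For the null-cipher idea above (integrity without confidentiality), here is an added Python example that is not from the thread: it models the non-null MAC half of such a suite with an HMAC over the plaintext, so a passive observer can still read the content, but an on-path change fails verification at the receiver. The key, the content and the tampering are all constructed for the demonstration; the code does not speak TLS.

```python
import hashlib
import hmac
import secrets
from typing import Optional

TAG_LEN = 32  # HMAC-SHA256 output length in bytes


def make_key() -> bytes:
    """Constructed shared key; in TLS it would come out of the handshake."""
    return secrets.token_bytes(32)


def sign_content(key: bytes, content: bytes) -> bytes:
    """Return content || tag. The content itself is sent in the clear."""
    tag = hmac.new(key, content, hashlib.sha256).digest()
    return content + tag


def verify_content(key: bytes, record: bytes) -> Optional[bytes]:
    """Split a record into content and tag; return the content only if the tag verifies."""
    if len(record) < TAG_LEN:
        return None
    content, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(key, content, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(tag, expected):
        return None
    return content


def demo() -> bool:
    """Walk through honest delivery, passive reading and on-path modification."""
    key = make_key()
    original = b"<video src=/cat.webm>"  # constructed sample page content
    record = sign_content(key, original)

    # A passive observer sees the plaintext: this mode gives no privacy.
    assert original in record

    # Honest delivery verifies and yields the content.
    assert verify_content(key, record) == original

    # A constructed on-path modification: the tag no longer matches, so the
    # receiver rejects the record instead of rendering attacker-chosen content.
    tampered = record.replace(b"cat.webm", b"evil.htm")
    assert verify_content(key, tampered) is None
    return True


if __name__ == "__main__":
    print("integrity-only channel demo ok:", demo())
```

The point the example makes is the one icebraining raised: the receiver can detect modification without the content being hidden from anyone, which is exactly what the fullscreen restriction is trying to guarantee against an on-path attacker.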
------
revelation
Bizarre. HTTPS isn't a guarantee that a site is not malicious. It's not like I
could go to a CA and ask them who they signed that cert for and take on any
kind of legal responsiveness. Such is the state of the CA system that they
will give a cert to anyone with access to a domain's MX and some bitcoins.

Instead of this, maybe require there's a user mouse event on the call stack
for things like fullscreen.

~~~
air
The intent is to prevent man-in-the-middle attackers from getting access to
those features.

~~~
arcatek
Why would they need the fullscreen access? I could see the interest for
cookies or local storage, but fullscreen?

~~~
carbocation
So they can pretend to be your entire browser.

------
silon3
Is [http://localhost](http://localhost) / 127.0.0.1 considered secure?

~~~
thomasfoster96
From what I can gather, yes to the former, probably to the latter.

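As an added illustration (not from the thread), this Python function encodes the "potentially trustworthy origin" rule from the W3C Secure Contexts specification, which is the test browsers use to decide whether a page may call these features: https and wss origins, file URLs, the loopback addresses 127.0.0.0/8 and ::1, and the names localhost and *.localhost all qualify, while a plain http origin on any other host does not. Whether a particular browser release already treated 127.0.0.1 that way at the time of this thread is outside what the code shows; it reflects the specification's definition.

```python
import ipaddress
from urllib.parse import urlsplit

# Schemes that are secure by construction (transport is authenticated).
SECURE_SCHEMES = {"https", "wss"}
# Schemes whose insecure form can still be trusted if the host is local.
INSECURE_SCHEMES = {"http", "ws"}


def is_potentially_trustworthy(url: str) -> bool:
    """Return True if the origin of `url` is potentially trustworthy per Secure Contexts."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()

    # Authenticated transport, or a local file, is trustworthy regardless of host.
    if scheme in SECURE_SCHEMES or scheme == "file":
        return True
    if scheme not in INSECURE_SCHEMES:
        return False

    # For http/ws the host must be local. `hostname` is lowercased and has
    # IPv6 brackets already stripped, so "[::1]" arrives here as "::1".
    host = parts.hostname or ""
    if host == "localhost" or host.endswith(".localhost"):
        return True

    # Numeric hosts: only loopback (127.0.0.0/8 or ::1) qualifies.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a non-local DNS name over plain http
    return addr.is_loopback


if __name__ == "__main__":
    for u in ("http://localhost:8080/", "http://127.0.0.1/", "http://[::1]/",
              "http://example.com/", "https://example.com/"):
        print(f"{u:28} -> {is_potentially_trustworthy(u)}")
```

Note that the rule looks at the origin's host literally: a DNS name that merely resolves to 127.0.0.1 is not accepted over http, which is why local development typically uses `localhost` or the loopback address directly rather than a custom hostname.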
------
hayksaakian
I wonder how many "internet of things" things will stop working due to these
changes.

~~~
sleepychu
Aren't IOT typically servers not clients? I can't imagine their pages require
access to powerful APIs.

~~~
revelation
The word has been mangled to the point of no recognition, but for low power
applications you would want the IOT device to be a client pushing when changes
occur.

------
jbb555
Basically they are destroying the simplicity of the internet in order to push
their own agenda. I'd get annoyed about it, but it's not going to be long
before it all collapses under its own weight and something new and
lightweight turns up to take over from what http used to be good for.

~~~
fpgeek
Did you even look at the kinds of attacks that motivate these restrictions
before concluding that there was a nefarious agenda at work?

I took a look at a Fullscreen API attack
([http://feross.org/html5-fullscreen-api-attack/](http://feross.org/html5-fullscreen-api-attack/))
and found it pretty creepy even though I knew exactly what to expect and what
to look for. Tighter controls over that sort of thing seem like a great idea
to me.

~~~
ldng
Maybe I'm dense but I don't see how requiring HTTPS would solve phishing
attacks. To me it falls in the social engineering realm, people clicking links
in their mail that they really should not. Having an extra 's' in the URL will
not change that. Am I missing the point?

~~~
organsnyder
Here's the scenario they're trying to prevent:

1. Bob often views videos on YouTube, so he grants youtube.com permanent
access to the fullscreen API.

2. Eve runs an open wifi AP near a coffee shop. The AP includes a proxy
server that redirects youtube.com requests to Eve's own server.

3. Bob connects to Eve's AP. When he goes to youtube.com, he instead gets a
response from Eve's server, which is designed to imitate a full desktop
environment. Since Bob has already given youtube.com access to the fullscreen
API, the browser grants Eve's site fullscreen rights without notifying Bob.

~~~
ldng
Ok. Here I can see the problem. That said, does this really happen that
much? Shouldn't we educate on open wifi instead?

My point is HTTPS has a cost and is a barrier of entry, the trade off isn't
always worth it, IMHO.

~~~
icebraining
Open Wifi is not necessarily the problem. An AP with a shared password (99% of
them) is also vulnerable, if the attacker also has a password. It's not
reasonable to expect people to never use YouTube on public WiFi hotspots.

And the cost of HTTPS is pretty low nowadays. Cloudflare even offers it on
their free plan, and it doesn't require you to set it up on your own server.

~~~
ldng
Do you really need to secure YouTube viewing on public WiFi hotspots?
Unless you want to sell DRM movies, I don't see the need for HTTPS here.
Unless you want privacy on a public network. But we're not talking about
security anymore.

So you're suggesting trading a potential MitM for an official Cloudflare
MitM? :)

It is not only about a money cost, it is also about a complexity cost and
false sense of security. HTTPS is not the be-all and the end-all of security.
Just a step to security, if/when you need it.

I'm not arguing HTTPS is not needed. I'm the first to push for when needed.
But it is not needed for watching cat videos, sorry.

~~~
nknighthb
> _Do you really need to secure Youtube viewing on a public WiFi hotspots ?_

This suggests you did not, in fact, see the problem. The attacker in this
scenario is not limited to replacing YouTube videos. They can make _anything
they want_ appear on the user's screen, including things like a Google login
page, or even a bank login page.

~~~
ldng
You're probably right, I am not a security expert and might not be seeing the
whole picture. You log into your bank website connected to an open WiFi
hotspot? I never would do that. I think there is a point where you have to
apply common sense.

I do not care about the downvote, my opinion is what it is and I maintain my
position. As I see it (me not being a field expert), HTTPS Everywhere will not
save the world. You will still have people connecting to the wrongly spelled
site (HTTPS or not). Some will even have a false sense of security which would
be counter-productive.

I access my through HTTPS explicitly typing the URL. My bank asks for
confirmation out of band for every dangerous action (by SMS). IMHO, one should
be educated to take the necessary precautions. In Europe, banks have to cover
fraud; the positive side effect is that some banks started to educate users on
security (it's cheaper!). I don't know how it is in the rest of the world.

Just to be clear, I am not against HTTPS where it makes sense. I am against
HTTPS everywhere as the only security measure. Because that's what it will
come to, "We have HTTPS so we're good, security checkbox ticked". That is not,
IMHO, a good way of thinking about security.

I guess my point is HTTPS everywhere is not the solution and we should
rather/also educate better/more on the risks of the Internet.

That said, I wouldn't mind being pointed at a screencast/video (on youtube
;-)) showing how the scenario you refer to would unfold.

~~~
nknighthb
> _You log into your bank website connected to an open WiFi hotspot? I never
> would do that._

Many people do that, and it's quite safe to do so with a modern browser. Were
it not, it would not be safe to do so in _any_ context, because man-in-the-
middle attacks are possible on any connection, just extra easy on wifi.

> _I think there is a point where you have to apply common sense._

As you are demonstrating quite well here, "common" sense is not good sense. It
is stopping you from doing things which are safe, and making you advocate for
things which are unsafe.

> _I access my through HTTPS explicitly typing the URL._

You would be typing the URL into the equivalent of a remote desktop session.
That is what you're not understanding.

> _My bank ask confirmation out of band for every dangerous action (by SMS)._

1) Most banks do not do that.

2) SMS is not a secure channel.

3) Banks are not the only target (again, google/gmail accounts are another
good example).

4) Even if they could not transfer funds, they would now have a great deal of
information about your finances right on their screen.

> _In Europe, banks have to cover frauds_

They mostly do in the US, too. This makes consumers less likely to care about
security.

> _I am against HTTPS everywhere as the only security measure._

No one has advocated that. If you think they have, you have become very
confused.

~~~
ldng
> As you are demonstrating quite well here, "common" sense is not good sense.
> It is stopping you from doing things which are safe, and making you advocate
> for things which are unsafe.

Now you're misrepresenting what I'm saying. I'm not saying to not use HTTPS
when it is needed. I am saying it is not enough. That you argue that HTTPS is
mandatory because you want to do your banking on an open wifi hotspot baffles
me. You should not be doing banking on an open WiFi hotspot. PERIOD. I also
say putting HTTPS everywhere does not help as much as you think. I am _not_
saying HTTPS is a bad thing. HTTPS is not a substitute for caution.

> You would be typing the URL into the equivalent of a remote desktop session.
> That is what you're not understanding.

For that to happen the phishing server would have to draw a browser shell (ok,
feasible), my list of tabs (still doable) and my "OS" taskbar/menubar; that
is not possible today. I would even argue it would be harder to mimic the
'outsides' of the browser than to present a fake website. Websites change all
the time and people don't pay as much attention. Robbers prefer easy targets.

I'm not saying there are no such phishing sites but I have yet to see one
crafted with such attention to detail (which I think is not possible anyway).
Most of those I have seen are not very elaborate. And it does not matter.
They feel/look secure enough. HTTPS or not.

>> My bank ask confirmation out of band for every dangerous action (by SMS).

> 1) Most banks do not do that.

> 2) SMS is not a secure channel.

SMS is not a secured channel. True. But it is a _different_ channel and that
is the point. Most banks don't do that but they should.

> 3) Banks are not the only target (again, google/gmail accounts are another
> good example).

Yes, and not connecting to those sites on an open WiFi hotspot is still a good
practice. Again, HTTPS or not.

~~~
nknighthb
> _and my "OS" taskbar/menubar, that, is not possible today_

Please articulate why you do not believe that is possible.

> _Yes, and not connecting to those site on an open WiFi hotspot is still a
> good practice. Again, HTTPS or not._

Please articulate why you believe that is good practice.

Don't say "common sense". State the underlying basis of your belief.

And finally, please explain why, even if everything you believe is accurate,
it is somehow a negative thing to prevent attacks from being carried out on
users who do not share your beliefs and paranoia. Social darwinism?

Actually, one more: Even if no one did any of these things on open wifi, they
would still be vulnerable to these attacks, since every internet connection is
vulnerable, so please explain why protecting people who do share your beliefs
is a bad idea.

Nope, still got another: I travel for work with some frequency, including
internationally. When doing so, frequently my _only available option_ is open
wifi. Please explain why my livelihood should be destroyed because you, an
admitted non-expert, believe using open wifi is a bad idea?

Oh, hey, yet another: Please explain why, even if doing these things were
unsafe now, you oppose efforts to make them safe!

