
Camera and microphone require HTTPS in Firefox 68 - johnnyRose
https://blog.mozilla.org/webrtc/camera-microphone-require-https-in-firefox-68/
======
petters
It will still work on localhost, which is nice. It would be nice if it also
worked on local IPs, like 192.168.*.*. Those do not work on Chrome, I think,
which makes mobile testing a bit more cumbersome.

~~~
varenc
For local development, Chrome has a flag that lets you force specific origins
to be treated as secure:

    chrome://flags/#unsafely-treat-insecure-origin-as-secure

I don't think Firefox has anything equivalent though? This bug on the topic is
unassigned:
[https://bugzilla.mozilla.org/show_bug.cgi?id=1410365](https://bugzilla.mozilla.org/show_bug.cgi?id=1410365)

~~~
aaronharnly
Interesting! Though I find that behaves rather strangely – seems to clear
itself on every launch.

~~~
varenc
Yea that's annoying, but I believe that's intentional... you can pass that
flag in as an arg when you launch chrome though so you don't have to set it up
each time.

------
vinay_ys
In general, I'm NOT happy with how camera/microphone, GPS and sensors like
Gyro/accel/magnetometers and beacons (radio/wifi/bluetooth/nfc), screen
size/resolution, battery level, hardware port identifiers etc are accessed by
any website or app on my laptop/phone.

This developed over the years without any input or choice from the end-user.
The device manufacturers, platform owners (Apple, Google, Microsoft, Mozilla)
and app developers joined together and forced this surveillance apparatus on
all end-users.

This power balance has to change.

~~~
chii
There's no problem with having the capability in a web app. It's only a
problem if those capabilities are not consented to by the user first.

~~~
vinay_ys
There is definitely no problem in having the capabilities in the hardware. But
appropriate assured controls should have been built and provided to the end-
user. The challenge is these controls are not in hardware-switch-esque form.
They are left to the whims and fancies of individual apps. That blame goes to
platforms.

------
asark
Dear Apple: for Christmas I'd like physical, no-bullshit power shutoff
switches for your camera and microphone on the Macbook Pro. Other devices
too—if you can manage it, that'd be great. Sincerely, the people who put tape
over their cameras, the people who don't because it's ugly and messes with
closing the lid but wish they could, and the people who would be in one of
those two camps if they understood the risk (so, altogether, 100% of your
users).

~~~
asdfasgasdgasdg
I think I understand the risk, and I definitely would not bother with such a
switch even were it available. So maybe I actually don't understand it.

What exactly _is_ the risk? Have there been any _actual_ cases of someone
being spied on with their laptop webcam that would have been prevented by a
switch? I'm only aware of cases where the webcam switch would not have helped
(e.g. roommate sets up notebook to record owner naked). Even that is
incredibly rare, or if not rare, almost never reported.

~~~
packet_nerd
A quick search seems to turn up quite a few examples of webcam spying. I'd
love to see actual numbers, but it doesn't seem to be "incredibly rare".

[https://www.dailymail.co.uk/sciencetech/article-5228017/Hack...](https://www.dailymail.co.uk/sciencetech/article-5228017/Hackers-using-webcams-turn-people-slaves.html)

[https://www.dailymail.co.uk/news/article-2638874/More-90-peo...](https://www.dailymail.co.uk/news/article-2638874/More-90-people-nabbed-creepware-hacker-sting-victim-Miss-Teen-USA-describes-terror-watched-webcam-YEAR.html)

[https://globalnews.ca/news/2158281/what-you-need-to-know-abo...](https://globalnews.ca/news/2158281/what-you-need-to-know-about-webcam-hacking-and-how-to-prevent-it/)

[https://www.telegraph.co.uk/technology/news/10131456/Hackers...](https://www.telegraph.co.uk/technology/news/10131456/Hackers-using-webcams-to-spy-on-women-in-their-homes.html)

This site claims a guy made a business selling software to hack and remotely
control webcams, complete with paid employees and $350,000 in income:

[https://www.welivesecurity.com/2015/04/21/webcam-hacking/](https://www.welivesecurity.com/2015/04/21/webcam-hacking/)

~~~
asdfasgasdgasdg
OK. That has caused me to update my beliefs. I still think that there is
relatively little risk -- like, you should be much more worried about being in
a car accident -- but I no longer think it's on par with being struck by
lightning.

~~~
outworlder
Why would this be of little risk? The good thing about software is that it is
automatable. That's also the bad thing.

Create a malware (which due to some big company fuckups can be even embedded
in a webpage these days). Capture frames indiscriminately. Add some image
recognition algorithms (from OCR to machine learning, depending on what you
want to do) to flag interesting hits.

Voila. Massive dragnet. Applications can range from simple blackmail (a-la
Black Mirror) to industrial espionage.

~~~
asdfasgasdgasdg
I'm not saying I can't picture it. Just saying it doesn't seem likely to
happen on a large scale basis.

~~~
packet_nerd
I get what you're saying, that the personal risk is low, especially compared
with say driving or heart disease. Heck, I'm a middle aged heavy guy and
couldn't care less who sees my nudes.

But, I believe we (as technologists) have a responsibility to use and push for
strong security practices. I don't want my kids to grow up in a world where
creeps blackmailing them through their webcams is a possibility, or where a
rogue politician has all the tools of absolute authoritarianism already set up
and waiting for him.

A camera cover is a huge win. It's super easy and cheap (a piece of plastic),
it's easy to understand (entirely mechanical), it works 100% when used, and
its failure modes are obvious. Not all security controls are cheap, easy, and
100% effective, but this one is. And if you don't bother to use it in your
bedroom, then that's fine, but every webcam should have one.

------
marknadal
This sucks, my community[1] has a local offline-first video/audio call app
that we run on a physical mesh network.

This will make it impossible for people to talk to each other, without first
needing to be connected online to some certificate authority, or without some
extraordinarily difficult pre-installation process, which is often not even
possible on a phone.

HTTPS was important, but now it's being used to shoehorn dependency on
centralized online-only authority. Perfectly ripe to censor anyone.

1. [https://gitter.im/amark/gun](https://gitter.im/amark/gun)

~~~
comex
A browser doesn't need to connect to the certificate authority to validate a
cert; only the server hosting the app 'needs' to be online (at least long
enough to obtain a signed certificate every so often).

The bigger problem is that there has to be a single server hosting the app in
the first place, which IMO is a severe flaw in the Web's architecture. But
this change doesn't really make the situation worse.

~~~
marknadal
Subnet IPs are always different tho. Can I really get a cert for all subnet
addresses? That'd be awesome! Please please educate me.

I want to be clear though, I need it so that the user doesn't have to install
the cert themselves, or have to be online to approve.

Previously, a user would connect to the local wireless network, then the
router would open them up to a directory listing of the local apps available
on the network (like the video/audio call), they click the link (just points
to the dynamic subnet IP of a static file server) to load the offline HTML
page which then connects to call anyone in the network, including users on
neighbor and neighbor-of-neighbors routers.

Basically our own decentralized telecom!

~~~
shkkmo
I'm not familiar with this exact setup, but I am assuming you have full
control over the router software, but want to limit any installation or
configuration of either the browser's computer or the local network
fileservers.

> Subnet IPs are always different tho. Can I really get a cert for all subnet
> addresses?

SSL certs don't usually have anything to do with the IP address, that is
usually handled by the hosts file / DNS entries.

There is no reason the non-profit can't get a domain and a free SSL cert and
distribute that cert and its private key with the router software as a
default while allowing admins to install/configure their own domain and SSL
cert.

The router can then MITM all requests to that domain using an SSL termination
proxy for the file server.

~~~
marknadal
Correct.

Probably can even configure local network file servers, but better if not.

If we don't ever need to use domains in the mesh (we have a separate directory
/ search system).

Wait, I only have to have the certs locally (offline) on the routers?

Ahh, hmm, cause you're saying I could MITM it. But Browsers (especially on
mobile) all usually freak out when they go to `https://subnetIPaddress` saying
"your connection is not private" "back to safety" every single time, with
freakishly small "proceed anyways" links on mobile. Either way, mobile or not,
this warning totally just trashes the experience. How do I fix that?

Or you're saying they still type in the domain? But doesn't that require
existing internet to then go through? Or you're saying, router still MITM
that, but happens to have matching private key, so then it is able to locally
(offline) proxy the traffic into the mesh? Hmmmmmmmmmmm!!!! This might be very
helpful. Sucks we still have to buy certs to run our own offline system - who
has the longest certs? (Let's Encrypt is like only 3 months?)

Super thanks to everyone for helping us!

~~~
rswail
You won't have to buy certs from LetsEncrypt, they're provided free. So you'd
have to have an external DNS that allows you to provision DNS records for
mymesh.example.com and request a wildcard certificate for that domain.

The script is automated and will ensure that the certificate is always up to
date.

Inside the mesh you would need:

* Have an internal DNS that resolves myserver.mymesh.example.com to an internal IP address

* Distribute the private key and certificate to the internal servers of your mesh.

* Have the browsers/clients of your mesh use the DNS names instead of raw IP addresses. So users would have to learn to go to [https://myserver.mymesh.example.com](https://myserver.mymesh.example.com) instead of [https://a.b.c.d](https://a.b.c.d)

What you will need to do is have an internal DNS server that resolves
"myserver.mymesh.example.com" to an internal IP address. The server would use
the *.mymesh.example.com private key and cert.

~~~
comex
To further clarify, running an internal DNS server doesn't require a MitM, as
the DNS server address for a network is generally supplied as part of DHCP.
(There is one reason you _might_ want to do a MitM, but I really don't
recommend it. Namely, some people change their settings to ignore the DHCP-
supplied DNS server and hardcode an address, e.g. 8.8.8.8, which they would
fail to reach if the network isn't connected to the Internet. In theory you
could work around the issue by redirecting such traffic to your own DNS
server.)

As for longest certs, the CA/Browser Forum Baseline Requirements (which all
CAs have to follow) specify a maximum validity period of 825 days, or a little
over 2 years. You should be able to find CAs offering certs with that period.
(Why such a specific number? I have no idea.)

~~~
shkkmo
It is true, instead of MITMing the HTTP request, you can MITM the DNS request.
The issue then is that you need to distribute and configure the private key
and certificate on all the static file servers rather than just on the router
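Added example, not part of the thread: a simplified sketch of the name check a browser applies to the wildcard certificate discussed above, showing why `https://myserver.mymesh.example.com` validates while a raw subnet IP does not. The `DNS:`/`IP:` entry format, the function names and the sample hosts are constructed for illustration.

```javascript
// Constructed sample: SAN entries of the wildcard certificate from the thread.
const MESH_CERT_SANS = ['DNS:*.mymesh.example.com'];

// IPv4 dotted quad or anything containing ':' (IPv6) counts as an IP literal.
const isIpLiteral = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(':');

// True when one SAN entry covers the host the user typed.
function certCoversHost(sans, host) {
  const name = host.toLowerCase().replace(/^\[|\]$/g, '').replace(/\.$/, '');
  if (isIpLiteral(name)) {
    // IP literals are compared only with IP entries, never with DNS
    // wildcards, so a DNS-only certificate cannot cover a subnet address.
    return sans.some((s) => s.startsWith('IP:') && s.slice(3).toLowerCase() === name);
  }
  const labels = name.split('.');
  return sans.some((s) => {
    if (!s.startsWith('DNS:')) return false;
    const pattern = s.slice(4).toLowerCase().split('.');
    // '*' stands for exactly one left-most label, so label counts must match.
    if (pattern.length !== labels.length) return false;
    return pattern.every((p, i) => (i === 0 && p === '*') || p === labels[i]);
  });
}

// Returns the URLs that would show a certificate name-mismatch warning.
function urlsWithNameMismatch(urls, sans = MESH_CERT_SANS) {
  return urls.filter((u) => !certCoversHost(sans, new URL(u).hostname));
}

// Constructed sample links a mesh directory page might hand out.
const SAMPLE_LINKS = [
  'https://myserver.mymesh.example.com/call.html',
  'https://192.168.1.10/call.html',
  'https://a.b.mymesh.example.com/',
  'https://mymesh.example.com/',
];
console.log(urlsWithNameMismatch(SAMPLE_LINKS));
```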

------
anilakar
Does anyone still remember the times when MSIE actually warned you if you were
POSTing anything over an unencrypted connection?

~~~
d33
Yes and it basically showed how it doesn't work. Applications were designed
around the assumption that the user would click through the warnings. It looks
like Firefox and Chromium are doing far better by restricting features to SSL,
though I would be happier if they were also trying to push something more
resistant to nation-state abuse...

------
progval
This page's content is in a div named "mobile-pusher" with a _400px_ padding-
right, which then gets disabled when loading a JS script from a third-party
domain (ffp4g1ylyit3jdyti1hqcvtb-wpengine.netdna-ssl.com). wtf?

~~~
indalo
that's wpengine's cdn, most likely the host of the blog.

~~~
rolltiide
It's funny how everyone feels empowered to be a digital sleuth these days but
makes ridiculous conclusions with the same material everyone else has

~~~
Dylan16807
"wtf?" is not a ridiculous conclusion.

------
spaceribs
Love it, although I'm sure you can still send video/audio in non-encrypted
ways right?

------
Traubenfuchs
This is very annoying for development in my eyes.

What is the preferred way to include https in your development flow? Have an
nginx or apache running? What about automated tests against a running
application?

~~~
roblabla
localhost is considered "secure" and doesn't need https - this can be used by
most development and automated testing flows. For remote development, I tend
to set up a caddy server which makes it very easy to get an SSL certificate.

This is still mildly annoying.
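Added example, not part of the thread: an approximation of the "potentially trustworthy origin" test from the W3C Secure Contexts spec, which is what makes `localhost` work over plain HTTP while a `192.168.*.*` address does not. The function names and sample URLs are constructed; real browsers apply further rules (for example for `file:` URLs and framed content) that this sketch leaves out.

```javascript
// Decides whether an origin would be treated as a secure context, which
// gates camera/microphone access (navigator.mediaDevices.getUserMedia).
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparsable origin: treat as insecure
  }
  // Authenticated, encrypted transports are always accepted.
  if (url.protocol === 'https:' || url.protocol === 'wss:') return true;

  // URL keeps brackets around IPv6 hosts; strip them and any trailing dot.
  const host = url.hostname.replace(/^\[|\]$/g, '').replace(/\.$/, '').toLowerCase();

  // Loopback literals: 127.0.0.0/8 and ::1 never leave the machine.
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host) || host === '::1') return true;

  // localhost names are expected to resolve to loopback.
  if (host === 'localhost' || host.endsWith('.localhost')) return true;

  // Everything else over plain HTTP, including private LAN ranges.
  return false;
}

// Returns the test/dev URLs on which capture would be unavailable.
function originsWithoutCapture(urls) {
  return urls.filter((u) => !isPotentiallyTrustworthy(u));
}

// Constructed sample: URLs a dev or mobile-testing setup might use.
const SAMPLE_DEV_URLS = [
  'http://localhost:3000/',
  'http://127.0.0.1:8080/',
  'http://[::1]:8080/',
  'http://192.168.1.20:3000/',
  'http://devbox.lan:3000/',
  'https://staging.example.com/',
];
console.log(originsWithoutCapture(SAMPLE_DEV_URLS));
```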

------
jeffk_teh_haxor
What took them so long?

------
lightedman
They can't even get firefox to properly load (let alone let me pick) all 10 of
my webcams.

How about making that work, first?

------
user17843
Chrome has been doing it since around 2016, it seems.

------
idlewords
In Firefox 73, they'll require consent!

~~~
minitech
They already require consent. You probably know that. Not sure what the joke
is.

