Re: WebAPI Security Discussion: Web Bluetooth API

Paul Theriault
Final call for comments on this API. Please reply to [hidden email] before COB Jun 4.

On Thursday, 10 May 2012 04:31:31 UTC+10, Lucas Adamski wrote:

> Please reply-to [hidden email]
> Name of API: Web Bluetooth API
> Reference:
> Brief purpose of API: The aim of WebBluetooth is to establish a DOM API to set up and communicate with Bluetooth devices. This includes setting properties on adapters and devices, scanning for devices, bonding, and socket initialization for audio and communication.
> General Use Cases:
> Inherent threats: Privacy, access to sensitive user devices, de-anonymization based on Bluetooth state
> Threat severity: high
> == Regular web content (unauthenticated) ==
> Use cases: None
> Authorization model for normal content: None
> Authorization model for installed content: None
> Potential mitigations:
> == Trusted (authenticated by publisher) ==
> Use cases: None
> Authorization model: None
> Potential mitigations:
> == Certified (vouched for by trusted 3rd party) ==
> Use cases:
> Read Bluetooth adapter state
> Start/Stop device discovery
> List discovered devices
> Pair with device
> Authorization model: Implicit
> Potential mitigations: Status indicator showing active Bluetooth connection, user can click the status indicator to cancel the connection. Any limit on types of devices?
> Notes: Non-certified use cases are out of scope for 1.0. We will consider those for a subsequent release.

dev-security mailing list
[hidden email]