Re: WebAPI Security Discussion: Web Bluetooth API


Paul Theriault
Final call for comments on this API. Please reply to [hidden email] before COB Jun 4.



On Thursday, 10 May 2012 04:31:31 UTC+10, Lucas Adamski wrote:

> Please reply-to [hidden email]
>
> Name of API: Web Bluetooth API
> Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=674737
> https://wiki.mozilla.org/WebAPI/WebBluetooth
>
> Brief purpose of API: The aim of WebBluetooth is to establish a DOM API to set up and communicate with Bluetooth devices. This includes setting properties on adapters and devices, scanning for devices, bonding, and socket initialization for audio and communication.
>
> General Use Cases:
>
> Inherent threats: Privacy, access to sensitive user devices, de-anonymization based on Bluetooth state
>
> Threat severity: high
>
> == Regular web content (unauthenticated) ==
> Use cases: None
> Authorization model for normal content: None
> Authorization model for installed content: None
> Potential mitigations:
>
> == Trusted (authenticated by publisher) ==
> Use cases: None
> Authorization model: None
> Potential mitigations:
>
> == Certified (vouched for by trusted 3rd party) ==
> Use cases:
> Read Bluetooth adapter state
> Start/Stop device discovery
> List discovered devices
> Pair with device
> Authorization model: Implicit
> Potential mitigations: Status indicator showing active Bluetooth connection, user can click the status indicator to cancel the connection. Any limit on types of devices?
>
> Notes: Non-certified use cases are out of scope for 1.0.  We will consider those for a subsequent release.

_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security