Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
WebAPI Security Discussion: Web Bluetooth API
26 views
Skip to first unread message
Lucas Adamski
May 9, 2012, 2:31:31 PM5/9/12
to dev-w...@lists.mozilla.org, dev-w...@lists.mozilla.org, dev-se...@lists.mozilla.org, dev-b2g
Please reply-to dev-w...@lists.mozilla.org
Name of API: Web Bluetooth API
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=674737
https://wiki.mozilla.org/WebAPI/WebBluetooth
Brief purpose of API: The aim of WebBluetooth is to establish a DOM API to set up and communicate with Bluetooth devices. This includes setting properties on adapters and devices, scanning for devices, bonding, and socket initialization for audio and communication.
General Use Cases:
Inherent threats: Privacy, access to sensitive user devices, de-anonimization based on bluetooth state
Threat severity: high
== Regular web content (unauthenticated) ==
Use cases: None
Authorization model for normal content: None
Authorization model for installed content: None
Potential mitigations:
== Trusted (authenticated by publisher) ==
Use cases: None
Authorization model: None
Potential mitigations:
== Certified (vouched for by trusted 3rd party) ==
Use cases:
Read bluetooth adapter state
Start/Stop device discovery
List discoverd devices
Pair with device
Authorization model: Implicit
Potential mitigations: Status indicator showing active bluetooth connection, user can click the status indicator to cancel the connection. Any limit on types of devices?
Notes: Non-certified use cases are out of scope for 1.0. We will consider those for a subsequent release.
Name of API: Web Bluetooth API
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=674737
https://wiki.mozilla.org/WebAPI/WebBluetooth
Brief purpose of API: The aim of WebBluetooth is to establish a DOM API to set up and communicate with Bluetooth devices. This includes setting properties on adapters and devices, scanning for devices, bonding, and socket initialization for audio and communication.
General Use Cases:
Inherent threats: Privacy, access to sensitive user devices, de-anonimization based on bluetooth state
Threat severity: high
== Regular web content (unauthenticated) ==
Use cases: None
Authorization model for normal content: None
Authorization model for installed content: None
Potential mitigations:
== Trusted (authenticated by publisher) ==
Use cases: None
Authorization model: None
Potential mitigations:
== Certified (vouched for by trusted 3rd party) ==
Use cases:
Read bluetooth adapter state
Start/Stop device discovery
List discoverd devices
Pair with device
Authorization model: Implicit
Potential mitigations: Status indicator showing active bluetooth connection, user can click the status indicator to cancel the connection. Any limit on types of devices?
Notes: Non-certified use cases are out of scope for 1.0. We will consider those for a subsequent release.
pther...@mozilla.com
Jun 4, 2012, 1:40:37 AM6/4/12
to mozilla.d...@googlegroups.com, dev-w...@lists.mozilla.org, dev-w...@lists.mozilla.org, dev-se...@lists.mozilla.org, dev-b2g
pther...@mozilla.com
Jun 4, 2012, 1:40:37 AM6/4/12
to mozilla-d...@lists.mozilla.org, dev-w...@lists.mozilla.org, dev-w...@lists.mozilla.org, dev-se...@lists.mozilla.org, dev-b2g
Final call for comments on this API. Please reply to dev-w...@lists.mozilla.org before COB Jun 4.
On Thursday, 10 May 2012 04:31:31 UTC+10, Lucas Adamski wrote:
On Thursday, 10 May 2012 04:31:31 UTC+10, Lucas Adamski wrote:
0 new messages