Cisco Open-Sources H.264 Codec, Pushes WebRTC
-
Originally posted by curaga: Firefox sandboxes nothing. TFA is about Firefox. Therefore the codec does have access to everything you listed, it is a binary running with your user rights.
The fact is that we don't know what kind of access rights this codec will have, because it hasn't been added yet.
-
Originally posted by curaga: The seccomp sandboxes require cooperation. It's entirely possible FF cannot sandbox the codec without a framework such as SELinux or Smack.
You're right that this is speculation. Still, it's such a big hole if it ends up working that way.
This just makes it an unpractical backdoor, and as such, an implausible one.
-
Originally posted by erendorn: Sure, but then you don't need it to be sandboxed everywhere. You need it to be sandboxed/monitored at least once, and see it request at least once a resource that shouldn't be requested based on source, for the backdoor to be detected.
This just makes it an unpractical backdoor, and as such, an implausible one.
Any such backdoor will probably be masqueraded as a bug though.
-
Originally posted by uid313: You cannot monitor it for suspicious behavior when any backdoor may be activated by an unknown sequence that you do not know of.
Any such backdoor will probably be masqueraded as a bug though.
It is still quite unpractical to only target users that have absolutely zero binary programs on their PC but this codec, that actually use this codec (you won't if you have hardware or OS support), that do not have sandboxing/monitoring capabilities, that can be determined separately that they don't have these capabilities, that use VOIP through the web and using this codec, and that communicate things worth listening to directly (not just for metadata) through it.
=> implausible.
Regarding it being masqueraded as a bug, I completely agree, yet they will still have to deactivate it after being caught.