Google and Mozilla told to limit browser's ability to watch users
Browser makers need to make it clearer to users when web sites and apps are watching and listening to them, European security researchers have warned.
At present Chrome and Firefox rely on "coarse permissions" when granting sites access to users' camera and microphones for communications via WebRTC, said researchers from EU-funded group Strews.
"The browsers only provide coarse permissions, but ask for them at the start of a specific application, which may lead the user to believe he has given a specific permission, when in fact he has given a wide-ranging permission," they write in the report.
"The permissions are for a server, so if the same server offers another, malicious application and the user can be tricked into opening it, it will have access to the camera and microphone automatically."
WebRTC allows video chat to be built into web sites and apps without using plug-ins and analyst house Gartner predicts it will "significantly disrupt" the voice services market in the coming years.
Sites and applications using WebRTC will retain permission to access the microphone and camera until the browser is closed in Firefox and, if the page was served via HTTP, in Chrome - the report states.
The researchers fear the way these permissions are granted provides scope for a user to be monitored without their knowing, particularly on a tablet or phone where apps are running in the background.
"On a mobile device it may not be so clear when the browser is running or how to stop it. Thus the user may have stopped a web app (closed the window or swiped away the "card"), but the browser may actually still be running and the permission is still in force," the report states.
Chrome will grant permanent permission to sites and apps to access the mic and camera if the web page was served over HTTPS, a prospect that again concerns the researchers.
"In the case of Chrome, the permissions are permanent (if the application is downloaded over an HTTPS link) and thus are still in force when the user comes back later to use the application again. The application might have evolved into something the user doesn't like, or the domain name may have changed hands and the application replaced by a very different one."
The report also highlights the benefits of WebRTC for those concerned about what it calls "pervasive monitoring", in that it allows for direct communications between browsers and these communications are encrypted by default, via Datagram Transport Layer Security (DTLS).
However, it feels the permissions model in Chrome and Firefox are permissive enough as to be open to abuse.
"If...you are more concerned with individuals having freedom from pervasive monitoring then you might be concerned about WebRTC as it will mean that browsers by default will include the capability to listen and watch users, and a permissions model that is very likely to not be understood by many users," it states.
"In addition, WebRTC media, though protected via DTLS will often not be sent between two browsers only but between a browser and one or more servers, at which servers all the usual LI (Legal Intercept) taps can be implemented."
Also, while WebRTC is designed to allow for direct browser-to-browser communication, which browser the user's video and audio will be sent to is determined server-side.
Native support for WebRTC is not yet available in Internet Explorer or Safari browsers.
Mozilla challenged the conclusions of the report, describing its assessment of how Firefox handles WebRTC as inaccurate. However, it did not specify the points with which it disagreed.
Maire Reavy, engineering manager at Mozilla, said: "We have contacted the authors and hope that they will issue an updated version of the paper soon."
Google was not available for comment.