[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Public WebGL] about the VENDOR, RENDERER, and VERSION strings



Is there really any significant benefit in hiding the true information?

For application authors, there is immense value to be had from being
able to determine which card and drivers the user has - both at run time
(so the application can work around bugs) and in order to provide more
accurate feedback when someone emails you to say "I just get a blank
screen" - and then has no clue as to what card and driver they really
have...making any chance of diagnosis almost zero.

Unless there is some really significant security issue to be concerned
about here - I think we're hiding something exceedingly useful for
little gain.

For example: I'd like to use this in situations such as when I wanted to
use a vertex shader texture and the underlying driver said it supported
it, when in fact it did so by doing a total fallback to vertex shading
(getting me ~1Hz frame rates and making it much, MUCH worse than
useless!).  Certainly, we could hope that such situations should never
arise - or that we should treat them as driver bugs - but as a practical
matter, developers need all the help they can get and these strings are
really useful back-stops.

  -- Steve

On 11/29/2010 09:07 AM, Benoit Jacob wrote:
> Hi,
>
> (just comments, you can skip reading if your time is precious)
>
> In Mozilla's implementation, we decided to just return "Mozilla" for the VENDOR and RENDERER strings. For the VERSION strings, we only put the text required by the WebGL spec. Unfortunately I *guess* that a motivated attacker could still probably get much of that information by examining the result of WebGL rendering.
>
> I'm just interesting in your thoughts if you have any on the subject, especially if you think that there's anything more that can be done to prevent graphics card identification.
>
> My main concern about graphics card / driver identification is that it gives away many bits of user-identifying info, partly disabling anonymity. I'm not so much concerned about targeted attacks on drivers, as an attacker could just blindly try a set of common attacks anyway.
>
> Cheers,
> Benoit
> -----------------------------------------------------------
> You are currently subscribed to public_webgl@khronos.org.
> To unsubscribe, send an email to majordomo@khronos.org with
> the following command in the body of your email:
>
>   

-----------------------------------------------------------
You are currently subscribed to public_webgl@khronos.org.
To unsubscribe, send an email to majordomo@khronos.org with
the following command in the body of your email: