Re: [Public WebGL] about the VENDOR, RENDERER, and VERSION strings
- To: Benoit Jacob <email@example.com>
- Subject: Re: [Public WebGL] about the VENDOR, RENDERER, and VERSION strings
- From: Steve Baker <firstname.lastname@example.org>
- Date: Mon, 29 Nov 2010 09:53:14 -0600
- Cc: public webgl <email@example.com>
- In-reply-to: <699568780.434977.1291043271144.JavaMail.firstname.lastname@example.org>
- List-id: Public WebGL Mailing List <public_webgl.khronos.org>
- References: <699568780.434977.1291043271144.JavaMail.email@example.com>
- Sender: firstname.lastname@example.org
- User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:188.8.131.52) Gecko/20100520 SUSE/3.0.5 Thunderbird/3.0.5
Is there really any significant benefit in hiding the true information?
For application authors, there is immense value to be had from being
able to determine which card and drivers the user has - both at run time
(so the application can work around bugs) and in order to provide more
accurate feedback when someone emails you to say "I just get a blank
screen" - and then has no clue as to what card and driver they really
have...making any chance of diagnosis almost zero.
Unless there is some really significant security issue to be concerned
about here - I think we're hiding something exceedingly useful for
For example: I'd like to use this in situations such as when I wanted to
use a vertex shader texture and the underlying driver said it supported
it, when in fact it did so by doing a total fallback to vertex shading
(getting me ~1Hz frame rates and making it much, MUCH worse than
useless!). Certainly, we could hope that such situations should never
arise - or that we should treat them as driver bugs - but as a practical
matter, developers need all the help they can get and these strings are
really useful back-stops.
On 11/29/2010 09:07 AM, Benoit Jacob wrote:
> (just comments, you can skip reading if your time is precious)
> In Mozilla's implementation, we decided to just return "Mozilla" for the VENDOR and RENDERER strings. For the VERSION strings, we only put the text required by the WebGL spec. Unfortunately I *guess* that a motivated attacker could still probably get much of that information by examining the result of WebGL rendering.
> I'm just interested in your thoughts if you have any on the subject, especially if you think that there's anything more that can be done to prevent graphics card identification.
> My main concern about graphics card / driver identification is that it gives away many bits of user-identifying info, partly disabling anonymity. I'm not so much concerned about targeted attacks on drivers, as an attacker could just blindly try a set of common attacks anyway.
> You are currently subscribed to email@example.com.
> To unsubscribe, send an email to firstname.lastname@example.org with
> the following command in the body of your email:
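An added example, not part of either message in this thread: how an application might read the three strings to build a bug-report summary and pick a driver workaround, and what changes when a browser returns generic values as described in the quoted message. The helper name `gpuReport`, the quirk table and the "ExampleGPU 1000" renderer are constructed for illustration; the only masked value taken from the thread is "Mozilla".

```javascript
// Enum values from the OpenGL ES 2.0 / WebGL headers, so this also runs
// against a stub object outside a browser.
const GL = { VENDOR: 0x1F00, RENDERER: 0x1F01, VERSION: 0x1F02,
             MAX_VERTEX_TEXTURE_IMAGE_UNITS: 0x8B4C };

// Assumption: values a browser substitutes for the real strings. "Mozilla"
// is the one named in the thread; extend the list per browser.
const GENERIC_NAMES = new Set(["Mozilla"]);

// Constructed quirk table: renderers where vertex textures are advertised
// but unusably slow. "ExampleGPU 1000" is a made-up name.
const SLOW_VERTEX_TEXTURE = [/ExampleGPU 1000/];

// Hypothetical helper: builds the summary a user can paste into a bug mail
// and decides whether the quirk table can be applied at all.
function gpuReport(gl) {
  const vendor = String(gl.getParameter(GL.VENDOR) ?? "");
  const renderer = String(gl.getParameter(GL.RENDERER) ?? "");
  const version = String(gl.getParameter(GL.VERSION) ?? "");
  const units = Number(gl.getParameter(GL.MAX_VERTEX_TEXTURE_IMAGE_UNITS)) || 0;

  // Text after the "WebGL <major>.<minor>" prefix is vendor-specific.
  const m = /^WebGL \d+\.\d+\s*(.*)$/.exec(version);
  const versionDetail = m ? m[1].trim() : version.trim();

  // Masked: generic vendor and renderer, and nothing beyond the prefix.
  const masked = GENERIC_NAMES.has(vendor) && GENERIC_NAMES.has(renderer) &&
                 versionDetail === "";
  const knownSlow = !masked &&
                    SLOW_VERTEX_TEXTURE.some((re) => re.test(renderer));

  return {
    vendor, renderer, version, versionDetail, masked,
    vertexTextureUnits: units,
    // Use vertex textures only if advertised and not on the quirk list.
    useVertexTextures: units > 0 && !knownSlow,
    // With masked strings the quirk list can never match, so the
    // application has to measure frame time itself before relying on them.
    needsRuntimeBenchmark: units > 0 && masked,
  };
}
```

In a browser, pass the object returned by `canvas.getContext("webgl")`.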