[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Public WebGL] about the VENDOR, RENDERER, and VERSION strings



On Mon, Nov 29, 2010 at 4:53 PM, Steve Baker <steve@sjbaker.org> wrote:
> Is there really any significant benefit in hiding the true information?
>
> For application authors, there is immense value to be had from being
> able to determine which card and drivers the user has - both at run time
> (so the application can work around bugs) and in order to provide more
> accurate feedback when someone emails you to say "I just get a blank
> screen" - and then has no clue as to what card and driver they really
> have...making any chance of diagnosis almost zero.

+1

I have been contemplating expanding the webgl-bench project so that it
can aggregate some statistics on the performance of different graphics
features on different user agents and renderers, for use by authors of
WebGL apps.  This will be a lot more useful if the VERSION and
RENDERER strings return actual information.

-T

>
> Unless there is some really significant security issue to be concerned
> about here - I think we're hiding something exceedingly useful for
> little gain.
>
> For example: I'd like to use this in situations such as when I wanted to
> use a vertex shader texture and the underlying driver said it supported
> it, when in fact it did so by doing a total fallback to vertex shading
> (getting me ~1Hz frame rates and making it much, MUCH worse than
> useless!).  Certainly, we could hope that such situations should never
> arise - or that we should treat them as driver bugs - but as a practical
> matter, developers need all the help they can get and these strings are
> really useful back-stops.
>
>  -- Steve
>
> On 11/29/2010 09:07 AM, Benoit Jacob wrote:
>> Hi,
>>
>> (just comments, you can skip reading if your time is precious)
>>
>> In Mozilla's implementation, we decided to just return "Mozilla" for the VENDOR and RENDERER strings. For the VERSION strings, we only put the text required by the WebGL spec. Unfortunately I *guess* that a motivated attacker could still probably get much of that information by examining the result of WebGL rendering.
>>
>> I'm just interesting in your thoughts if you have any on the subject, especially if you think that there's anything more that can be done to prevent graphics card identification.
>>
>> My main concern about graphics card / driver identification is that it gives away many bits of user-identifying info, partly disabling anonymity. I'm not so much concerned about targeted attacks on drivers, as an attacker could just blindly try a set of common attacks anyway.
>>
>> Cheers,
>> Benoit
>> -----------------------------------------------------------
>> You are currently subscribed to public_webgl@khronos.org.
>> To unsubscribe, send an email to majordomo@khronos.org with
>> the following command in the body of your email:
>>
>>
>
> -----------------------------------------------------------
> You are currently subscribed to public_webgl@khronos.org.
> To unsubscribe, send an email to majordomo@khronos.org with
> the following command in the body of your email:
>
>

-----------------------------------------------------------
You are currently subscribed to public_webgl@khronos.org.
To unsubscribe, send an email to majordomo@khronos.org with
the following command in the body of your email: