[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Public WebGL] about the VENDOR, RENDERER, and VERSION strings
On Mon, Nov 29, 2010 at 9:26 AM, Thatcher Ulrich <email@example.com>
> ----- Original Message -----Yeah, I think this comes down to balancing a small amount of
>> Is there really any significant benefit in hiding the true
> It's a matter of taste or a political question, but some people do care about anonymity and/or privacy and will frown if WebGL does poorly in this respect.
information disclosure, vs. the benefit of apps having access to that
Unfortunately, that small amount of additional information could be enough for a larger-scale targeted attack. As it was recently pointed out to me by a security engineer, large corporations (which tend to make good targets) typically deploy very uniform hardware inside their private networks (same GPUs and driver versions). If a vulnerability is discovered and the underlying hardware could be sniffed, you're opening up a sizeable security hole in an attractive target.
I do share the desire to be able to adjust WebGL content based on the hardware capabilities but I think security implications need to take priority, at least at this early stage.
For example, webgl-bench outputs the following (from page at
userAgent = Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US)
AppleWebKit/534.8 (KHTML, like Gecko) Chrome/7.0.526.0 Safari/534.8
gl.VERSION = OpenGL ES 2.0 Chromium
gl.VENDOR = NVIDIA Corporation
gl.RENDERER = NVIDIA GeForce GT 330M OpenGL Engine
gl.SHADING_LANGUAGE_VERSION = OpenGL ES GLSL ES 1.0 Chromium
The userAgent contains my PC's OS + version and browser version, while
gl.RENDERER gives the make and model of my video card.
So the gl.RENDERER does reveal slightly more about me than just the
userAgent. Personally it does not seem like a problem to me (it seems
like there are much more effective ways for web pages to identify me)
but this is not my area of expertise.
The info will be absolutely invaluable to some webgl apps (probably
the more elaborate ones). I liken it to userAgent -- in an ideal
world, nobody would ever need to sniff userAgent, but in the real
world it is sometimes crucial. For 3D, the variability of hardware
speed is large, even assuming perfect feature parity.
You are currently subscribed to firstname.lastname@example.org
To unsubscribe, send an email to email@example.com
the following command in the body of your email: