Camera and microphone require HTTPS in Firefox 68 (opens in new tab)

(blog.mozilla.org)

648 pointsjohnnyRose6y ago197 comments

197 comments

It will still work on localhost, which is nice. It would be nice if it also worked on local IPs, like 192.168... Those do not work on Chrome, I think, which make mobile testing a bit more cumbersome.

hannob6y ago

> It would be nice if it also worked on local IPs, like 192.168...

That would defeat the security purpose.

Anyone within your local network (which practically speaking very often means the next Wifi your device could find) could attack you.

mort966y ago

But how do you do local development when you can't get an SSL cert for your dev machine's server? No, self signed certs don't always do what you need, especially on mobile where you can't just add your cert as a trusted cert easily.

duchenne6y ago

Wihtout using any third party service, you could use an SSH tunnel, with autossh for automatic reconnections.

    autossh -L 2080:localhost:80 192.198.1.14

And then, you'll be able to visit your dev website on http://localhost:2080

Firefox will believe that your service is local, and will allow the activation of the camera and the microphone even though you do not use https.

1 more reply

comex6y ago

If you own a domain, you can add a subdomain that points to the local network IP, and get Let's Encrypt to give you a certificate using the dns-01 validation method (which doesn't require Let's Encrypt to actually access the IP address in the A record).

This is clearly more complicated than ideal, but it should work.

Edit: You can also use a custom CA root certificate, which can be installed on iOS etc. mkcert is a good starting point:

https://github.com/FiloSottile/mkcert

2 more replies

jonas216y ago

Localtunnel? https://localtunnel.me/

viraptor6y ago

> especially on mobile where you can't just add your cert as a trusted cert easily

What do you mean? Do some Androids block it? Or iOS? I've got it easily available in settings.

zaarn6y ago

VSCode in recent versions has the Remote Workspace Function. It can forward ports if you press Ctrl-P and type "ssh forward", enter and the port number, enter again. You can setup the ssh-config for that workspace to also automatically forward ports.

michaelbrooks6y ago

Not sure if you've heard of NGrok, but this tunnels your server and can be accessed outside of your network with or without https.

https://ngrok.com/

shkkmo6y ago

Easy:

1) Get a signed certificate for a subdomain on a domain you own (e.g. dev.example.com)

2) Change your hosts file to point any local IP you wish, or setup a DNS entry for that subdomain that points to 127.0.0.1

yeukhon6y ago

I know localhost is supported by Lets Encrypt but not sure about local lan network. One possible workaround is ssh forwarding. Create a tunnel. But I have not tried it myself.

varenc6y ago

For local development, Chrome has a flag that lets you force specific origins to be treated as secure:

  chrome://flags/#unsafely-treat-insecure-origin-as-secure

I don't think Firefox has anything equivalent though? This bug on the topic is unassigned: https://bugzilla.mozilla.org/show_bug.cgi?id=1410365

aaronharnly6y ago

Interesting! Though I find that behaves rather strangely – seems to clear itself on every launch.

varenc6y ago

Yea that's annoying, but I believe that's intentional... you can pass that flag in as an arg when you launch chrome though so you don't have to set it up each time.

mort966y ago

I don't imagine that works on mobile chrome, which is what the parent comment was talking about.

_fzslm6y ago

It does, on Android.

1 more reply

wlesieutre6y ago

Mozilla’s previous blog post on the topic says

> Mozilla will provide developer tools to ease the transition to secure contexts and enable testing without an HTTPS server.

https://blog.mozilla.org/security/2018/01/15/secure-contexts...

But the bugzilla entry they linked to with that has been unassigned for two years, so maybe they changed their minds or figure the localhost exception is sufficient.

https://bugzilla.mozilla.org/show_bug.cgi?id=1410365

The last comment proposes a whitelist for development domains, but no response to it.

webstudio6y ago

for easy bypass this guard - ( for rapid development / testing ) - and dont have a localhost environment

ths helped me (with the 68.0 win edition):

about:config

set the

media.getusermedia.insecure.enabled

from false to true

wlesieutre6y ago

Good to know! I'm leaving it alone on my main FF installation, but I've set that in Developer Edition.

1 more reply

vortico6y ago

It's fantastic that it works with localhost (and I assume 127.0.0.1?), and it's fantastic that it doesn't work with anything else. This is the best middleground.

mort966y ago

When it doesn't work on anything other than localhost, you can't host a web server on your dev machine and test how it works on your phone. I've been through the hell of trying to test WebRTC applications on mobile Safari, and it's horrible.

Specifically, you need HTTPS for WebRTC, but you obviously have to use a self signed cert because local IP. You can ignore the cert error and load the page, but connecting to the websocket for signaling will still fail because websocket on iOS requires a non-self-signed cert.

Non-HTTPS websocket would work, but not from a HTTPS host. So you're in a situation where you need HTTPS due to WebRTC, but you can't use HTTPS due to websockets.

In trying to push people to HTTPS by disabling features on HTTP, we're making development a _much_ worse experience. I'm not sure that's right.

Mister_Snuggles6y ago

You can probably just create your own root CA and install it on your mobile device for testing. I've done this for my internal stuff at home and it works well.

I use xca[0] to create/manage the root CA and the certificates, but there are other tools to do this.

[0] https://hohnstaedt.de/xca/

shkkmo6y ago

> you obviously have to use a self signed cert because local IP

Not true at all, SSL certs have nothing to do with IP of the servers that use them, the servers just have to have the correct private key for that cert.

You can make any domain point to local IPs by using the hosts file or even editing DNS directly.

vortico6y ago

I see your point about mobile testing. (I don't do mobile work, so I didn't think of it.)

maxk426y ago

Would be better if it also supported a new warning / permission to request insecure camera access.

tialaramex6y ago

Too confusing. There is already a permission prompt for camera access, so now there'd be two prompts, or it's still one prompt but the text is different in either case, which users can't be expected to understand.

You can go into about:config and explicitly undo this setting if you're in some weird dev corner case where it's a problem, but you should definitely put "Stop doing AV stuff in an insecure context" near the top of your TODO list.

iwalton36y ago

I wrote a script a while ago that automatically creates a subdomain on a domain I own and registers a Let’s Encrypt certificate for this exact purpose. I’ve found it very useful as it will work even for local addresses and dynamic addresses. (It will update the dns record and renew the cert on futher invocations.)

I do wish there was a public solution offering this type of easy dynamic DNS with https. (Sharing the script I wrote could cost a lot on dns hosting and increased server expenses.)

nhumrich6y ago

You could add a tunnel via iptables to just route one port on localhost to another ip

klodolph6y ago

iptables on your phone? I think you would need to root your phone, if it's Android.

numtel6y ago

No need to root, with android in developer mode, run this to forward localhost:3000 to the same port on the phone.

> adb reverse tcp:3000 tcp:3000

lucb1e6y ago

I think it's not unreasonable for a techie to be the admin of their own phone. (I still don't get how this is an unpopular opinion.)

5 more replies

Groxx6y ago

Probably possible with a local VPN on android? I believe those can do anything they please.

k_bx6y ago

Is generating localhost certs and then accepting them in your browser once is that hard?

openssl genrsa -out key.pem 2048

openssl req -new -key key.pem -out certificate.csr

openssl x509 -req -in certificate.csr -signkey key.pem -out certificate.pem

baq6y ago

if all development servers for all frameworks just did that on first run of a project it'd be so much easier.

k_bx6y ago

I just stopped using languages that require a "framework" or "development server" with monster json/yaml configurations to run a web server. In Haskell, a change from http to https is switching from warp.run to warp-tls.runTLS function (with certificate paths set).

mercora6y ago

in order to replicate or simulate a production environment i sometimes do something like this:

ip route add local 192.0.2.123/32 table local dev lo

which makes your system act like this is a local address without actually being one.

EDIT: nvm i just realized that wont solve your issues with mobile development...

peterlk6y ago

To any browser developers out there, I beg you, please, please, please whitelist lvh.me. I am so tired of security restrictions making everything painful for lvh.me.

tty23006y ago

Why? That is just an ordinary domain name that someone pointed at local host. I don't see why it should get any security exemptions.

missblit6y ago

But nothing ensures that domain name will always point to localhost. So why should browsers trust it more than other HTTP domains? It's owned by one person, so DNS registration could lapse even with the best intentions.

vinay_ys6y ago

In general, I'm NOT happy with how camera/microphone, GPS and sensors like Gyro/accel/magnetometers and beacons (radio/wifi/bluetooth/nfc), screen size/resolution, battery level, hardware port identifiers etc are accessed by any website or app on my laptop/phone.

This developed over the years without any input or choice from the end-user. The device manufacturers, platform owners (Apple, Google, Microsoft, Mozilla) and app developers joined together and forced this surveillance aparatus on all end-users.

This power balance has to change.

chii6y ago

There's no problem with having the capability in a web app. It's only a problem if those capabilities are not consented to b the user first.

vinay_ys6y ago

There is definitely no problem in having the capabilities in the hardware. But appropriate assured controls should have been built and provided to the end-user. The challenge is these controls are not in hardware-switch-esque form. They are left to the whims and fancies of individual apps. That blame goes to platforms.

m4636y ago

I disagree. Having things like this rolled into the browser means it's one security vulnerability or corporate decsion away from hurting someone.

asark6y ago

Dear Apple: for Christmas I'd like physical, no-bullshit power shutoff switches for your camera and microphone on the Macbook Pro. Other devices too—if you can manage it, that'd be great. Sincerely, the people who put tape over their cameras, the people who don't because it's ugly and messes with closing the lid but wish they could, and the people who would be in one of those two camps if they understood the risk (so, altogether, 100% of your users).

atonse6y ago

From my understanding, Apple has done sort of what you're asking for, they've hooked up the physical wiring of the camera LED to the camera itself, so it is physically impossible to power the camera without the LED being turned on (as opposed to the "turn on LED" being part of firmware logic that could be hacked).

Wowfunhappy6y ago

This is a better solution overall, as it's "by default". A hardware switch relies on the user to be privacy conscious. An LED which is physically connected to the camera circuit (!) is immediately noticeable if it turns on unexpectedly.

rxhernandez6y ago

As a layperson in this arena, I'm skeptical as to whether it's a great solution. Is it possible to turn the camera on and off very quickly? If so, a smart hacker could do that really quickly and if the owner ever notices they would probably think there is a problem with the electrical rather than thinking they are being monitored.

6 more replies

kgwxd6y ago

This is not a better solution overall and there's no reason we can't have both, other than manufacturer design choices. How often are you looking directly at your camera? Even if you are, once the camera comes on unexpectedly, it's too late.

1 more reply

justinclift6y ago

Doesn't really cover situations where the computer is in a persons bedroom (common with eg: teenagers), and not powered off overnight.

XCSme6y ago

I remember there was a story saying that it's possible, via software only (due to a "bug" and some "poor" hardware design), to turn on the camera without activating the LED.

Nextgrid6y ago

It used to be that the LED was controlled by firmware. As far as I know this is fixed now but I haven't proven it myself.

There are leaked schematics of MacBooks online (that unofficial repair shops use) so if you want to investigate this I'd expect it to be a good place to start.

css6y ago

https://jscholarship.library.jhu.edu/handle/1774.2/36569 (2013)

1 more reply

skybrian6y ago

That's useful, but it's not as reassuring as a hardware switch where you can see it work.

(For video, anyway. I don't see any similar solution for audio.)

ehsankia6y ago

Two reasons why switch is better:

1. If it does happen to light up, what would you do, turn off your computer? That's shitty.

2. What if your AFK and aren't looking at the light?

2 more replies

jonny_eh6y ago

What about the mic?

SlowRobotAhead6y ago

FWIW... I bet you could power the camera, get a still frame at 60fps, shut it down, and not see the led come on. It would be 1/60, 16ms plus or minus the amount of overhead needed, plus autofocus and exposure correction might make it impractical, but it’s definitely not a bulletproof fix.

heavenlyblue6y ago

Apple could simply make the camera take 1 second to activate.

1 more reply

cstejerean6y ago

How much would you bet?

1 more reply

outworlder6y ago

> From my understanding, Apple has done sort of what you're asking for, they've hooked up the physical wiring of the camera LED to the camera itself, so it is physically impossible to power the camera without the LED being turned on

Correct. And that was my reason for NOT covering the camera. Because I would be able to see if it was on due to some malware. However, I did not expect a vulnerability like Zoom's, where a simple website would be able to trigger a webcam. Combined with external monitors, the LED would be potentially missed for a good amount of time. So I've reversed my position since then.

t345436y ago

I’ve read this as well but my macbook senses ambient light and adjusts my backlight accordingly. Isn’t this through the camera - with no LED?

klodolph6y ago

The ambient light sensor is right next to the camera, I think it's usually to the left. It's a bit hard to test since they're close together. Macs have had ambient light sensors for a long time. For example, take an old iMac and put it to sleep. The power light will pulse with a period of about 2s, and the brightness will depend on the ambient light level.

Edit: Just tested on my MBP. Opened photo booth, covered the camera with my thumb, shone a bright flashlight at the point just left of the camera. The display got brighter but Photo Booth showed no changes in what the camera was seeing.

Analemma_6y ago

No, the ambient light sensing is done with a light sensor on the body - look for the tiny hole drilled into the chassis. It doesn't use the camera.

1 more reply

eightysixfour6y ago

https://apple.stackexchange.com/questions/347895/where-is-th...

asdfasgasdgasdg6y ago

I think I understand the risk, and I definitely would not bother with such a switch even were it available. So maybe I actually don't understand it.

What exactly is the risk? Have there been any actual cases of someone being spied on with their laptop webcam that would have been prevented by a switch? I'm only aware of cases where the webcam switch would not have helped (e.g. roommate sets up notebook to record owner naked). Even that is incredibly rare, or if not rare, almost never reported.

packet_nerd6y ago

A quick search seems to turn up quite a few examples of webcam spying. I'd love to see actual numbers, but it doesn't seem to be "incredibly rare".

https://www.dailymail.co.uk/sciencetech/article-5228017/Hack...

https://www.dailymail.co.uk/news/article-2638874/More-90-peo...

https://globalnews.ca/news/2158281/what-you-need-to-know-abo...

https://www.telegraph.co.uk/technology/news/10131456/Hackers...

This site claims a guy made a business selling software to hack and remotely control webcams, complete with paid employees and $350,000 in income:

https://www.welivesecurity.com/2015/04/21/webcam-hacking/

asdfasgasdgasdg6y ago

OK. That has caused me to update my beliefs. I still think that there is relatively little risk -- like, you should be much more worried about being in a car accident -- but I no longer think it's on par with being struck by lightning.

1 more reply

jjeaff6y ago

Considering that there have been Trojan malware programs out there that can secretly take over a user's webcam since webcams became popular, I'd say it's a given that it is happening on a regular basis.

Also, there are many security programs that can seruptitiously take photos or videos using the camera. Usually this is to help in recovery after theft.

dark_glass6y ago

Here's a recent 0-day involving Macs and Zoom (or RingCentral): https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-milli...

zonidjan6y ago

Which is an exploit, not an attack.

Guest09182316y ago

When I was in highschool people would do this all the time to each other by attaching trojans to files to gain access to webcams. This was the days of Windows 98, and security was almost non-existent for most users.

People would get someone infected, and then share the credentials so everyone could watch. So, I personally know of a handful of people that were spied on 20 years ago.

simcop23876y ago

Here's a case that went to court about it,

https://en.wikipedia.org/wiki/Robbins_v._Lower_Merion_School...

SkyMarshal6y ago

It's for when someone pwns root on your computer, you can still turn off video and audio recording physically and they can't spy on you.

The use case is that you leave them turned off by default in case someone pwns you, and only turn them on when you need to use them.

baroffoos6y ago

One use case is protecting against non malicious but unexpected use of the camera. For example when you want to join a call with voice only but the app defaults to video and voice. You can have your camera off and mic on and you know for sure you won't be unexpectedly streaming video.

sbov6y ago

A while back it was in the news that school issued laptops had their webcams remotely activated by administration during non school hours. So yeah there's been at least one case.

zonidjan6y ago

Well, yeah. There's a reason why built-in webcam covers / physical switches are much more prevalent on laptops oriented towards business/government users (cf Thinkpads).

gsich6y ago

It's more or less a feeling. Because if someone can activate your camera without you knowing you have bigger problems.

sethhochberg6y ago

If anyone is looking for a nice webcam cover for laptops, I've found the super-thin ones (marketed as "0.7mm thin" by EYSOFT and others on Amazon, etc) are fantastic. Very cheap, very thin, visually unobtrusive, and dead-simple to use. Doesn't interfere with closing my Macbook at all, it protrudes less than the rubber bumper around the screen border.

Still miss the physical mic mute button on my old Thinkpad X230... and it didn't have a webcam button for that, but we've _almost_ had all of the right features in the past...

kraig6y ago

FWIW I had one of these on my laptop and the screen now has a crack that started right where this was.

TheRealSteel6y ago

Also note that the webcam closes onto the large, glass trackpad on Apple laptops, increasing the risk of damage if any debris gets in between there.

hereme8886y ago

That's what the Purism laptops have. But they're linux-based (although I hear Mac OS is based on linux kernel).

groovybits6y ago

Mac OS was originally based on BSD.

https://en.wikipedia.org/wiki/Berkeley_Software_Distribution

arcticbull6y ago

The kernel is not BSD, it's based on the Mach microkernel [1] with a BSD compatibility layer implemented on top. The whole thing collectively is called XNU [2].

[1] https://en.wikipedia.org/wiki/Mach_(kernel)

[2] https://en.wikipedia.org/wiki/XNU

1 more reply

pietroglyph6y ago

macOS is based upon XNU, which was based upon the Mach kernel (with bits of BSD userspace), not Linux.

ohazi6y ago

Mac OS is in no way based on the Linux kernel.

amelius6y ago

Perhaps it would be if the license was different.

2 more replies

meruru6y ago

The Pinebook too.

IloveHN846y ago

Why only Dear Apple? Dear Dell, dear Lenovo and dear Asus, enable your products with physical switches

octavn6y ago

You can find "slim" webcam privacy covers on Amazon. Since they can slide it they're a better solution than tape.

galad876y ago

macOS already ask the user for permission the first time an app tries to use a camera/microphone. If you want to be asked each time, install OverSight.

LeoPanthera6y ago

Have you noticed that the people who tape up their laptop camera almost always still carry around a smartphone in their pocket 100% of the time.

nothrabannosir6y ago

A smartphone is significantly more secure than a computer. I install lord knows what NPM package from God knows where on a weekly basis. Only since very recently does mic or camera access cause any kind of system prompt on Mac.

Smartphones , for all their faults , at least are far less vulnerable to viruses than pcs.

Or at least iOS vs Mac.

meruru6y ago

I consider my desktop computer to be far more secure than my phone, since it's harder for someone to access it physically and it isn't running Android. The things I install on it are more trustworthy as well, since they're mostly small, established unix tools.

admax88q6y ago

Your device is as secure as you make it. Why are you installing "lord knows what npm package" on your laptop?

1 more reply

mtrpcic6y ago

The difference being that the smartphone camera isn't pointed at your face or room the entire time the device is in use.

LeoPanthera6y ago

Frankly I don't think it's the camera that people should be most concerned about - it's the microphone.

1 more reply

zonidjan6y ago

Can my smartphone see anything from inside my pocket?

meruru6y ago

I tape my phone cameras too.

Nextgrid6y ago

If an attacker can access your webcam/microphone at will this means they can run arbitrary code to capture your screen, display anything you want and capture your keystrokes.

In this case the camera or microphone is the least of your worries.

marknadal6y ago

This sucks, my community[1] has a local offline-first video/audio call app that we run on a physical mesh network.

This will make it impossible for people to talk to each other, without first needing to be connected online to some certificate authority, or without some extraordinarily difficult pre-installation process, which is often not even possible on a phone.

HTTPS was important, but now its being used to shoe horn dependency on centralized online-only authority. Perfectly ripe to censor anyone.

1. https://gitter.im/amark/gun

comex6y ago

A browser doesn't need to connect to the certificate authority to validate a cert; only the server hosting the app 'needs' to be online (at least long enough to obtain a signed certificate every so often).

The bigger problem is that there has to be a single server hosting the app in the first place, which IMO is a severe flaw in the Web's architecture. But this change doesn't really make the situation worse.

marknadal6y ago

Subnet IPs are always different tho. Can I really get a cert for all subnet addresses? That'd be awesome! Please please educate me.

I want to be clear though, I need it so that the user doesn't have to install the cert themselves, or have to be online to approve.

Previously, a user would connect to the local wireless network, then the router would open them up to a directory listing of the local apps available on the network (like the video/audio call), they click the link (just points to the dynamic subnet IP of a static file server) to load the offline HTML page which then connects to call anyone in the network, including users on neighbor and neighbor-of-neighbors routers.

Basically our own decentralized telecom!

comex6y ago

SSL certificates are typically issued for domains and aren't tied to a specific IP address. So you need a domain name, and clients need to be able to resolve that domain to your IP, which means the network needs a DNS server – but the DNS server itself doesn't have to be online at all times, it just has to know what IP to return for your domain. I am not sure how that works with your mesh setup.

Note that some domain validation methods involve the certificate authority resolving the domain to an IP address and trying to connect to it on the public Internet – but not all. Let's Encrypt, for example, supports the dns-01 method, which just requires a custom TXT record to be set on the domain. (But of course the TXT record itself needs to be on the public Internet.) That said, since your goal is to work offline, you may want to use a different CA that issues longer-lived SSL certificates, since Let's Encrypt only gives you 3 months at a time.

tialaramex6y ago

Since we're talking about a Web Browser I'm going to assume we're talking about the Web PKI - certificates that are trusted in common software like web browsers that use TLS.

Leaf certificates in the Web PKI specify one or more SANs (Subject Alternative Names, the "alternative" is because this is the Internet's alternative to the way the X.500 directory system was designed, you don't use the X.500 directory system so you don't care about this) which can each be either an IP address (either IPv4 or IPv6) or it can be any Fully Qualified Domain Name (like bobs-laptop.example.com) from the Internet DNS or it can be a "Wildcard" like *.servers.example.com, which is considered a "match" for any Fully Qualified Domain Name that has exactly one label (a name with no dots in it) instead of the asterisk, so it would batch bigfiles.servers.example.com, and www.servers.example.com but not www.example.com or bigfiles.servers.microsoft.com)

You can get software (such as "Certbot" or "acme.sh") to help obtain trusted certificates periodically from the Internet automatically (at no cost) for a machine which has a Fully Qualified Domain Name on the Internet and is connected to the Internet at least sometimes. You may need to write software yourself to manage actually installing such certificates if your server software is custom - if you use common server software like Apache the tools can do it for you. The no cost option is provided by a charity, ISRG. If you're not a charity and appreciate the service you might consider sending a few bucks their way so they can keep doing this.

If your servers are not ordinarily connected to the Internet, but you do own an Internet domain name (e.g. example.com) you can just make up names for them in that domain and you will be able to obtain certificates for those made-up names, since you control the domain they're your names to do with as you please. But doing this is a bunch more work than the scenario where they're on the Internet.

shkkmo6y ago

I'm not familiar with this exact setup, but I am assuming you have full control over the router software, but want to limit any installation or configuration of either the browser's computer or the local network fileservers.

> Subnet IPs are always different tho. Can I really get a cert for all subnet addresses?

SSL certs don't usually have anything to do with the IP address, that is usually handled by the hosts file / DNS entries.

There is no reason the non-profit can't get a domain and a free SSL cert and distribute that cert and it's private key with the router software as a default while allowing admins to install/configure their own domain and SSL cert.

The router can then MITM all requests to that domain using a SSL termination proxy for the file server.

1 more reply

fulafel6y ago

If you are running a network disconnected from the internet, it follows logically that you'll have to reconfigured the normally internet-anchored security mechanisms on end-devices. You always have the option of using another app for this too.

Are you sure you don't want confidentiality on the audio/video calls on your network? After all it's passing through all the mesh nodes and vulnerable to eavesdropping.

1 more reply

tenebrisalietum6y ago

It's been over a year, but I played around with PKI and installing your own self-signed root certs on iPhone and Android (for HTTPS) was not hard.

Avamander6y ago

But having to start exchanging root certs is not trivial in mesh environments, it's also insecure if you have to accept someone else's root.

anilakar6y ago

Does anyone still remember the times when MSIE actually warned you if you were POSTing anything over an unencrypted connection?

d336y ago

Yes and it basically showed how it doesn't work. Applications were designed around the assumption that the user would click through the warnings. It looks like Firefox and Chromium are doing far better by restricting features to SSL, though I would be happier if they were also trying to push something more resistant to nation-state abuse...

progval6y ago

This page's content is in a div named "mobile-pusher" with a 400px padding-right, which then gets disabled when loading a JS script from a third-party domain (ffp4g1ylyit3jdyti1hqcvtb-wpengine.netdna-ssl.com). wtf?

indalo6y ago

that's wpengine's cdn, most likely the host of the blog.

rolltiide6y ago

Its funny how everyone feels empowered to be a digital sleuth these days but makes ridiculous conclusions with the same material everyone else has

Dylan168076y ago

"wtf?" is not a ridiculous conclusion.

ry4nolson6y ago

probably related to the hamburger menu on mobile, which pushes that div over 300px

spaceribs6y ago

Love it, although I'm sure you can still send video/audio in non-encrypted ways right?

Traubenfuchs6y ago

This is very annoying for development in my eyes.

What is the preferred way to include https in your development flow? Have an nginx or apache running? What about automated tests against a running application?

roblabla6y ago

localhost is considered "secure" and doesn't need https - this can be used by most development and automated testing flows. For remote development, I tend to setup a caddy server which makes it very easy to get an SSL certificate.

This is still mildly annoying.

jeffk_teh_haxor6y ago

What took them so long?

lightedman6y ago

They cant even get firefox to properly load (let alone let me pick) all 10 of my webcams.

How about making that work, first?

user178436y ago

Chrome has been doing it since around 2016, it seems.

1 more reply

idlewords6y ago

In Firefox 73, they'll require consent!

minitech6y ago

They already require consent. You probably know that. Not sure what the joke is.

tuxracer6y ago

Both of these permissions already require consent.

j / k navigate · click thread line to collapse

197 comments

petters6y ago

It will still work on localhost, which is nice. It would be nice if it also worked on local IPs, like 192.168... Those do not work on Chrome, I think, which make mobile testing a bit more cumbersome.

hannob6y ago

> It would be nice if it also worked on local IPs, like 192.168...

That would defeat the security purpose.

Anyone within your local network (which practically speaking very often means the next Wifi your device could find) could attack you.

mort966y ago

duchenne6y ago

Wihtout using any third party service, you could use an SSH tunnel, with autossh for automatic reconnections.

    autossh -L 2080:localhost:80 192.198.1.14

And then, you'll be able to visit your dev website on http://localhost:2080

Firefox will believe that your service is local, and will allow the activation of the camera and the microphone even though you do not use https.

1 more reply

comex6y ago

This is clearly more complicated than ideal, but it should work.

Edit: You can also use a custom CA root certificate, which can be installed on iOS etc. mkcert is a good starting point:

https://github.com/FiloSottile/mkcert

2 more replies

jonas216y ago

Localtunnel? https://localtunnel.me/

viraptor6y ago

> especially on mobile where you can't just add your cert as a trusted cert easily

What do you mean? Do some Androids block it? Or iOS? I've got it easily available in settings.

zaarn6y ago

michaelbrooks6y ago

Not sure if you've heard of NGrok, but this tunnels your server and can be accessed outside of your network with or without https.

https://ngrok.com/

shkkmo6y ago

Easy:

1) Get a signed certificate for a subdomain on a domain you own (e.g. dev.example.com)

2) Change your hosts file to point any local IP you wish, or setup a DNS entry for that subdomain that points to 127.0.0.1

yeukhon6y ago

I know localhost is supported by Lets Encrypt but not sure about local lan network. One possible workaround is ssh forwarding. Create a tunnel. But I have not tried it myself.

varenc6y ago

For local development, Chrome has a flag that lets you force specific origins to be treated as secure:

  chrome://flags/#unsafely-treat-insecure-origin-as-secure

I don't think Firefox has anything equivalent though? This bug on the topic is unassigned: https://bugzilla.mozilla.org/show_bug.cgi?id=1410365

aaronharnly6y ago

Interesting! Though I find that behaves rather strangely – seems to clear itself on every launch.

varenc6y ago

Yea that's annoying, but I believe that's intentional... you can pass that flag in as an arg when you launch chrome though so you don't have to set it up each time.

mort966y ago

I don't imagine that works on mobile chrome, which is what the parent comment was talking about.

_fzslm6y ago

It does, on Android.

1 more reply

wlesieutre6y ago

Mozilla’s previous blog post on the topic says

> Mozilla will provide developer tools to ease the transition to secure contexts and enable testing without an HTTPS server.

https://blog.mozilla.org/security/2018/01/15/secure-contexts...

But the bugzilla entry they linked to with that has been unassigned for two years, so maybe they changed their minds or figure the localhost exception is sufficient.

https://bugzilla.mozilla.org/show_bug.cgi?id=1410365

The last comment proposes a whitelist for development domains, but no response to it.

webstudio6y ago

for easy bypass this guard - ( for rapid development / testing ) - and dont have a localhost environment

ths helped me (with the 68.0 win edition):

about:config

set the

media.getusermedia.insecure.enabled

from false to true

wlesieutre6y ago

Good to know! I'm leaving it alone on my main FF installation, but I've set that in Developer Edition.

1 more reply

vortico6y ago

It's fantastic that it works with localhost (and I assume 127.0.0.1?), and it's fantastic that it doesn't work with anything else. This is the best middleground.

mort966y ago

Non-HTTPS websocket would work, but not from a HTTPS host. So you're in a situation where you need HTTPS due to WebRTC, but you can't use HTTPS due to websockets.

In trying to push people to HTTPS by disabling features on HTTP, we're making development a _much_ worse experience. I'm not sure that's right.

Mister_Snuggles6y ago

You can probably just create your own root CA and install it on your mobile device for testing. I've done this for my internal stuff at home and it works well.

I use xca[0] to create/manage the root CA and the certificates, but there are other tools to do this.

[0] https://hohnstaedt.de/xca/

shkkmo6y ago

> you obviously have to use a self signed cert because local IP

Not true at all, SSL certs have nothing to do with IP of the servers that use them, the servers just have to have the correct private key for that cert.

You can make any domain point to local IPs by using the hosts file or even editing DNS directly.

vortico6y ago

I see your point about mobile testing. (I don't do mobile work, so I didn't think of it.)

maxk426y ago

Would be better if it also supported a new warning / permission to request insecure camera access.

tialaramex6y ago

iwalton36y ago

I do wish there was a public solution offering this type of easy dynamic DNS with https. (Sharing the script I wrote could cost a lot on dns hosting and increased server expenses.)

nhumrich6y ago

You could add a tunnel via iptables to just route one port on localhost to another ip

klodolph6y ago

iptables on your phone? I think you would need to root your phone, if it's Android.

numtel6y ago

No need to root, with android in developer mode, run this to forward localhost:3000 to the same port on the phone.

> adb reverse tcp:3000 tcp:3000

lucb1e6y ago

I think it's not unreasonable for a techie to be the admin of their own phone. (I still don't get how this is an unpopular opinion.)

5 more replies

Groxx6y ago

Probably possible with a local VPN on android? I believe those can do anything they please.

k_bx6y ago

Is generating localhost certs and then accepting them in your browser once is that hard?

openssl genrsa -out key.pem 2048

openssl req -new -key key.pem -out certificate.csr

openssl x509 -req -in certificate.csr -signkey key.pem -out certificate.pem

baq6y ago

if all development servers for all frameworks just did that on first run of a project it'd be so much easier.

k_bx6y ago

mercora6y ago

in order to replicate or simulate a production environment i sometimes do something like this:

ip route add local 192.0.2.123/32 table local dev lo

which makes your system act like this is a local address without actually being one.

EDIT: nvm i just realized that wont solve your issues with mobile development...

peterlk6y ago

To any browser developers out there, I beg you, please, please, please whitelist lvh.me. I am so tired of security restrictions making everything painful for lvh.me.

tty23006y ago

Why? That is just an ordinary domain name that someone pointed at local host. I don't see why it should get any security exemptions.

missblit6y ago

vinay_ys6y ago

This power balance has to change.

chii6y ago

There's no problem with having the capability in a web app. It's only a problem if those capabilities are not consented to b the user first.

vinay_ys6y ago

m4636y ago

I disagree. Having things like this rolled into the browser means it's one security vulnerability or corporate decsion away from hurting someone.

asark6y ago

atonse6y ago

Wowfunhappy6y ago

rxhernandez6y ago

6 more replies

kgwxd6y ago

1 more reply

justinclift6y ago

Doesn't really cover situations where the computer is in a persons bedroom (common with eg: teenagers), and not powered off overnight.

XCSme6y ago

I remember there was a story saying that it's possible, via software only (due to a "bug" and some "poor" hardware design), to turn on the camera without activating the LED.

Nextgrid6y ago

It used to be that the LED was controlled by firmware. As far as I know this is fixed now but I haven't proven it myself.

There are leaked schematics of MacBooks online (that unofficial repair shops use) so if you want to investigate this I'd expect it to be a good place to start.

css6y ago

https://jscholarship.library.jhu.edu/handle/1774.2/36569 (2013)

1 more reply

skybrian6y ago

That's useful, but it's not as reassuring as a hardware switch where you can see it work.

(For video, anyway. I don't see any similar solution for audio.)

ehsankia6y ago

Two reasons why switch is better:

1. If it does happen to light up, what would you do, turn off your computer? That's shitty.

2. What if your AFK and aren't looking at the light?

2 more replies

jonny_eh6y ago

What about the mic?

SlowRobotAhead6y ago

heavenlyblue6y ago

Apple could simply make the camera take 1 second to activate.

1 more reply

cstejerean6y ago

How much would you bet?

1 more reply

outworlder6y ago

t345436y ago

I’ve read this as well but my macbook senses ambient light and adjusts my backlight accordingly. Isn’t this through the camera - with no LED?

klodolph6y ago

Analemma_6y ago

No, the ambient light sensing is done with a light sensor on the body - look for the tiny hole drilled into the chassis. It doesn't use the camera.

1 more reply

eightysixfour6y ago

https://apple.stackexchange.com/questions/347895/where-is-th...

asdfasgasdgasdg6y ago

I think I understand the risk, and I definitely would not bother with such a switch even were it available. So maybe I actually don't understand it.

packet_nerd6y ago

A quick search seems to turn up quite a few examples of webcam spying. I'd love to see actual numbers, but it doesn't seem to be "incredibly rare".

https://www.dailymail.co.uk/sciencetech/article-5228017/Hack...

https://www.dailymail.co.uk/news/article-2638874/More-90-peo...

https://globalnews.ca/news/2158281/what-you-need-to-know-abo...

https://www.telegraph.co.uk/technology/news/10131456/Hackers...

This site claims a guy made a business selling software to hack and remotely control webcams, complete with paid employees and $350,000 in income:

https://www.welivesecurity.com/2015/04/21/webcam-hacking/

asdfasgasdgasdg6y ago

1 more reply

jjeaff6y ago

Also, there are many security programs that can seruptitiously take photos or videos using the camera. Usually this is to help in recovery after theft.

dark_glass6y ago

Here's a recent 0-day involving Macs and Zoom (or RingCentral): https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-milli...

zonidjan6y ago

Which is an exploit, not an attack.

Guest09182316y ago

People would get someone infected, and then share the credentials so everyone could watch. So, I personally know of a handful of people that were spied on 20 years ago.

simcop23876y ago

Here's a case that went to court about it,

https://en.wikipedia.org/wiki/Robbins_v._Lower_Merion_School...

SkyMarshal6y ago

It's for when someone pwns root on your computer, you can still turn off video and audio recording physically and they can't spy on you.

The use case is that you leave them turned off by default in case someone pwns you, and only turn them on when you need to use them.

baroffoos6y ago

sbov6y ago

A while back it was in the news that school issued laptops had their webcams remotely activated by administration during non school hours. So yeah there's been at least one case.

zonidjan6y ago

Well, yeah. There's a reason why built-in webcam covers / physical switches are much more prevalent on laptops oriented towards business/government users (cf Thinkpads).

gsich6y ago

It's more or less a feeling. Because if someone can activate your camera without you knowing you have bigger problems.

sethhochberg6y ago

Still miss the physical mic mute button on my old Thinkpad X230... and it didn't have a webcam button for that, but we've _almost_ had all of the right features in the past...

kraig6y ago

FWIW I had one of these on my laptop and the screen now has a crack that started right where this was.

TheRealSteel6y ago

Also note that the webcam closes onto the large, glass trackpad on Apple laptops, increasing the risk of damage if any debris gets in between there.

hereme8886y ago

That's what the Purism laptops have. But they're linux-based (although I hear Mac OS is based on linux kernel).

groovybits6y ago

Mac OS was originally based on BSD.

https://en.wikipedia.org/wiki/Berkeley_Software_Distribution

arcticbull6y ago

The kernel is not BSD, it's based on the Mach microkernel [1] with a BSD compatibility layer implemented on top. The whole thing collectively is called XNU [2].

[1] https://en.wikipedia.org/wiki/Mach_(kernel)

[2] https://en.wikipedia.org/wiki/XNU

1 more reply

pietroglyph6y ago

macOS is based upon XNU, which was based upon the Mach kernel (with bits of BSD userspace), not Linux.

ohazi6y ago

Mac OS is in no way based on the Linux kernel.

amelius6y ago

Perhaps it would be if the license was different.

2 more replies

meruru6y ago

The Pinebook too.

IloveHN846y ago

Why only Dear Apple? Dear Dell, dear Lenovo and dear Asus, enable your products with physical switches

octavn6y ago

You can find "slim" webcam privacy covers on Amazon. Since they can slide it they're a better solution than tape.

galad876y ago

macOS already ask the user for permission the first time an app tries to use a camera/microphone. If you want to be asked each time, install OverSight.

LeoPanthera6y ago

Have you noticed that the people who tape up their laptop camera almost always still carry around a smartphone in their pocket 100% of the time.

nothrabannosir6y ago

Smartphones , for all their faults , at least are far less vulnerable to viruses than pcs.

Or at least iOS vs Mac.

meruru6y ago

admax88q6y ago

Your device is as secure as you make it. Why are you installing "lord knows what npm package" on your laptop?

1 more reply

mtrpcic6y ago

The difference being that the smartphone camera isn't pointed at your face or room the entire time the device is in use.

LeoPanthera6y ago

Frankly I don't think it's the camera that people should be most concerned about - it's the microphone.

1 more reply

zonidjan6y ago

Can my smartphone see anything from inside my pocket?

meruru6y ago

I tape my phone cameras too.

Nextgrid6y ago

If an attacker can access your webcam/microphone at will this means they can run arbitrary code to capture your screen, display anything you want and capture your keystrokes.

In this case the camera or microphone is the least of your worries.

marknadal6y ago

This sucks, my community[1] has a local offline-first video/audio call app that we run on a physical mesh network.

HTTPS was important, but now its being used to shoe horn dependency on centralized online-only authority. Perfectly ripe to censor anyone.

1. https://gitter.im/amark/gun

comex6y ago

marknadal6y ago

Subnet IPs are always different tho. Can I really get a cert for all subnet addresses? That'd be awesome! Please please educate me.

I want to be clear though, I need it so that the user doesn't have to install the cert themselves, or have to be online to approve.

Basically our own decentralized telecom!

comex6y ago

tialaramex6y ago

Since we're talking about a Web Browser I'm going to assume we're talking about the Web PKI - certificates that are trusted in common software like web browsers that use TLS.

shkkmo6y ago

> Subnet IPs are always different tho. Can I really get a cert for all subnet addresses?

SSL certs don't usually have anything to do with the IP address, that is usually handled by the hosts file / DNS entries.

The router can then MITM all requests to that domain using a SSL termination proxy for the file server.

1 more reply

fulafel6y ago

Are you sure you don't want confidentiality on the audio/video calls on your network? After all it's passing through all the mesh nodes and vulnerable to eavesdropping.

1 more reply

tenebrisalietum6y ago

It's been over a year, but I played around with PKI and installing your own self-signed root certs on iPhone and Android (for HTTPS) was not hard.

Avamander6y ago

But having to start exchanging root certs is not trivial in mesh environments, it's also insecure if you have to accept someone else's root.

anilakar6y ago

Does anyone still remember the times when MSIE actually warned you if you were POSTing anything over an unencrypted connection?

d336y ago

progval6y ago

indalo6y ago

that's wpengine's cdn, most likely the host of the blog.

rolltiide6y ago

Its funny how everyone feels empowered to be a digital sleuth these days but makes ridiculous conclusions with the same material everyone else has

Dylan168076y ago

"wtf?" is not a ridiculous conclusion.

ry4nolson6y ago

probably related to the hamburger menu on mobile, which pushes that div over 300px

spaceribs6y ago

Love it, although I'm sure you can still send video/audio in non-encrypted ways right?

Traubenfuchs6y ago

This is very annoying for development in my eyes.

What is the preferred way to include https in your development flow? Have an nginx or apache running? What about automated tests against a running application?

roblabla6y ago

This is still mildly annoying.

jeffk_teh_haxor6y ago

What took them so long?

lightedman6y ago

They cant even get firefox to properly load (let alone let me pick) all 10 of my webcams.

How about making that work, first?

user178436y ago

Chrome has been doing it since around 2016, it seems.

1 more reply

idlewords6y ago

In Firefox 73, they'll require consent!

minitech6y ago

They already require consent. You probably know that. Not sure what the joke is.

tuxracer6y ago

Both of these permissions already require consent.

j / k navigate · click thread line to collapse