IETF Logo Mail Archive

Re: [rtcweb] Security implications of host candidates

Justin Uberti <juberti@google.com> Tue, 03 July 2018 21:40 UTC

Return-Path: <juberti@google.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C27BE130EE6 for <rtcweb@ietfa.amsl.com>; Tue, 3 Jul 2018 14:40:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.51
X-Spam-Level:
X-Spam-Status: No, score=-17.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EYB9udXUQKtC for <rtcweb@ietfa.amsl.com>; Tue, 3 Jul 2018 14:40:45 -0700 (PDT)
Received: from mail-io0-x22a.google.com (mail-io0-x22a.google.com [IPv6:2607:f8b0:4001:c06::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99186130ED1 for <rtcweb@ietf.org>; Tue, 3 Jul 2018 14:40:45 -0700 (PDT)
Received: by mail-io0-x22a.google.com with SMTP id l25-v6so3045077ioh.12 for <rtcweb@ietf.org>; Tue, 03 Jul 2018 14:40:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+d1Gw5iJaQeSSdfUQ05AIlG+NBTMDtclsHmE0mY+f2I=; b=cBZkT8plk1G5SvPqHELcRi8YPb8x6NtkK1kAGl0fJfvslyQZRbpOFH+5ABFD9YEHIP w7usEImCbMwPeCjZNBNt0vas4EwtseK3ts1kbGkTLg31Vz9nJZB5SNhea4GVL86sqrRN Fnc0Gn7OBUrtV1NCZ1l6JNifk8kRqszsMsWXIkSzds1d+ye7WFzhdF3lhiR6O+y16krS LKp5wnBLaHw+7h2aUG65FaCd2ABTDwMSVaUWlWhiXZrnHVK/1MJPfQKMhjMCOh1Pcc+Q 7OGNFR2iMaFbyLKpIBQFPKPepA74ingAiaXtET7V9kXm+oyAk8r/pyEBtkmoShZdPDso SHxg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+d1Gw5iJaQeSSdfUQ05AIlG+NBTMDtclsHmE0mY+f2I=; b=JBXvwLjUwqbeIRVChedmtyPopV+lUh1Z1/K7V8p6LV7ybTOapycHNeGniO0NOlJtdP 8oOyGeTjNvCWw+/eR4iApYfa/+9IMsa00JbHIriL+BpWLDlDHICG8+EI31bQJZUl8ANh XLsqEE9kGAJ3S2cAWdimYHJkNU+Eqp4DNwF3hIAjnHVY6vD2YRqAyihe8EuYG1i6dqKH 8kPR4TworOmzvVGFgCCb4cJ334LYD73ttmRODgrtcEFFQBuUHwgCzDk9oAxOdZF6fcl4 icYzz+/YuS+IVFBs/y6HGizmgLX4BAJ5GeSsRbqCgbpGAZVNs7mY6PaIs6nEDFSCMStM Zowg==
X-Gm-Message-State: APt69E3AIhEpVdgg1tV1sKmpD3yDV12IIWQWJa9CXCuVb8GIp9YguEEf DwPCebebMqeLA2UgzWSIMIxhXjHiny/YIQMuEg8hPQ==
X-Google-Smtp-Source: AAOMgpfkR1V4K5uyu++1Orucvk4v4DAiu+Ee/SfmzReH07U1pwcuba9LacJGpN42xC3nzfTiaNF5imPS5aSbvDpld3Y=
X-Received: by 2002:a6b:b387:: with SMTP id c129-v6mr27147290iof.32.1530654044577; Tue, 03 Jul 2018 14:40:44 -0700 (PDT)
MIME-Version: 1.0
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CANN+akZLRdZdexjU44zPCA6vdQR0hVYT17_4P8DefC0JbRL5mA@mail.gmail.com> <CAOJ7v-2JdiMJ9iWE_cL8G7xDM6iekexJL8KLEbz0jD=p7hiGZg@mail.gmail.com> <CANN+akbv2mpyhgV5vxDHKcsA8UPsSEr0bEjJK4xYxtvbkXNA7w@mail.gmail.com> <CAOJ7v-3gHMCxHU02YG3NoqvWHtXgOSWSm+y88GNDW0qc=Sqq=A@mail.gmail.com>
In-Reply-To: <CAOJ7v-3gHMCxHU02YG3NoqvWHtXgOSWSm+y88GNDW0qc=Sqq=A@mail.gmail.com>
From: Justin Uberti <juberti@google.com>
Date: Tue, 03 Jul 2018 14:40:31 -0700
Message-ID: <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com>
To: youenn fablet <youennf@gmail.com>
Cc: youenn fablet <yfablet@apple.com>, RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009a640b05701f2a15"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/1xfsA6ae4PzumyqNwcTiLOvLhDI>
Subject: Re: [rtcweb] Security implications of host candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jul 2018 21:40:50 -0000

Updated fiddle (outputs to display as well as console):
https://jsfiddle.net/juberti/x7a8ut0q/37/

On Tue, Jul 3, 2018 at 11:16 AM Justin Uberti <juberti@google.com> wrote:

> I wasn't able to get that example to work (tried with 2 Chrome and 2
> Safari instances, got a setRemoteDescription error both times), but I was
> able to make a JSFiddle <https://jsfiddle.net/juberti/x7a8ut0q/25/> which
> does something similar in a single page. At present, even host-host
> connections were seeing a 2 ms RTT, possibly because of the clamping
> <https://developer.mozilla.org/en-US/docs/Web/API/Performance/now> that
> has been applied to performance.now() to deal with Spectre et al.
>
>
>
>
>
> On Tue, Jul 3, 2018 at 9:21 AM youenn fablet <youennf@gmail.com> wrote:
>
>> Maybe I don't understand the attack well enough, but if a page running in
>>> a private browsing context tried to communicate with a page not running in
>>> a private browsing context, they would probably see < 1ms RTTs for both
>>> host-host and srflx-srflx candidates in many cases (including cases where
>>> the contexts are on different machines).
>>>
>>
>> This is probably true for good ethernet connections.
>> Connections over wifi have usually a bigger/less stable latency than
>> local loop connections.
>> I uploaded a small example (
>> https://evening-thicket-98446.herokuapp.com/src/content/peerconnection/datachannel-b2b/)
>> that computes ping-pong host-host latency through data channel.
>>
>

v2.23.0 | Report a Bug | By Email