IETF Logo Mail Archive

Re: [rtcweb] Security implications of host candidates

youenn fablet <youennf@gmail.com> Mon, 09 July 2018 21:59 UTC

Return-Path: <youennf@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D6A613107D for <rtcweb@ietfa.amsl.com>; Mon, 9 Jul 2018 14:59:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kiQldf3nHn9e for <rtcweb@ietfa.amsl.com>; Mon, 9 Jul 2018 14:59:06 -0700 (PDT)
Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6460613109B for <rtcweb@ietf.org>; Mon, 9 Jul 2018 14:58:41 -0700 (PDT)
Received: by mail-lj1-x229.google.com with SMTP id r13-v6so15196222ljg.10 for <rtcweb@ietf.org>; Mon, 09 Jul 2018 14:58:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8wpm5a1UfAvBGw8Jf5UzKJE3Ae0/7WlvLcdrOg08H+s=; b=mDFeumpVI4RWWXh5I45XgYSIew5vNaQ0ClCYoiAt8qNBTx4X5LEEcywY2TcuG9ujqN prrTMKaYAAvFVlhIgIi4zBWrpAAmnZbbHmJxSGzzANZs4Zv4DkRidLrSQdNqbBQYcw31 UZcFNcyeP9Lc6hSSzW9MhJNTU/QmvK67Gu1Fz4YdI18iscp7a3JRrUWnPc5iITFFvw5h rwx5uUASTZ2prAiYpjXKbqcFGIzAj1Eo0rXpdK7xYKI1tx9YkMvgIuC19OslNJJJVThn Wkp9N+9lV0lA4T71VOX0Zf8wwbsHHWf4AkXtjDE7GZ4z8ihnHcKKEvNHeNL7Q6P89awq y/5Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8wpm5a1UfAvBGw8Jf5UzKJE3Ae0/7WlvLcdrOg08H+s=; b=lcspWT3SnD21MNZTSeA0a2u6tyRlvijFK5lZWMpGBsk0WunkFWCYFPBIUCOyjbxkaw oErTgYbN8qBKcG7SVkmLunRIv2Sii4hm1hhb6wd+nPA3ldvf1ySJR70QTQBY19GlTsRn V1xNufGCxTyDCHXxDa9q7X28cbGk2KC7HkHMm96FftM+ouCpeBJb++dCs4nIWb0eVFAX CVFMXNGYVDsR5Gaf1/lbHkEODUaId5z+os8zBSYlaY0sezAl0i+Hb4Y14/vIY9U++ui3 wrDPQbic0axuMQW0gRaR1DwoZp6N+03Fhy7rOAkqCVEAbJVWIsC7N/bXyyMe7jkYW5IL CvJA==
X-Gm-Message-State: APt69E2MmAcJW/q1kh4r0by7biH2HUmFQ1WdnThY9tsSsDl2B0mAueir Zu+jKt0bbFi9rhqrS4ZjjNBr45Y2jXa1M5n7YNk=
X-Google-Smtp-Source: AAOMgpfpDWEpkytJScd0qfTZhR8A0Ioe2EmAzfcKng/gvQOH3WkOUzBrv4g6yXm4Z++Xg7sq45vDMa/VcJM3P9T4DcY=
X-Received: by 2002:a2e:1b03:: with SMTP id b3-v6mr14375547ljb.24.1531173519487; Mon, 09 Jul 2018 14:58:39 -0700 (PDT)
MIME-Version: 1.0
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CANN+akZLRdZdexjU44zPCA6vdQR0hVYT17_4P8DefC0JbRL5mA@mail.gmail.com> <CAOJ7v-2JdiMJ9iWE_cL8G7xDM6iekexJL8KLEbz0jD=p7hiGZg@mail.gmail.com> <CANN+akbv2mpyhgV5vxDHKcsA8UPsSEr0bEjJK4xYxtvbkXNA7w@mail.gmail.com> <CAOJ7v-3gHMCxHU02YG3NoqvWHtXgOSWSm+y88GNDW0qc=Sqq=A@mail.gmail.com> <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com> <CANN+akZ=Ebw41mA2wEX7-4u6q5WcZbFtM=VMLX4nDK39S=QGOQ@mail.gmail.com> <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com> <0ED74BE5-AC02-44C5-80E1-18532BD3D1FF@westhawk.co.uk> <CAOJ7v-0TGqvp=MUmeEUjYZTcvV37qbYSTV0pFMoi1J0CJQ7Q4A@mail.gmail.com> <CABkgnnXBTC5TERquJPO4dgiAKz037Cm0Omw4YrobtCW=wmGPyQ@mail.gmail.com>
In-Reply-To: <CABkgnnXBTC5TERquJPO4dgiAKz037Cm0Omw4YrobtCW=wmGPyQ@mail.gmail.com>
From: youenn fablet <youennf@gmail.com>
Date: Mon, 09 Jul 2018 14:58:26 -0700
Message-ID: <CANN+akY5_HobMEU=0ynOgzfyXmtPenv_uGoS2DTrz5dciTeM2A@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: juberti=40google.com@dmarc.ietf.org, RTCWeb IETF <rtcweb@ietf.org>, youenn fablet <yfablet@apple.com>
Content-Type: multipart/alternative; boundary="000000000000b7f6310570981d0e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/BKzMv7JOh135wshiuhxZ5y902Ko>
Subject: Re: [rtcweb] Security implications of host candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2018 21:59:15 -0000

Thanks for the feedback.

I'm not sure that what is proposed (limiting to a top-level browsing
>
context that isn't also private browsing) is the best way to achieve
> the stated policy goals in the draft.  And more fundamentally, there
> are probably several policies that browsers might reasonably adopt
> along those lines.
>

Agreed, browsers might have different constraints and security rules (ITP
in Safari for instance) that should be taken into consideration when
solving that particular issue.

It seems also that, given that this is quite tied to browsers and execution
contexts, guidelines might better fit in W3C land if we think there is a
need for such guidelines.
For instance, W3C specs could use some IETF defined hooks to provide
guidelines on how to set the MDNS policy/MDNS names to be used by a
particular ICE agent.

The best idea I have there is to fail resolution for .local names that
> the browser itself has minted for other origins[1].  That way,
> connections that are cross-origin and same-host would always at least
> hit a hairpin or relay.  Of course, failing resolution so quickly
> might leak information, so additional caution might be necessary (I
> don't think that it does, provided that a candidate is not entered
> into a checklist before resolution occurs, but I'm not sure how that
> would be implemented).
>

There is also the issue of detecting same browser clients by failing
connections.
Let's say a web site identifies three clients A, B and C behind a NAT.
If A is able to connect to both B and C without TURN but B and C are not
able to connect with each other without TURN, a web site could probably
infer that B and C are running on the same browser and are not able to
connect with each other because of this rule.

While this case is not super likely for top level pages (and anyway, the
user somehow trusts the page and might already be authenticated with), this
might more often happen with third party tracking iframes.


> This suggests that you could share mDNS names for frames under the
> same top-level browsing context without leaking more information,
> which could be very useful.
>

Agreed if these frames are same-origin with the top-level browsing context.

v2.23.0 | Report a Bug | By Email