Re: [rtcweb] I-D Action: draft-ietf-rtcweb-ip-handling-05.txt
Justin Uberti <juberti@google.com> Tue, 13 February 2018 20:46 UTC
Return-Path: <juberti@google.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F12312D943 for <rtcweb@ietfa.amsl.com>; Tue, 13 Feb 2018 12:46:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.009
X-Spam-Level:
X-Spam-Status: No, score=-2.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZmOhF-1lzGS8 for <rtcweb@ietfa.amsl.com>; Tue, 13 Feb 2018 12:46:46 -0800 (PST)
Received: from mail-ua0-x234.google.com (mail-ua0-x234.google.com [IPv6:2607:f8b0:400c:c08::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABB7B12D88F for <rtcweb@ietf.org>; Tue, 13 Feb 2018 12:46:45 -0800 (PST)
Received: by mail-ua0-x234.google.com with SMTP id p12so12389664uad.0 for <rtcweb@ietf.org>; Tue, 13 Feb 2018 12:46:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=YAege7UO49FaWYoGFKUeghS9gkV/JFFdrW6VACHC+pk=; b=sFYbyxO4xjOBo3DnE1VDUfpfUD3YgC3MlYZalhZJkcppFouoZSQKXOgAY32KGERzYm ijXioFLn4ekyoR3OlvgoPeiGNgvot8x9vVpBAM4bUvAkfzITdN15VJtcjNytMsTwvNkA 5zBUHzNH4AhX5eaxI4F11sk0/LJ7kPrUnyojWP58OyWjpL1DQVx7oCQoV2xusw0EOgim mPRJOXyZqIUhEpWx2CZvITCCGWChdgIH0cM3gljsWgDhJyAgoCL+9A/VqhCrXMbTPjtJ y/UYztlMv3lGTh8BwiEcJOVelc1R9/jn/AKMxEoO6Fkx/GRwAsmGD2lt586xaNhGTfZK kzAQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=YAege7UO49FaWYoGFKUeghS9gkV/JFFdrW6VACHC+pk=; b=pYmP7XbeCCnd66CrDB1zcoznuJmTkM6ezdinXhH4zhA/EE/4HMzMYn5L1NePHXpLCT kMrhi5MRV9+6LeyRh1HeN1W0JYvGNaJ4e4B/h0TlT46WfKOFBUcHg6H3739V+OwKNnr1 ta3x3rcGDoOnoQOZZA4Fy3NkXX+Rz2pCTGyGn9dWMhEUxP1lH49fJA+Gm8Tbp6hxxqPY mWo0ntISyNlZv/otro7vQwCrxJBVllhGvJVfkrgVGV/QW/uZeVbMQdON5VGFwOESORhT d89Uo9FRfXpjPHOKy9MZxOYSkm/cgdl7xFJh3iRsfNXXy/ND36+RHP2T3MCqPQSCoa+A gisg==
X-Gm-Message-State: APf1xPDLMwT1ynMcEkiqd6w87HXzNTbEKQQNagQai3w0341iCiTUvHIX 0xRy0XeIm+o0DhSUC/INfWGfGXuRCvrnulaPoKri6/oiFNU=
X-Google-Smtp-Source: AH8x224KwPkzXZ3XSzh6FC17YZR36CaqDzHRUg1EVefxmP/C41d4tf26TE+z3Bd4L97eWjd5PTTaa4FUGm/XGWY6ZVI=
X-Received: by 10.159.62.13 with SMTP id o13mr2475315uai.83.1518554803916; Tue, 13 Feb 2018 12:46:43 -0800 (PST)
MIME-Version: 1.0
Received: by 10.31.161.142 with HTTP; Tue, 13 Feb 2018 12:46:23 -0800 (PST)
In-Reply-To: <5acebff2-364c-45f2-c92a-992ba88f47ef@cs.tcd.ie>
References: <151833965150.17077.13014329219354900316@ietfa.amsl.com> <f3712b9f-f7dd-27b1-a9aa-3c7fceb1008e@cs.tcd.ie> <1a280595-e04d-33af-2cfc-454563131481@alvestrand.no> <5acebff2-364c-45f2-c92a-992ba88f47ef@cs.tcd.ie>
From: Justin Uberti <juberti@google.com>
Date: Tue, 13 Feb 2018 12:46:23 -0800
Message-ID: <CAOJ7v-1-W+AKe2nF02m+O8iDovioB4vDdwviNKgOmrLUCxjxiQ@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Harald Alvestrand <harald@alvestrand.no>, RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="089e08245728a9c6e805651e1784"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/BRugWgmwdwH9IrZjzafWyTu7jSo>
Subject: Re: [rtcweb] I-D Action: draft-ietf-rtcweb-ip-handling-05.txt
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Feb 2018 20:46:55 -0000
On Mon, Feb 12, 2018 at 3:12 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > Hiya, > > On 12/02/18 09:26, Harald Alvestrand wrote: > > Den 12. feb. 2018 00:24, skrev Stephen Farrell: > >> > >> I forget if this was explicitly discussed before. Apologies if > >> it was. > >> > >> I consider the following text ridiculous: > >> > >> "Mode 1 MUST only be used when user consent has > >> been provided;" > >> > >> The reason is that it is not possible for all WebRTC users to > >> ever provide real consent to something dealing with which IP > >> addresses are used in ICE. So assuming consent is just BS, as > >> people cannot provide consent to something they do not understand. > >> (And that won't be explained by their systems or s/w.) > >> > >> For me, that means that this draft will appear pretty much as a > >> fig leaf, intended by us technologists to allow us to pretend > >> we're doing the right thing, when we're not. I think that's not > >> really that useful. > >> > >> Is it really too late to try fix the concept of consent that's > >> (ab)used in WebRTC? > > > > I'm sorry, but I don't agree with you on this point. > > Fair enough. > > > > > The decision to go for these modes was based on the theory that if the > > user has already consented to the near-perfect tracking abilities that > > are implicit in offering a video stream (tracking camera defects, for > > instance), and all the information that can be gleaned from a live audio > > stream, then the idea of protecting the user against tracking by > > restricting access to his IP addresses became of so little value that it > > was moot and was worth trading away for better performance of the > > functions the user asked for. > > I understand that logic. It does however seem to have caused > issues for at least some people who don't agree that the this > leakage is moot. I'm not claiming that all such claims are > well founded, but I think at least some are. > So this document tries to address two sets of issues: a) leakage in contexts when the user is not intentionally using a WebRTC application b) leakage in contexts when the user is intentionally using a WebRTC application The 'consent' discussion is focused around a), with the result being that the ISP address will not be provided when using a VPN unless the user has consented to use of their camera. The WG went back and forth and came to a rough consensus on this being a reasonable solution to the problem. However, b) is also discussed in the document, and browsers could implement their own local policy, e.g., their own default or perhaps a preference to exclusively use Mode 2, regardless of webcam consent. Such an approach wouldn't provide as much nuance as your suggested per-interface permission list, but there already are examples of this (various browser extensions that set the ip-handling mode), and I think we can all admit that asking OSes to indicate which interfaces are OK to use for ICE would be a long-term project. If it would help, I could rework the section around the recommended defaults to make it clear that users or browsers could choose not to use Mode 1, and/or discuss the defaults and how they relate to a)/b) above. > > > > Explanations about what the IP address is for and how it is used doesn't > > matter in this argument. The point is that the user has already agreed > > to a degree of invasion of privacy that a) is perfectly understandable, > > and b) is of significantly more significance than what's being discussed > > here. > > > > Unfortunately the way in which documents depend on each other, and the > > degree to which it's desirable to have each area of concern be described > > on its own, make it hard to state this in the document as explicitly as > > I do when discussing it. > > > > This thread re-raises an issue that has been hashed over many times, and > > I believe the current draft represents the (rough) consensus of the WG > > on this matter. > > I'm willing to accept that I'm in the rough in terms of how > the WG is using the term "consent." > > Nonetheless, if the term can be avoided here, then I still > think that'd be an improvement. > > > > >> > >> Even if so, I don't see any reason to make it worse, via this > >> draft, and especially via the quoted text above, so I'd argue > >> that we ought get rid of that concept from this draft. > >> > >> FWIW, I reckon, if implementers liked it, that there is a > >> better answer here which is to provide an interface (API and/or > >> UI) that allows selected interfaces to be omitted from ICE. > > > > We have that API offered in Javascript already. It's called "skipping > > the candidates". But JS API surface helps the JS provider defend against > > other attackers; it has no benefit when the JS provider *is* the > attacker. > > Right - I wasn't suggesting a JS API but rather one such as > you describe below... > > > > > Non-JS-visible APIs discussed have included the ability to specify > > "corporate" TURN servers in browser configs and requiring that these be > > used. These are typically out of scope for standards; I haven't seen > > anything published on whether or not those have been implemented. > > Nor have I. I agree that specifying such an API in this draft > wouldn't be right. I don't agree that such an interface ought > be out of scope for standardisation, but do agree that figuring > out where to define one could be tricky. > > The interface I have in mind for this case would be something > that'd allow e.g. an operating system UI to state that "tun0 > isn't to be used for ICE until I say otherwise" or that'd > allow a VPN client application to call a browser-specific API > of some sort to do the same. I guess even a browser command > line argument could help some - then the folks who care about > this issue could then have a different icon/button/whatever > for starting a browser for webrtc-without-tun0 or whatever. > > What this draft could do however, is get rid of the idea of > consent, and define the modes as involving all addresses > except those that are omitted due to local policy, e.g. if > such an interface exists and has been used. > > Lastly - the above is only worthwhile if implementers were > likely to provide some way to omit addresses/interfaces > from ICE - if WebRTC clients just weren't ever going to offer > any way to e.g. omit tun0, then there'd be no point in > talking about that. If it was something that could be done > now or in future, then it'd be good to talk about it here > though. > > And FWIW, I still consider talk of user consent for ICE as > ridiculous:-) > > Cheers, > S. > > > > >> > >> S. > >> > >> On 11/02/18 09:00, internet-drafts@ietf.org wrote: > >>> > >>> A New Internet-Draft is available from the on-line Internet-Drafts > directories. > >>> This draft is a work item of the Real-Time Communication in > WEB-browsers WG of the IETF. > >>> > >>> Title : WebRTC IP Address Handling Requirements > >>> Authors : Justin Uberti > >>> Guo-wei Shieh > >>> Filename : draft-ietf-rtcweb-ip-handling-05.txt > >>> Pages : 10 > >>> Date : 2018-02-11 > >>> > >>> Abstract: > >>> This document provides information and requirements for how IP > >>> addresses should be handled by WebRTC implementations. > >>> > >>> > >>> The IETF datatracker status page for this draft is: > >>> https://datatracker.ietf.org/doc/draft-ietf-rtcweb-ip-handling/ > >>> > >>> There are also htmlized versions available at: > >>> https://tools.ietf.org/html/draft-ietf-rtcweb-ip-handling-05 > >>> https://datatracker.ietf.org/doc/html/draft-ietf-rtcweb-ip-handling-05 > >>> > >>> A diff from the previous version is available at: > >>> https://www.ietf.org/rfcdiff?url2=draft-ietf-rtcweb-ip-handling-05 > >>> > >>> > >>> Please note that it may take a couple of minutes from the time of > submission > >>> until the htmlized version and diff are available at tools.ietf.org. > >>> > >>> Internet-Drafts are also available by anonymous FTP at: > >>> ftp://ftp.ietf.org/internet-drafts/ > >>> > >>> _______________________________________________ > >>> rtcweb mailing list > >>> rtcweb@ietf.org > >>> https://www.ietf.org/mailman/listinfo/rtcweb > >>> > >> > >> > >> > >> _______________________________________________ > >> rtcweb mailing list > >> rtcweb@ietf.org > >> https://www.ietf.org/mailman/listinfo/rtcweb > >> > > > > > > -- > PGP key change time for me. > New-ID 7B172BEA; old-ID 805F8DA2 expires Jan 24 2018. > NewWithOld sigs in keyservers. > Sorry if that mucks something up;-) > > _______________________________________________ > rtcweb mailing list > rtcweb@ietf.org > https://www.ietf.org/mailman/listinfo/rtcweb > >
- [rtcweb] I-D Action: draft-ietf-rtcweb-ip-handlin… internet-drafts
- Re: [rtcweb] I-D Action: draft-ietf-rtcweb-ip-han… Stephen Farrell
- Re: [rtcweb] I-D Action: draft-ietf-rtcweb-ip-han… Adam Roach
- Re: [rtcweb] I-D Action: draft-ietf-rtcweb-ip-han… Stephen Farrell
- Re: [rtcweb] I-D Action: draft-ietf-rtcweb-ip-han… Harald Alvestrand
- Re: [rtcweb] I-D Action: draft-ietf-rtcweb-ip-han… Stephen Farrell
- Re: [rtcweb] I-D Action: draft-ietf-rtcweb-ip-han… Justin Uberti
- Re: [rtcweb] I-D Action: draft-ietf-rtcweb-ip-han… Sean Turner
- Re: [rtcweb] I-D Action: draft-ietf-rtcweb-ip-han… Stephen Farrell
- Re: [rtcweb] I-D Action: draft-ietf-rtcweb-ip-han… Justin Uberti