Re: [rtcweb] ICE exposes 'real' local IP to javascript
Göran Eriksson AP <goran.ap.eriksson@ericsson.com> Mon, 02 February 2015 21:14 UTC
Return-Path: <goran.ap.eriksson@ericsson.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C48991A9073 for <rtcweb@ietfa.amsl.com>; Mon, 2 Feb 2015 13:14:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.9
X-Spam-Level:
X-Spam-Status: No, score=-3.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HL_3j3kWwwhC for <rtcweb@ietfa.amsl.com>; Mon, 2 Feb 2015 13:14:08 -0800 (PST)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 973A31A9068 for <rtcweb@ietf.org>; Mon, 2 Feb 2015 13:13:23 -0800 (PST)
X-AuditID: c1b4fb30-f79106d000001184-26-54cfe8710bc4
Received: from ESESSHC010.ericsson.se (Unknown_Domain [153.88.253.124]) by sesbmg22.ericsson.net (Symantec Mail Security) with SMTP id 73.B5.04484.178EFC45; Mon, 2 Feb 2015 22:13:21 +0100 (CET)
Received: from ESESSMB209.ericsson.se ([169.254.9.22]) by ESESSHC010.ericsson.se ([153.88.183.48]) with mapi id 14.03.0210.002; Mon, 2 Feb 2015 22:13:20 +0100
From: Göran Eriksson AP <goran.ap.eriksson@ericsson.com>
To: Tim Panton <thp@westhawk.co.uk>, public-webrtc <public-webrtc@w3.org>
Thread-Topic: ICE exposes 'real' local IP to javascript
Thread-Index: AQHQPvMv+BxouWAcQ0+2Cl6Uwu5GKJzdnZZA
Date: Mon, 02 Feb 2015 21:13:20 +0000
Message-ID: <532A6DC6F9C115439C41705FF73D13871D1B5F96@ESESSMB209.ericsson.se>
References: <5B986D58-AB56-4976-8F61-4E80110916A2@westhawk.co.uk>
In-Reply-To: <5B986D58-AB56-4976-8F61-4E80110916A2@westhawk.co.uk>
Accept-Language: sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [153.88.183.149]
Content-Type: multipart/alternative; boundary="_000_532A6DC6F9C115439C41705FF73D13871D1B5F96ESESSMB209erics_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFuphkeLIzCtJLcpLzFFi42KZGfG3RrfwxfkQg2+fVSx6Py5htFj7r53d Yt37YywOzB5Llvxk8jg6bz+rx8Vp+5kCmKO4bFJSczLLUov07RK4Mvo3z2ItOFFdcXuRYgPj nIouRk4OCQETiXPNl9khbDGJC/fWs4HYQgJHGCV+H7brYuQCshcxSpy62MUEkmAT8JZoaznM AmKLCHhKPLv2EqyBWcBKYvWHLYwgtrCAmcSvw/1A9RxANeYSn5bIQ5QbSRztnQVWziKgInHn 8RtWEJtXwFfizssb7BB7HSWurHkKNoZTwElizdUTYPWMArIS97/fY4FYJS5x68l8JoibBSSW 7DnPDGGLSrx8/I8VwlaSWHt4O1R9vkRbx2JmiF2CEidnPmGZwCg6C8moWUjKZiEpmwX0AbOA psT6XfoQJYoSU7ofskPYGhKtc+ayI4svYGRfxShanFqclJtuZKSXWpSZXFycn6eXl1qyiREY fQe3/DbYwfjyueMhRgEORiUe3gKF8yFCrIllxZW5hxilOViUxHntjA+FCAmkJ5akZqemFqQW xReV5qQWH2Jk4uCUamCsVIuVbeTOrlp7zdVbcoev6lH3p3oSpi12BTKzjjFfvCoS5PnCQEuQ U429lVuOx8jA2jW+Qly+TMLSpeN5/rd3Ske3KAermbEnscoIaCw4/VHaUYh90rYPjjMmhxX1 ZzlsELimsKUsfo5zSXpIvOIvFaEWc70vfySOLit7ENwwg/2Zv1eQEktxRqKhFnNRcSIATeiK YZ8CAAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/BxUFojx-vM2CVlBBJTPZ8KMHgqs>
Cc: "rtcweb@ietf.org >> rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] ICE exposes 'real' local IP to javascript
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Feb 2015 21:14:14 -0000
From: Tim Panton [mailto:thp@westhawk.co.uk] Sent: den 2 februari 2015 15:17 To: public-webrtc Cc: rtcweb@ietf.org >> rtcweb@ietf.org Subject: ICE exposes 'real' local IP to javascript Firstly- sorry for cross posting - I’m not sure which side of the line this falls. Secondly - if this is covered, please let me know, I don’t recall it cropping up... I’ve been reading worried blogs that WEBRTC in browsers ‘leaks’ the local ‘real’ ip addresses to the javascript. The principle worriers are VPN users e.g https://cryptostorm.org/viewtopic.php?f=50&t=2867&p=13096#p13096 The concern is that this can be done without user notification (DataChannel request) and might be used to identify or finger-print users. Clearly the most vulnerable are Tor users who are on a real routeable IP address or directly on a carrier grade nat (eg android phones etc) where the IP may reveal the identity or location of the user. It seems to me that this concern will be increased in the case of ipv6 deployments (MNOs). Do we need to specify a config option on the browser ‘I’m using a VPN don’t expose my local IP’ Again, sorry if I missed this being hashed to death already. [GAPE:] There are different “challenges” as I see it; a) one to ‘hide’ the information from the involved web sites and peers and b) another from a web site owner perspective, how to safeguard users privacy and security. ‘a’ has been discussed and partly addressed, e.g. in [1] and [2] . For ‘b’, we have Web platform mechanisms CSP [3,4] (and CORS) that the web site admin can use to get help from the UA to do defense-in-depth. Now, I may have missed it but has there been any in-depth discussion about CSP (existing or new directives for the O/A procedure, etc. for as Web site using the WebRTC API nor is there anything mentioned in the latest W3C working draft. Perhaps I’ve missed it- what is the status? Postponed to future work? Göran [1] https://datatracker.ietf.org/doc/draft-ietf-rtcweb-security-arch/ [2] http://tools.ietf.org/html/draft-schwartz-rtcweb-return-04#section-5.3 [3] CSP Level 1.1, http://www.w3.org/TR/CSP/ [4]CSP Level 1.2 (Draft), http://www.w3.org/TR/CSP2/ T Tim Panton - Web/VoIP consultant and implementor www.westhawk.co.uk<http://www.westhawk.co.uk>
- [rtcweb] ICE exposes 'real' local IP to javascript Tim Panton
- Re: [rtcweb] ICE exposes 'real' local IP to javas… Benjamin Schwartz
- Re: [rtcweb] ICE exposes 'real' local IP to javas… richard.vandet
- Re: [rtcweb] ICE exposes 'real' local IP to javas… Göran Eriksson AP
- Re: [rtcweb] ICE exposes 'real' local IP to javas… Bjoern Hoehrmann
- Re: [rtcweb] ICE exposes 'real' local IP to javas… Harald Alvestrand
- Re: [rtcweb] ICE exposes 'real' local IP to javas… Roman Shpount
- Re: [rtcweb] ICE exposes 'real' local IP to javas… Göran Eriksson AP
- Re: [rtcweb] ICE exposes 'real' local IP to javas… Tim Panton new
- Re: [rtcweb] ICE exposes 'real' local IP to javas… 🔓Dan Wing