IETF Logo Mail Archive

Re: [rtcweb] Please require user consent for data channels

Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com> Sun, 12 July 2015 08:49 UTC

Return-Path: <sergio.garcia.murillo@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1AAB1A8739 for <rtcweb@ietfa.amsl.com>; Sun, 12 Jul 2015 01:49:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wHMsDYYfyFQW for <rtcweb@ietfa.amsl.com>; Sun, 12 Jul 2015 01:49:30 -0700 (PDT)
Received: from mail-wg0-x233.google.com (mail-wg0-x233.google.com [IPv6:2a00:1450:400c:c00::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E88661A702D for <rtcweb@ietf.org>; Sun, 12 Jul 2015 01:49:29 -0700 (PDT)
Received: by wgkl9 with SMTP id l9so5817956wgk.1 for <rtcweb@ietf.org>; Sun, 12 Jul 2015 01:49:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-type:content-transfer-encoding; bh=0SoOUvQLSTVjykbPSECtbf7hHNg+ODqVEv5htxKgBSQ=; b=NgvsPVBO7IiHtOhVh5lZHrLFkBmOr7ObzPs0VesNlGrTsr7duJR+oSWJuEqt5FHDfI ULKAB+jiSPTqlxfcdO/ayPOuWOwgKbbkP7jq87PP49rwpVqm4oSInZQm+0gfCoGRbFvp 4E5guQKYXmMWjHc8oMSpOuSkq6E+VqTkJywc8gOqPFrDrYKq3sLGB/m6Sr9tUJf791qU 2uM40Fmpp+6/jfDyZQziUMrUGE/dullBwPfrkuwxLnIIcjK7ljORqPY9gXde2vqQF3W+ SLtrd8LUK14N4mn0td+vy5tS6UVCSyrQ43k+j6n9ko4yNqhIfb+oO1vIUqekLR8i91pb qGvA==
X-Received: by 10.194.250.69 with SMTP id za5mr21230227wjc.90.1436690968682; Sun, 12 Jul 2015 01:49:28 -0700 (PDT)
Received: from [192.168.0.193] ([95.61.111.78]) by smtp.googlemail.com with ESMTPSA id ck7sm22166178wjc.43.2015.07.12.01.49.27 for <rtcweb@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 12 Jul 2015 01:49:27 -0700 (PDT)
To: rtcweb@ietf.org
References: <CA+65OspMD_PVjk0BXh7t4LtjmFDcDatoeNjFQOO_OVtC-Br+OA@mail.gmail.com>
From: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Message-ID: <55A22A1B.4000202@gmail.com>
Date: Sun, 12 Jul 2015 10:49:31 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.0.1
MIME-Version: 1.0
In-Reply-To: <CA+65OspMD_PVjk0BXh7t4LtjmFDcDatoeNjFQOO_OVtC-Br+OA@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/FpGreH3bG0tnZGJCUFC8t3F4zg0>
Subject: Re: [rtcweb] Please require user consent for data channels
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Jul 2015 08:49:32 -0000

Hi,

While acknowledging that there might be a potential privacy issue, I 
don't think agree on your analysis on the issue that you have made nor 
your proposal.

The information available in the ICE gathering process and made 
available to the JS app is the following:

-Host candidates, mostly private IP addresses
-Server reflexive candidates, exposing the public IP address as shown by 
the TURN/STUN server
-Relay candidates, hosted by the TURN server

My understanding of the issue is that the leak happens when the 
application is able to retrieve information not already available to it.
That happens either when the user is using a VPN and have multiple 
public IP addresses or using an external PROXY so the http/ws connection 
have a different originator public IP address. AFAIK there should be no 
potential danger in leaking the private IP4 addresses (here you got 
mine, in case you are interested 127.0.0.1 and 192.168.64.2 ;). I have 
not much background on IPv6, so please complete any missing info and how 
would it affect here.

I don't think it is a good idea to tight the solution of requesting user 
permission, to not leak IP information, as theoretically a user could be 
interested in using webrtc (audio/video/datachannels) and still don't 
disclose their public IP address (i.e. forcing all the data to go via a 
TURN server).

One possible solution would be that the browser don't gather/announce 
host&reflexive candidates when an HTTP proxy is set, and only use turn 
relay candidates instead. The second solution (which I think it is 
already discussed somewhere else) would be to allow the user to 
configure a TURN server to override the app settings and force all 
connection to go through it. (Then build a chained-TURN infrastructure 
into TOR and you could have a killer combo ;)

Regarding the issue that the browser becomes a CDN peer, not sure if 
anyone has ever raised the issue before. From my point of view, there is 
not, but in any case, I think it is orthogonal to the leak issue.

Best regards
Sergio



On 11/07/2015 18:42, Daniel Roesler wrote:
> Howdy all, this is mostly a re-surfacing of the discussion about IP
> address leaking back in April[1], which unfortunately I did not
> discover until recently.
>
> One of the items in the new proposal was "WebRTC already requires
> permission to access getUserMedia. Why not use that permission to
> control interface enumeration?" That item didn't really get discussed
> much in the thread, but I think it's one of the most important issues.
>
> Why? There is now a documented case where a third party on nytimes.com
> is using a fake webRTC datachannel to silently gather user local (and
> potentially "real" ISP) IP addresses.
>
> https://twitter.com/incloud/status/619624021123010560
>
> So I'd like to voice my support for adding a consent requirement that
> would prevent this type of silent behavior. A user that is
> purposefully visiting a site that has a legitimate reason for using a
> webRTC data channel will have the necessary context to give consent,
> just like they have to get consent on getUserMedia.
>
> I'm really unclear on why it's so important to have the silent webRTC
> data channel behavior. P2P data connections should be held to the same
> consent requirements just like P2P video and voice connections. In
> addition to the silent third party local IP tracking, a silent P2P
> data channel opens up users to silently becoming nodes in a web-based
> file sharing network. For example, webtorrent[2] can be silently
> embedded on a website so that all of the users to that website start
> seeding content they don't know they are seeding.
>
> Possible fix:
>
> 1. Require user consent before calling the callback on createOffer().
> 2. If the user has already given consent via getUserMedia, the user
> consent requirement is satisfied.
> 3. If there's no previous gUM consent, then ask the user for consent.
>
> This implementation requires no updates to current webRTC demos, since
> you have to wait for a callback on createOffer anyway. I'm open to
> other ways, such as making createDataChannel asynchronous like gUM,
> but that would require updates to existing apps that use
> createDataChannel.
>
> Thanks!
> Daniel Roesler
>
> [1]: https://www.ietf.org/mail-archive/web/rtcweb/current/msg14494.htm
> [2]: https://github.com/feross/webtorrent
>
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb

v2.23.0 | Report a Bug | By Email