IETF Logo Mail Archive

Re: [rtcweb] Security implications of host candidates

Harald Alvestrand <harald@alvestrand.no> Tue, 10 July 2018 07:56 UTC

Return-Path: <harald@alvestrand.no>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1BCE130DE0 for <rtcweb@ietfa.amsl.com>; Tue, 10 Jul 2018 00:56:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jCygUFylQ6Ka for <rtcweb@ietfa.amsl.com>; Tue, 10 Jul 2018 00:56:26 -0700 (PDT)
Received: from mork.alvestrand.no (mork.alvestrand.no [158.38.152.117]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B98D1294D0 for <rtcweb@ietf.org>; Tue, 10 Jul 2018 00:56:26 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mork.alvestrand.no (Postfix) with ESMTP id DDFC67C0303 for <rtcweb@ietf.org>; Tue, 10 Jul 2018 09:56:24 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at alvestrand.no
Received: from mork.alvestrand.no ([127.0.0.1]) by localhost (mork.alvestrand.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pDDbTN6b2_IJ for <rtcweb@ietf.org>; Tue, 10 Jul 2018 09:56:17 +0200 (CEST)
Received: from [192.168.8.115] (177-49-11.connect.netcom.no [176.11.49.177]) by mork.alvestrand.no (Postfix) with ESMTPSA id B50387C010D for <rtcweb@ietf.org>; Tue, 10 Jul 2018 09:56:17 +0200 (CEST)
To: rtcweb@ietf.org
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com> <CANN+akZ=Ebw41mA2wEX7-4u6q5WcZbFtM=VMLX4nDK39S=QGOQ@mail.gmail.com> <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com> <0ED74BE5-AC02-44C5-80E1-18532BD3D1FF@westhawk.co.uk> <CAOJ7v-0TGqvp=MUmeEUjYZTcvV37qbYSTV0pFMoi1J0CJQ7Q4A@mail.gmail.com> <CABkgnnXBTC5TERquJPO4dgiAKz037Cm0Omw4YrobtCW=wmGPyQ@mail.gmail.com> <CAOJ7v-0yzvu9POvR4Auokykqc63eju6_CveAzyVpcSd1kkK6Nw@mail.gmail.com> <CABkgnnXL6sdCDt=hjX+7KbP+xYm9jCmgjJNy4CvPPna_0oin=g@mail.gmail.com> <CAOJ7v-33ODGTsmbHEp_U7UdROvuKR7O7bne2_0tX6ivVf-+C5A@mail.gmail.com> <CABkgnnWJM4CE2ZLHYOOd=VYUj7kn5wFMAbeGB1HRyp++nvbPoQ@mail.gmail.com> <CAOJ7v-2WGyHSbSJwgbVVHLs-GO71rMLS2+OTetNyMhb0TM3ZcA@mail.gmail.com> <54EB6378-5DA2-4125-A4F4-84151D0E4F04@apple.com> <CAOJ7v-2dw1coDTpovTrKa__Oak7Jjn5EYgvWtByaRYmxfDDtXw@mail.gmail.com>
From: Harald Alvestrand <harald@alvestrand.no>
Openpgp: preference=signencrypt
Autocrypt: addr=harald@alvestrand.no; prefer-encrypt=mutual; keydata= xsFNBFRpbhYBEADXu8uE7LDQgrEB/zclYiwWRb50FnuJjIdK5Q7t68tSxx+LU8HTfxwOgHo9 vMyQvntoRBOHQZDJzvdAnZj/7vtl9RDfWvhUz+o9jSMyORzrt0kiW2QNICVkOkc0ZbI14Rn8 EjFRinK5m5+PXrng3PwZgK+sQJ1nzUxjE9oGTWClsAEqJw62z7JmzNqaEwAyHoHAZ1JAptSP ak91dUxjueJ2R+rFUBl6ParRZ2de7QKr3rN5Jbu/ikjHsAeTSo0R0BPKbzU23tXXxQ/dADvM V/PZp3hRFmXT7x05Q82O6k6hsGd5fJToBDRrlsC3jwWWhDhFhsWcdYKxFbYUsJVetPrWDtD4 6sjrbsQ+7kWRYgQWvL2EJ0s7QGpLxitopoISUEt0MlCcJhq7ZxiWhGnwM3GgADn+9W+aqwuk Y1tlUbdw0qdHyU0WM0k/yPd/eOghk3PLtlOizg4Q22VqfzNRXd3pwUmVjPYHQS0PwIjzuTEI em03qlVeJ8xn0X9W90E8PEnxZmREZBI90qCcUrxWOywEcLq21eLXurRzwnbY3oi6NxmSedcL xDWFdrVTHfPNNqh8zqXV/z9Ezz+7kSwgRygpG5+/sHfFq/YivoSHJdkL8xDzlNiqYCs8EL4A ipQWlKIuFH1F/pXLmXZlcDExw6aTlAP2rR+rw4Lc7kENZlMMMwARAQABzS9IYXJhbGQgQWx2 ZXN0cmFuZCAoMjAxNCkgPGhhcmFsZEBhbHZlc3RyYW5kLm5vPsLBfgQTAQIAKAUCVO3uHAIb IwUJCWYBgAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQawFW3omifDRKiA/+KtWpGwNa EaMMjxuVhdvMkQ6cS362iWydVbha03TBf/7HM380nO+2/t4S0kiSRtX89bY9lvrjS5oHd0tZ qS14vwBn8ZKbZl+k/NRiFlNNxhBx1PDRni1lfh/lU4xJraKI17h2h9mVJbMGk0kFuLqDUwMc 18mZZcfJEeUxSVUCndFMab4LQWSvRaqcwGrpDXuCxmWzMxtRjZzS2vkNX0oiBO7/NuEdQZL8 /CM3/GTqEd6kqY5Rkddvhr21KqhDyNT0NYRLgQ4yToTRDeXrHkjDD8cIQJhOHSNm6/3tuHB1 Bunxg1If3oEZxZirTGiuNZfBUAuXXJa//wEqhS+28/iQc6RE4bQXh2TyqtHs1mn3VDeKqbp7 lp31FfQ6GVGUaVfKfhg6UPSeczHTKWG3vX5UL7SOLXyaSniuYDkPIV/YR46GFPNhSsQ9YccU 5zAbn8ZhyONwO7524WjhIHgITiPVnCiSIHQKOw0S3+Ns0/5TIUgEc6+M97vsJTxTOqKfPthj xkHckF7VUFzu9ee6IMupJJp1wxVjpPQpJTjUG2aDnWk+E2OArulIjHER2dj0DEiOuqjjwTQH CKfrsWUMIs6TJ9jIKEfOSVOz5opGKLimQaOJ8Y1NYZKOy7fyJjofcC+dkAIpYBRzQTdDXm0A 4eryQBqLSpRldX4rvnU77i2/ryHOwU0EVGluFgEQAK2r1cmzqfJzOIielYx4OGVWlh3TmGdI mPgYI8yx/W8Uyvwknto7Qm5HaBBy9/33usNiovygYLFr7X5U/+ynXClkpAHaPOzS+bMCybpd UsS9Yq/jPmyq0Tlqn6b1tjSjFwysTiUVRS6nHufRlHQEOyxlYAjmePfjJI85g9J3iOa3eY87 +YSlF/rzhPrlvW0yD1YBGBmtuDdRnd4qSof8pcVmiN91QylbnTO5+/VtQtZydk2couaBHkf+ h0eDlJLB7igJ6Ks0ae2UoUNOBv2F1roQ1jZC8yMPScXygmjsoBSuTUirHatyR7AUiCHNymB+ EdhK4Vl+ZVHdCY9l269g5ocw0y6BZofHpqhE9K3RGBWQjWKTXuOk1fVjLfAum3wQqztYEhlD uKZgfEn7reDuzBq4cqzUe7CI6lZwCU7DnA0Dz2vBaqBhrZb7eKfTqmXddNm/dXmPn1nB554N fxWoxb3L8fHXwLgJiBgxLM6OYhJM51PxwW1qoQM1ax6gu+H101uEE4ZZq+s7c301HqwFwGMi SMmn1oJ7/+OquMkYHjeVAhxRE6blcRH2cmqxFSrpHsHgpXMVyWgTZRZsMmQathzCTUWKf5hC EOzwb4rp/UvU1LUHo1uPqbBafW62VB+iUaFp/zOg69Wo8/Z6urM5m+ldiWTbx+ivxKlPQDEA 332dABEBAAHCwWUEGAECAA8FAlRpbhYCGwwFCQlmAYAACgkQawFW3omifDRKhg//eHcjvxcA ENNe66f5R3ULi5pMbrHGLMGirVX9pHTRf5+5OFaGr8bwXeYkCHpptpxr2Kk/PUzpUWOL2uvL lh7QhPw3+GoEWubXOAgHiQW5iIzkA9wYw/nctZ+5veHN7InVqJ7djhtTN7K9Luj4nDR1T7Vf 61zpCKLlEW6W5MAp4slRVzRiFfaMfMYkxLm6MBxC961j8Lrqx2XNMGugaYh1QzcFYTbFmGKX 5SY4EQsETiB0PeE3IBVtXfiabrk8YX2IuL9BrEgD6GngXTd78hUMnZeqjvnS772bjRgwLCz7 Hab6hQESrFCNXfxzb39y5DLHwXtB/HruYqVD48XvPnNV0UNsWcS+7rtPFMmkd3MTvoAOWjkV zeQHpvF71IlwWginXbkf9aR/QsAbMIQDZWhsd+ma67V6g6KH41r6mNXAgK2JlA1CqgblM7iB hl01vL0V5bkbInZq2sB505Hn1DSc4NoP2WHlwe8Bm8vVG5oyfyPw9ReS9WLVY9w7fK4EKOgk VnOsIQuE0WIPT0Ak+hJ0UigOduuCX7s7NIVaOgWQe1q4Xytgj1RHjg9qlA6eQiTUrAx7Mu7s eliWCFuWsQXoaktVEDjoWVbP9dgozanL5kwWh/sJNtHVQbgu3IG4w8D3QvvOE83+jAdzgOzv pqHJkrqlWu+R9ZqBucZLqjQvQZk=
Message-ID: <1d60feec-3a36-2deb-e4a7-703fb7144ed1@alvestrand.no>
Date: Tue, 10 Jul 2018 09:56:17 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <CAOJ7v-2dw1coDTpovTrKa__Oak7Jjn5EYgvWtByaRYmxfDDtXw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------6CEA4822795294E65788B8A8"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/LOdoO-JYMA3nVqcuTfN0XqYenPg>
Subject: Re: [rtcweb] Security implications of host candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2018 07:56:29 -0000

Thoughts:

- If I want to find out that I'm on the same host as another context
that I can communicate with in *any* fashion, I've got lots of games I
can play.

Example: Measure memory pressure, allocate 1 Gbyte in one context,
measure memory pressure again. This works for any measurement that's
available to both contexts and relates to the whole system.
Example: Measure the local clock's skew compared to some reference clock
(NTP-fashion). If the skew is the same down to the nanosecond, same host
is likely.
Example: Allocate any resource that can only be accessed from one
context at a time. Loop, asking for it, in the other context. Release it
in the first context, and check the timing on when the other one gets it.

In general, anything that can potentially be used as a covert channel
can be used more easily to figure out if we're on the same host.

My conclusion: Defending against this attack isn't worth the trouble.
We've already lost.

- Nevertheless, we're finding that the MDNS mode has implications that
we don't perceive fully yet.

My conclusion: This is an additional mode, not a replacement for one of
the other modes. We should continue to specify both.


On 07/10/2018 02:24 AM, Justin Uberti wrote:
>
>
> On Mon, Jul 9, 2018 at 4:35 PM youenn fablet <yfablet@apple.com
> <mailto:yfablet@apple.com>> wrote:
>
>
>     > The reason for the different treatment is that it could be
>     argued that v6 addresses, being already public and unique, don't
>     constitute a new signal. That makes the tradeoff with datachannel
>     impact less clear.
>
>
>     If they are public, cannot they be discovered and exposed as srflx?
>
>
> That's a good point; I had forgotten about NAT64. v6 STUN isn't widely
> deployed, but if we did want to hide NAT64 v6 addresses, we could make
> this work.
>
> However, if we consider NAT64 to be an entirely temporary situation,
> this may not make sense.
>
>
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb


-- 
Surveillance is pervasive. Go Dark.

v2.23.0 | Report a Bug | By Email