IETF Logo Mail Archive

Re: [rtcweb] WGLC for draft-ietf-rtcweb-ip-handling

Balwant Bisht <balwant.bisht@gmail.com> Thu, 29 March 2018 08:29 UTC

Return-Path: <balwant.bisht@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B21F12708C for <rtcweb@ietfa.amsl.com>; Thu, 29 Mar 2018 01:29:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HWSxkFzIe43c for <rtcweb@ietfa.amsl.com>; Thu, 29 Mar 2018 01:29:56 -0700 (PDT)
Received: from mail-wm0-x235.google.com (mail-wm0-x235.google.com [IPv6:2a00:1450:400c:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56B3D1241F3 for <rtcweb@ietf.org>; Thu, 29 Mar 2018 01:29:56 -0700 (PDT)
Received: by mail-wm0-x235.google.com with SMTP id o23so17485534wmf.0 for <rtcweb@ietf.org>; Thu, 29 Mar 2018 01:29:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=nDb2wtDkNIQp3VSdXDgvq+tMuId6Mpzqc68gz/I9s4o=; b=Hermms16+lyg+5NYuuQ4xU9Jy9onWpyMwTMof5E3WkJuuv/npv9AZ/C+nQzzUInofc CNClBnwH0mSi0XGrpH7PzCZzriJwRyZPEE0VvBNMhKlicyxvpRApcehD4Qj3X9YK0gK4 O9BYQjS4eZRQGldj7xiPS1a+nU5Nlx7/p9s+rA5JFxpAXcFUir7WpJqavhGYMNYRNAGa 8r1QbVpJjiJO6AcU7TTV0o9DABMsJzHttskOHh5e6JNXgOVZdKkpO5AoteTP8A7hM5L1 YyKOyuxxIUCZroGks+J11XrsZM4WoFchfoRLeksbdw316PMmrhf0PyOYT+no14zJgwCh 9rEQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=nDb2wtDkNIQp3VSdXDgvq+tMuId6Mpzqc68gz/I9s4o=; b=pRG0u2JVCVYt5A0IprF5595gWzkJUsi2NAjYvAqJQEg/2BGc0ZNSNCPpiLStBZVPHu yfyI4WXF8ksNks5Bc4qr4w+1wH7ueY/KiZPoAXiTlhuv1X12hygqhBhmUJCSEV4UAnIS vnAttam5oinpb3mCEmX3CYX1TZkr6GbaAYrNFJ/zai2TB1uzkc/NaO6Dw/LIL56evxOv PO3LikidtXDP0JPylPUINGvkKzbuOUNqnUw6CerDz+rqj9jw+QfyN8ycgC52ByxAFvKo q2QljZ+xjuU85Mk2Ob1eNVCvwSVM29jXUuhIOIfK0aEncggUvxF3+s+fHt5T5EuMhrMU oGrw==
X-Gm-Message-State: AElRT7GMrlR28jGIWq5xSxikVyJSSvg/OupGyWJyQd+JyDqBsKoMGn6z foAvIYFahz27sUa4lUVCz4c6bKVtNswwnzRJo8k=
X-Google-Smtp-Source: AIpwx48G/HofxBd3brMFlTldaC0f13D7m/iZwGaACqRJqjY3kb6kW8RoNvipSA5eHKj5VSCujhE6513MA9qOn/6dzdY=
X-Received: by 10.80.183.144 with SMTP id h16mr6460959ede.96.1522312194743; Thu, 29 Mar 2018 01:29:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.80.150.3 with HTTP; Thu, 29 Mar 2018 01:29:34 -0700 (PDT)
In-Reply-To: <CAOJ7v-3FhLkEDonvwP7LuCYekbTC9YSeknkzTQxTB6WbvGnWUw@mail.gmail.com>
References: <1D5B431C-801E-4F8C-8026-6BCBB72FF478@sn3rd.com> <8C7113E7-1D06-4FF4-BDD8-9F40E9C94D86@iii.ca> <F313E146-CDAC-4127-8A39-BEA5B8C65327@westhawk.co.uk> <CAOJ7v-3FhLkEDonvwP7LuCYekbTC9YSeknkzTQxTB6WbvGnWUw@mail.gmail.com>
From: Balwant Bisht <balwant.bisht@gmail.com>
Date: Thu, 29 Mar 2018 13:59:34 +0530
Message-ID: <CABZ311Bi_DvX11XE3SB9AFX=9fuPCd7PpUqttzeZAMF-BU-RpQ@mail.gmail.com>
To: Justin Uberti <juberti=40google.com@dmarc.ietf.org>
Cc: Tim Panton <thp@westhawk.co.uk>, RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c0ddf329ae317056888edbf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/MU7B_ZJAZB5QuL9LYJyLarpTwIs>
Subject: Re: [rtcweb] WGLC for draft-ietf-rtcweb-ip-handling
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Mar 2018 08:29:59 -0000

All VPN setup are not for hiding location, but some are setup to allow
remote users to connect to company network. If MCU server is inside VPN and
browser didn't get VPN candidates then its not possible to establish
PeerConnection with MCU. Also linking it with device access is bad, e.g. if
participants joining a webinar and they didn't want to give access to
devices, they will not be able to join at all.



Regards
Balwant Bisht


On Thu, Mar 29, 2018 at 10:09 AM, Justin Uberti <
juberti=40google.com@dmarc.ietf.org> wrote:

> Note that this VPN behavior is not unique to web browsers. Mobile
> applications are free to use whichever interface they prefer without
> needing any additional user permissions.
>
>
> On Wed, Mar 28, 2018 at 7:15 AM westhawk <thp@westhawk.co.uk> wrote:
>
>> I tend to agree with Cullen here, this is an issue. (As I said when I
>> first raised it way back when).
>>
>> It is bad practice to ask a user one (clear) question and the deduce
>> their agreement to some other things that aren’t (at least to the user)
>> related.
>>
>> Conversely an infinite series of questions before each call isn’t going to
>> work either,
>>
>> With that in mind, perhaps we are hanging off the wrong existing consent.
>> Given that the VPN users in question are (in practice) trying to hide
>> their location,
>> perhaps that’s the dialog we should hang off instead.
>>
>> “This page would like to use your location: allow, deny”
>> would also unlock public IP address access.
>>
>> Tim.
>>
>>
>> > On 27 Mar 2018, at 17:57, Cullen Jennings <fluffy@iii.ca> wrote:
>> >
>> > Theses comments are sent as an individual contributor.
>> >
>> > Let me start by saying I think I am in the rough on the consensus of
>> this draft and I expect the draft to be sent to the IESG with no changes.
>> For the record, as I have said at the floor microphone in the past, I don't
>> agree with the draft.
>> >
>> > This draft results in the situation where implementations decide if
>> they should reveal the users location to the website by asking a questions
>> of the form "Will you allow example.com to use your camera?" If the user
>> says that is OK to use their camera, in many cases they have also allowed
>> the website to get their location via the IP address. From a user point of
>> view, I think this is awful, There are many reasons I might allow a website
>> I do not trust to know my location to access my camera - for example, I
>> have a black cover over my camera and the website won't work unless I say
>> yes to this request. Or a webcam worker where the job involves revealing
>> video but revealing the locations they work at may put them at risk of
>> serious harm. Or I am in a domestic abuse shelter and want to have a call
>> but revealing may location puts me at risk of physical harm. I do not think
>> the IETF should in any way endorse this extremely misleading form of
>> consent. It is simply not consent. I realize this would be good for
>> companies that are primary funded by by web advertising for which location
>> is valuable.
>> >
>> > There are several people who's opinion I deeply respect that have
>> looked at this problem in detail. They somewhat agree the above is a
>> problem, but they argue it is better than any alternative design. I
>> disagree with this.The root of the problem we are trying to solve with this
>> draft is that some VPNs are configured to send some packets over the VPN
>> while at the same time some other packets are not sent over the VPN. If you
>> use a VPN configured like this to try and hide your location, WebRTC can
>> end up sending packets not over the VPN and that can reveal your location.
>> I think the right solution to this problem is to acknowledge this is a VPN
>> problem, not a WebRTC problem. If you are using a VPN to hide your
>> location, do not allow that VPN to send packets outside the VPN. I will
>> note most VPNs support this.
>> >
>> > John Morris words from [1], more or less sum up about how I feel about
>> this - just reverse W3C and IETF.
>> >
>> >    "By not actually building privacy into the specification, the W3C has
>> >    both missed a significant opportunity to improve user privacy on the
>> >    Web, and it has harmed the efforts of another standards body -- the
>> >    IETF -- to protect location privacy and to improve the privacy
>> >    paradigm for Internet services."
>> >
>> > From a process point of view: 1) I have had time to express this
>> opinion in the rtcweb WG meetings and it has been discussed. My read of the
>> consensus in the room is that I am in the rough on this topic  2) I don't
>> think the rtcweb WG is the WG in the IETF with the most expertise in VPNs
>> >
>> > Thanks, Cullen
>> >
>> >
>> > As FYI, the actual questions that are asked by today's browsers are
>> roughly the following:
>> >
>> > In firefox: "Will you allow webrtc.github.io to use your camera?"
>> >
>> > In chrome: "webrtc.github.io wants to use your camera"
>> >
>> > In safari: "Allow webrtc.github.io to use your camera?"
>> >
>> > In edge: "Let webrtc.github.io use your webcam?”
>> >
>> >
>> > [1] https://lists.w3.org/Archives/Public/public-geolocation/
>> 2009Jul/0020.html
>> >
>> >
>> >
>> >> On Mar 7, 2018, at 7:49 PM, Sean Turner <sean@sn3rd.com> wrote:
>> >>
>> >> All,
>> >>
>> >> This is the WGLC for the "WebRTC IP Address Handling Requirements”
>> draft available @ https://datatracker.ietf.org/doc/draft-ietf-rtcweb-ip-
>> handling/.  Please review the draft and send your comments to this list
>> by 2359UTC on 30 March 30 2017.
>> >>
>> >> Thanks,
>> >> C/T/S
>> >> _______________________________________________
>> >> rtcweb mailing list
>> >> rtcweb@ietf.org
>> >> https://www.ietf.org/mailman/listinfo/rtcweb
>> >
>> > _______________________________________________
>> > rtcweb mailing list
>> > rtcweb@ietf.org
>> > https://www.ietf.org/mailman/listinfo/rtcweb
>>
>> _______________________________________________
>> rtcweb mailing list
>> rtcweb@ietf.org
>> https://www.ietf.org/mailman/listinfo/rtcweb
>>
>
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb
>
>

v2.23.0 | Report a Bug | By Email