Re: [rtcweb] Please require user consent for data channels

[Tim Panton <thp@westhawk.co.uk>]

> On 18 Jul 2015, at 00:41, Martin Thomson <martin.thomson@gmail.com <mailto:martin.thomson@gmail.com>> wrote:
> 
> 
> On Jul 17, 2015 4:35 PM, "Iñaki Baz Castillo" <ibc@aliax.net <mailto:ibc@aliax.net>> wrote:
> > What I understand is that the browser should bind on 0.0.0.0 (or ::0)
> > and send the STUN/TURN request,
> 
> That works most of the time, but it is a cheat. What Chrome and Firefox do - bind to reach local interface separately - is the only reliable way to do this. If you bind to 0.0.0.0, you can't handle multiple interfaces correctly, and that reduces the odds of completing ICE with the best result.
> 
> 

Gulp. Whilst I mostly see the logic - it is wholly unexpected behaviour to the average sys admin. 
Certainly not what I expected.

It strikes me that binding to all interfaces might well give a vector for attackers to map out a company’s internal networks.
It also may restrict the user’s ability to manipulate which medium is used. 

E.g. I’m at home and my chromebook pixel (or firefox tablet) is on wifi, but I’ve left LTE enabled.
I (or the OS) is configured to prefer wifi wen available - but it happens that for a specific peer LTE completes first.
So now my video call goes over LTE without my say-so and with no hint this is happening  - costing me real
money. My only option is to completely disable LTE when I get home  (and lose SMS too) ?

Perhaps we should default to binding to 0.0.0.0 and allow a user config’d preference for more exhaustive searching.

Tim.

> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org <mailto:rtcweb@ietf.org>
> https://www.ietf.org/mailman/listinfo/rtcweb

Tim Panton - Web/VoIP consultant and implementor
www.westhawk.co.uk <http://www.westhawk.co.uk/>