IETF Logo Mail Archive

Re: [rtcweb] Please require user consent for data channels

Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com> Sat, 18 July 2015 09:00 UTC

Return-Path: <sergio.garcia.murillo@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 155A71AD378 for <rtcweb@ietfa.amsl.com>; Sat, 18 Jul 2015 02:00:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.377
X-Spam-Level:
X-Spam-Status: No, score=-0.377 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_24=0.6, MALFORMED_FREEMAIL=0.001, MISSING_HEADERS=1.021, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fPk83HFguWZB for <rtcweb@ietfa.amsl.com>; Sat, 18 Jul 2015 02:00:35 -0700 (PDT)
Received: from mail-wg0-x22e.google.com (mail-wg0-x22e.google.com [IPv6:2a00:1450:400c:c00::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 90C311AD375 for <rtcweb@ietf.org>; Sat, 18 Jul 2015 02:00:35 -0700 (PDT)
Received: by wgbcc4 with SMTP id cc4so4083627wgb.3 for <rtcweb@ietf.org>; Sat, 18 Jul 2015 02:00:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:references:cc:from:message-id:date:user-agent:mime-version :in-reply-to:content-type; bh=+oOGvhq+mUuAoHgAb8S6tlaGkzgIZHQ1o7u9otwhC40=; b=NvODEVLBjE0ohDR9YxVbwSUN7go5BnvI2ffutqNgmEAO3LCdGphWEQPuSRzvxhtENt r0r0YHAZQbtFjiXZwPGqzm4SaHwSunGPn3q6dh8AY1admmVj6rpSzdZyo2yL1w8e/NOP 0ozmqmKbBnIEbWqI2fJOYgB0mlYz/SGbyU5syYNAq6FOeNq4WHk7Eee3k9pGJsqXZI1r OGxsen78ImZEPs8Sx2uaOQzEM+c58TQ1foIBEbC2wn2hrbMlruYFcNQeitPQYtsLC6BO T8VD+11BW7QGKZt+0GUVouou9gHvvEjqENlrVSh/ci871W9JEPz8WITFvhiQi1O2e+H2 5dQQ==
X-Received: by 10.194.100.42 with SMTP id ev10mr35382796wjb.50.1437210034248; Sat, 18 Jul 2015 02:00:34 -0700 (PDT)
Received: from [192.168.0.193] ([95.61.111.78]) by smtp.googlemail.com with ESMTPSA id gb16sm1626266wic.5.2015.07.18.02.00.32 for <rtcweb@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 18 Jul 2015 02:00:33 -0700 (PDT)
References: <CA+65OspMD_PVjk0BXh7t4LtjmFDcDatoeNjFQOO_OVtC-Br+OA@mail.gmail.com> <CAOJ7v-0UBGtP0-atxP7X4OTj-H6Lost5o42aAS65mA6CEqcQsw@mail.gmail.com> <CA+65OsrhXHK+cRAFLCZFt+34vr8eRhj+CN3DgznUBfSwmWYggw@mail.gmail.com> <CAOJ7v-24VCW6kkn7LOLkqZzhYEU0r=nmd_F7Zns1rnyqKN6xAg@mail.gmail.com> <55A95364.2070806@gmail.com> <CAOJ7v-3t9BQabR2e4EHs4G0Sec4sU9DFC2aiSXXYrat+an+RYg@mail.gmail.com> <55A96DA3.1040907@gmail.com> <CAOJ7v-1ui7349NzK6NZNRHPbnHWZajctk4cDgMKqRZSv47EYdA@mail.gmail.com> <55A9860D.8030903@gmail.com> <CAOJ7v-3LGd32rnpFVW_U0s3+iVaJXsL4vt_YAo=cyp6YyOArdw@mail.gmail.com> <55A99148.1040105@gmail.com> <CAOJ7v-1cB47793yH+-mWrdU9rNqX=+HadZpbRf3PezXspqLm1A@mail.gmail.com> <55AA1039.7070403@gmail.com>
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
From: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Message-ID: <55AA15AF.40908@gmail.com>
Date: Sat, 18 Jul 2015 11:00:31 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.0.1
MIME-Version: 1.0
In-Reply-To: <55AA1039.7070403@gmail.com>
Content-Type: multipart/alternative; boundary="------------030001080508050405060004"
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/RdwA50pnHBWzuGolJFRrvhnJYkY>
Subject: Re: [rtcweb] Please require user consent for data channels
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Jul 2015 09:00:37 -0000

On 18/07/2015 10:37, Sergio Garcia Murillo wrote:
> On 18/07/2015 2:19, Justin Uberti wrote:
>>
>> On Fri, Jul 17, 2015 at 4:35 PM, Sergio Garcia Murillo 
>> <sergio.garcia.murillo@gmail.com 
>> <mailto:sergio.garcia.murillo@gmail.com>> wrote:
>>
>>     On 18/07/2015 1:09, Justin Uberti wrote:
>>
>>     Agree, for each HOST candidate, it should send a STUN request to
>>     the turn server from that IP:port. But shouldn't the VPN
>>     configuration prevent the non-VPN-host-candidate STUN request to
>>     be sent via the non-VPN-interface? (i.e. applying default route
>>     based on dest?)
>>
>>
>> Replying to Sergio:
>>
>> Typically with a VPN, the non-VPN interface is locked down so it only 
>> has a single route: to the VPN server. However, split tunnel VPNs 
>> allow the non-VPN interface to route to other addresses (possibly, 
>> for performance reasons), so in this case, the non-VPN-host-candidate 
>> STUN request will be sent successfully from the non-VPN interface.
>>
>> Sometimes this will be desirable: imagine someone working from home 
>> who wants to connect to their corp VPN, but wants to have their video 
>> conferencing traffic not go through the VPN. Sometimes this will not 
>> be desirable, i.e. when the VPN is being used for privacy. This makes 
>> picking a perfect default setting difficult, although we have some 
>> ideas that we are exploring.
>
> Agree, but IMHO in the case of case of split tunnels, shouldn't that 
> issue be solved better if the VPN is configured with the only the 
> routes to the corporate system via the VPN and leave the default route 
> for the non-VPN-interface for all the other traffic?
>
> You know that I am all for fixing connectivity issues in corp networks 
> (my business depends on that!) but in this case I think the privacy of 
> non-WebRTC users that has a VPN configured correctly should be more 
> important than solving the issues of someone willing to do WebRTC but 
> not doing enough to make it work.
>
> Could you share the ideas in the list? As Firefox and Edge might have 
> the same behavior (and issues) I think it could be interesting if we 
> can get to a good common solution and add it to the security draft (if 
> you have not done it already ;)
>

BTW, shouldn't this conversation be crossposted/forwarded to the TRAM 
list as well?

Best regards
Sergio

v2.23.0 | Report a Bug | By Email