IETF Logo Mail Archive

Re: [rtcweb] WGLC for draft-ietf-rtcweb-ip-handling

Justin Uberti <juberti@google.com> Thu, 29 March 2018 22:03 UTC

Return-Path: <juberti@google.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B615E12E893 for <rtcweb@ietfa.amsl.com>; Thu, 29 Mar 2018 15:03:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.009
X-Spam-Level:
X-Spam-Status: No, score=-2.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xTReLNmEyaBR for <rtcweb@ietfa.amsl.com>; Thu, 29 Mar 2018 15:03:14 -0700 (PDT)
Received: from mail-ua0-x22f.google.com (mail-ua0-x22f.google.com [IPv6:2607:f8b0:400c:c08::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69FCB12EAA9 for <rtcweb@ietf.org>; Thu, 29 Mar 2018 15:03:11 -0700 (PDT)
Received: by mail-ua0-x22f.google.com with SMTP id q12so4497366uae.4 for <rtcweb@ietf.org>; Thu, 29 Mar 2018 15:03:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YrGmcgqBNglOJkfCbs9s/eyT0HJYfIAsCLbom4vaeYc=; b=jdGKqX5NaheTciPK5okEMVmjRxLv47sTH7yROMTXGWWME8tO1tOQ1mS/oZ2zseH+22 HbqQsy15Y1nQQmLgIKkhvic3eoh9nRLvKqYULB6MTn/vN8fzjnXX5vI3ZEvBbOCMpwpG a0yw8vb7NqdlD5WrUMbCpqWrNZvaZMzEuRIR8kTrK4NUV6NV9yeraWB8rTAxs2+a3hIv l9f4b/AN446o3qn2iLVR3YAMb1gOfEq4rlA7HOIx3g40YjLe0fxFnw6r6ZD+GGZYbv4M nWMXOkr1yxVY5rRUq/oOiRZF5bhTQ1S9rid8zI6jgQv2sHQ7EEg8I1+q8uljts1pER1p EmQw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YrGmcgqBNglOJkfCbs9s/eyT0HJYfIAsCLbom4vaeYc=; b=ov2kehitccFcG7wUNbPoSCpIb/Zw73fJy1YfpuRcP+uB2OWl3aEp0A4u0tf+XH5nw6 DxiSVN9szWvgEiQKl78Y8fDu/tcb5AHV7/RowNhFd1XjsW18r0wQmK+IsWJxjIhDUiPJ xDy/8EewRxXnuSkM0a0YB/xXNwmymua+yg1TlNmBYo+rzmJ6dtbWLDOUBCDQgNZgZCKC 6eJkes8iZg1a0Enj2YaYTzTUFShMD/CEr+QBL+fxjk4iNgGWMciFBk2/GNAfuHocVUL2 DM80T8xOxpPMEUGXq2lRzhhBs7OjfZ/dxTLx0kVMvsELPQHVTDvAKrmW5Qs9Hj3DDTIh JMIg==
X-Gm-Message-State: AElRT7GOh7ALXYd6KpB/0y8GieQTi959pDo/BJmMjQsYcUj0QK53n0N9 0z0ebKOiH/vbI5Z64xaXzTKtaZbz7xztx1S04Y25AQ==
X-Google-Smtp-Source: AIpwx489eTj2BeSnwJI9edvEx5tsKdxACGRM3PvpVJrFXI1DwBZoKE4D2TCnWgi6/funGm6nDfBbUb2qxa+P12P8Pis=
X-Received: by 10.176.95.93 with SMTP id z29mr6750270uah.87.1522360989944; Thu, 29 Mar 2018 15:03:09 -0700 (PDT)
MIME-Version: 1.0
References: <1D5B431C-801E-4F8C-8026-6BCBB72FF478@sn3rd.com> <63282b84-4493-3fcb-a95f-4afe17d96bb6@cs.tcd.ie> <CAOJ7v-1gTq+EEjb+-q-T-pABBW--rpNGegoj_d2_7f7AKGksCA@mail.gmail.com> <403713b4-31d4-9085-d639-d3f60935ed5a@cs.tcd.ie> <CAOJ7v-0ED-FK=JmSxBJYfM=PCdgY6kmbiq6aFLcP7OXugG07EA@mail.gmail.com> <e6938f7d-542d-736b-0a3d-9269d7dd06e5@cs.tcd.ie> <CAOW+2dv1ORz2tEkgDTvdM1DtgyOdgXqKU30T4QhLAp1NT+rirg@mail.gmail.com>
In-Reply-To: <CAOW+2dv1ORz2tEkgDTvdM1DtgyOdgXqKU30T4QhLAp1NT+rirg@mail.gmail.com>
From: Justin Uberti <juberti@google.com>
Date: Thu, 29 Mar 2018 22:02:58 +0000
Message-ID: <CAOJ7v-0tCcg3FdzyfSJ6Y3JaH-TivFf-Sey6+tD8BANJKsjqtQ@mail.gmail.com>
To: Bernard Aboba <bernard.aboba@gmail.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="f403045fe14c0724770568944a27"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/RnO7f603wxZtZa5_hh-c1U6CEQY>
Subject: Re: [rtcweb] WGLC for draft-ietf-rtcweb-ip-handling
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Mar 2018 22:03:24 -0000

Correct, and I think there are two distinct scenarios being conflated in
this discussion.
1) Web pages who aren't using WebRTC for communication, and therefore don't
call getUserMedia (Bernard's scenario)
2) Web pages who are using WebRTC for communication, and typically do call
getUserMedia.

This document attempts to prevent sites in scenario 1) from having access
to all IP addresses, and I believe does so successfully.

There is of course the question of whether sites in scenario 2) should have
access to all IP addresses. Some observations:
1) This problem is not specific to web browsers. Existing mobile apps
already have access to all IP addresses.
2) The 'right' behavior here is situation-dependent. As an example, should
a user on a VPN send their media traffic over the VPN or not? One can
construct a valid rationale for either position.
3) In the event where specific behavior is desired, this document does
provide specific modes to allow browsers or extensions to select the
desired behavior.

As such, I believe a full treatment of scenario 2 is out of scope of this
document, and the existing options presented in the document are sufficient.


On Thu, Mar 29, 2018 at 2:29 PM Bernard Aboba <bernard.aboba@gmail.com>
wrote:

> Stephen Farrell said:
>
> "So it's all a bit of a fig leaf IMO."
>
> [BA] Correct me if I'm missing something, but there are a class of abusive
> applications that don't even pretend to support realtime communications and
> don't call getUserMedia (probably so as not to give the user an inkling of
> what they are up to).
>
> So while there is some leeway to argue about the meaning of "consent" for
> an application that actually utilizes the WebRTC APIs for communications
> between browsers, there are a class of abusive applications that don't
> fulfill even the most liberal definition of "consent".
>
> On Wed, Mar 7, 2018 at 2:51 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie
> > wrote:
>
>>
>>
>> On 07/03/18 22:35, Justin Uberti wrote:
>> >>> In addition, while gUM consent is given as an example, it is not
>> >> normative.
>> >>>    Mode 1 MUST only be used when user consent has been provided.  The
>> >>>    details of this consent are left to the implementation; one
>> potential
>> >>>    mechanism is to tie this consent to getUserMedia consent.
>> >> Sure. OTOH, IIUC, that is what's done in web browsers so it kind
>> >> of really is normative, in practice. Again, apologies if there
>> >> are other things done in browsers.
>> >>
>> > I believe that the Brave browser uses Mode 4 in its private browsing
>> mode.
>> > https://github.com/brave/browser-laptop/issues/260
>>
>> Interesting, didn't know that and good to see.
>>
>> OTOH, still the vast majority of web browsers will I assume
>> do mode 1 for the vast majority of webrtc calls.
>>
>> So it's a bit of a fig leaf IMO.
>>
>> S.
>>
>>
>>
>> _______________________________________________
>> rtcweb mailing list
>> rtcweb@ietf.org
>> https://www.ietf.org/mailman/listinfo/rtcweb
>>
>>
>

v2.23.0 | Report a Bug | By Email