Re: [rtcweb] Please require user consent for data channels
Randell Jesup <randell-ietf@jesup.org> Thu, 30 July 2015 06:33 UTC
Return-Path: <randell-ietf@jesup.org>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AEEA1A7008 for <rtcweb@ietfa.amsl.com>; Wed, 29 Jul 2015 23:33:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level:
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qGfaL9KY2ATm for <rtcweb@ietfa.amsl.com>; Wed, 29 Jul 2015 23:33:00 -0700 (PDT)
Received: from ar-005-i191.relay.mailchannels.net (ar-005-i191.relay.mailchannels.net [162.253.144.73]) by ietfa.amsl.com (Postfix) with ESMTP id AA67C1A7005 for <rtcweb@ietf.org>; Wed, 29 Jul 2015 23:32:59 -0700 (PDT)
X-Sender-Id: wwwh|x-authuser|randell@jesup.org
Received: from r2-chicago.webserversystems.com (ip-10-229-11-165.us-west-2.compute.internal [10.229.11.165]) by relay.mailchannels.net (Postfix) with ESMTPA id 752DD120947 for <rtcweb@ietf.org>; Thu, 30 Jul 2015 06:32:57 +0000 (UTC)
X-Sender-Id: wwwh|x-authuser|randell@jesup.org
Received: from r2-chicago.webserversystems.com (r2-chicago.webserversystems.com [10.251.34.29]) (using TLSv1 with cipher DHE-RSA-AES256-SHA) by 0.0.0.0:2500 (trex/5.5.1); Thu, 30 Jul 2015 06:32:57 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: wwwh|x-authuser|randell@jesup.org
X-MailChannels-Auth-Id: wwwh
X-MC-Loop-Signature: 1438237977668:1014322427
X-MC-Ingress-Time: 1438237977668
Received: from pool-108-36-235-74.phlapa.fios.verizon.net ([108.36.235.74]:63010 helo=[192.168.1.12]) by r2-chicago.webserversystems.com with esmtpsa (TLSv1:DHE-RSA-AES128-SHA:128) (Exim 4.85) (envelope-from <randell-ietf@jesup.org>) id 1ZKhOh-0004dh-7T for rtcweb@ietf.org; Thu, 30 Jul 2015 01:32:55 -0500
Message-ID: <55B9C503.4050807@jesup.org>
Date: Thu, 30 Jul 2015 02:32:35 -0400
From: Randell Jesup <randell-ietf@jesup.org>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: rtcweb@ietf.org
References: <CA+65OspMD_PVjk0BXh7t4LtjmFDcDatoeNjFQOO_OVtC-Br+OA@mail.gmail.com>
In-Reply-To: <CA+65OspMD_PVjk0BXh7t4LtjmFDcDatoeNjFQOO_OVtC-Br+OA@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AuthUser: randell@jesup.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/U8mTA3120M1VkVRnwe8II8jaHdU>
Subject: Re: [rtcweb] Please require user consent for data channels
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2015 06:33:02 -0000
Note: responding to an older message. Also, Mozilla is planning to land a number of optional controls for ICE candidate generation and TURN server use. We also plan to add hooks that extensions can use to prompt (depending on circumstance) or monitor 'background' use of PeerConnections (without user-granted permission). On 7/11/2015 12:42 PM, Daniel Roesler wrote: > One of the items in the new proposal was "WebRTC already requires > permission to access getUserMedia. Why not use that permission to > control interface enumeration?" That item didn't really get discussed > much in the thread, but I think it's one of the most important issues. In addition to Kaufman's answer, I'll add that this would effectively make WebRTC unusable for users - and/or would destroy the utility of camera access requests (and WebRTC), due to user request-fatigue. (If you ask a user for permission too many times, especially for something they asked to do and the question is about something they don't really understand, they either a) always hit yes regardless of the question, or b) stop using the feature entirely, because it's too annoying.) Even camera-access requests are arguably a problem - but the alternative (granting permanent permission by default) is itself problematic. > Why? There is now a documented case where a third party on nytimes.com > is using a fake webRTC datachannel to silently gather user local (and > potentially "real" ISP) IP addresses. Sure, and gathering those for normal users is already trivially possible *without* webrtc - external IP's are trivial: whatismyipaddress.com, and for LAN addresses you can infer the LAN address with high probability by trying to load images from likely gateway addresses (192.168.0.1/192.168.1.1/10.0.0.1/etc) to find the likely subnet, and then scan the subnet using the same trick, recording the time-to-fail for each. That will map the entire list of devices on the LAN, and you may be able to infer from it which address is yours (probably the fastest failure). Note the LAN map itself is often a larger fingerprint reveal than the LAN IP address alone. And yes, I've seen real examples of these tricks. The case this doesn't directly cover fully is the "partial VPN" case, where someone has a VPN, but *also* still allows routing out directly without going through the VPN. This is already hugely risky if you're trying to maintain anonymity - it's a false sense of security. However it is at least a real concern, as is the "hiding at a shelter" case discussed a long time ago, where the issue is exposing external IP's to a remote caller (not to the service provider or STUN/TURN server). I will note that there are many ways someone can find your external IP address unless you're very paranoid and careful (never load images in email, etc). > So I'd like to voice my support for adding a consent requirement that > would prevent this type of silent behavior. A user that is > purposefully visiting a site that has a legitimate reason for using a > webRTC data channel will have the necessary context to give consent, > just like they have to get consent on getUserMedia. You could disable DataChannels and have the same problem, note - this would have to apply to all PeerConnections (think of a call with offerToReceiveAudio - no gUM request would be made). > I'm really unclear on why it's so important to have the silent webRTC > data channel behavior. P2P data connections should be held to the same > consent requirements just like P2P video and voice connections. They are. > In addition to the silent third party local IP tracking, a silent P2P > data channel opens up users to silently becoming nodes in a web-based > file sharing network. For example, webtorrent[2] can be silently > embedded on a website so that all of the users to that website start > seeding content they don't know they are seeding. Note we don't require permissions to open WebSockets either. While those don't allow P2P access, downloaded JS can use your CPU for bitcoin mining (though not efficiently yet), SETI searches, can store data and serve it back to the same (or other) servers, etc. > 1. Require user consent before calling the callback on createOffer(). > 2. If the user has already given consent via getUserMedia, the user > consent requirement is satisfied. > 3. If there's no previous gUM consent, then ask the user for consent. This could be done technically, and would cover the offerToReceiveAudio/Video case. And there are still ways this could be abused, though not as easily. It would cause people using WebRTC for the advantages DataChannels has over WebSockets to be annoyed (such as games). Anything that benefits from UDP-like semantics has cause to use WebRTC/DataChannels, even if it's just talking directly to the server, and this would put a huge roadblock in the face of such utility. Web-based games are starting to make use of DataChannels, and this would be a real problem for them. Working around this for access back to the server would require some variant of CORS (to bypass the request if it's back to the same origin you loaded the page from - and that means you'd make it trivial again for the site to find your IPs, which was the reason this was brought up). So that's not really useful. One thing that *could* be done is to create an option to force such requests; we can debate what the visibility of such an option should be, and what the defaults should be - but a designed-in option opens the door for trivial extensions to change the or to provide UI to expose it (either in prefs or in main browser chrome or in a modal popup). We could also flip the pref by default in private browsing mode, though that might require in-browser UI since random sites may trigger it. Speaking to the non-fingerprinting aspects of this which had previously been discussed: I understand your concerns, however the IP address exposure and LAN exposure is a red herring (and even more so in IPV6 world), except for the "I'm hiding" cases (poorly-configured VPN hiding or hiding from another user of the service). We do surface the ability to not only know what PeerConnections are in use, but also that have been in use, so you can vet if sites are actually making connections. Right now it doesn't list unconnected PeerConnections (used for IP address harvesting), but it could. One could also provide some sort of semi-persistent indicator of such background usage without requiring the user to interact with it. (See the hooks I mention at the top of this post.) -- Randell Jesup -- rjesup a t mozilla d o t com Please please please don't emailrandell-ietf@jesup.org! Way too much spam
- [rtcweb] Please require user consent for data cha… Daniel Roesler
- Re: [rtcweb] Please require user consent for data… Matthew Kaufman
- Re: [rtcweb] Please require user consent for data… Sergio Garcia Murillo
- Re: [rtcweb] Please require user consent for data… Daniel Roesler
- Re: [rtcweb] Please require user consent for data… Lorenzo Miniero
- Re: [rtcweb] Please require user consent for data… Michael Tuexen
- Re: [rtcweb] Please require user consent for data… tim panton
- Re: [rtcweb] Please require user consent for data… Bernard Aboba
- Re: [rtcweb] Please require user consent for data… Matthew Kaufman
- Re: [rtcweb] Please require user consent for data… Timothy B. Terriberry
- Re: [rtcweb] Please require user consent for data… Victor Pascual Avila
- Re: [rtcweb] Please require user consent for data… Daniel Roesler
- Re: [rtcweb] Please require user consent for data… Eric Rescorla
- Re: [rtcweb] Please require user consent for data… Justin Uberti
- Re: [rtcweb] Please require user consent for data… Daniel Roesler
- Re: [rtcweb] Please require user consent for data… Justin Uberti
- Re: [rtcweb] Please require user consent for data… Sergio Garcia Murillo
- Re: [rtcweb] Please require user consent for data… Daniel Roesler
- Re: [rtcweb] Please require user consent for data… Justin Uberti
- Re: [rtcweb] Please require user consent for data… Stephen Farrell
- Re: [rtcweb] Please require user consent for data… Sergio Garcia Murillo
- Re: [rtcweb] Please require user consent for data… Justin Uberti
- Re: [rtcweb] Please require user consent for data… Sergio Garcia Murillo
- Re: [rtcweb] Please require user consent for data… Justin Uberti
- Re: [rtcweb] Please require user consent for data… Iñaki Baz Castillo
- Re: [rtcweb] Please require user consent for data… Iñaki Baz Castillo
- Re: [rtcweb] Please require user consent for data… Sergio Garcia Murillo
- Re: [rtcweb] Please require user consent for data… Martin Thomson
- Re: [rtcweb] Please require user consent for data… Martin Thomson
- Re: [rtcweb] Please require user consent for data… Iñaki Baz Castillo
- Re: [rtcweb] Please require user consent for data… Justin Uberti
- Re: [rtcweb] Please require user consent for data… Martin Thomson
- Re: [rtcweb] Please require user consent for data… Harald Alvestrand
- Re: [rtcweb] Please require user consent for data… Sergio Garcia Murillo
- Re: [rtcweb] Please require user consent for data… Sergio Garcia Murillo
- Re: [rtcweb] Please require user consent for data… Iñaki Baz Castillo
- Re: [rtcweb] Please require user consent for data… Iñaki Baz Castillo
- Re: [rtcweb] Please require user consent for data… Roman Shpount
- Re: [rtcweb] Please require user consent for data… Iñaki Baz Castillo
- Re: [rtcweb] Please require user consent for data… Simon Perreault
- Re: [rtcweb] Please require user consent for data… Tirumaleswar Reddy (tireddy)
- Re: [rtcweb] Please require user consent for data… Harald Alvestrand
- Re: [rtcweb] Please require user consent for data… Sergio Garcia Murillo
- Re: [rtcweb] Please require user consent for data… Iñaki Baz Castillo
- Re: [rtcweb] Please require user consent for data… Tim Panton
- Re: [rtcweb] Please require user consent for data… Simon Perreault
- Re: [rtcweb] Please require user consent for data… Tim Panton
- Re: [rtcweb] Please require user consent for data… Iñaki Baz Castillo
- Re: [rtcweb] Please require user consent for data… Simon Perreault
- Re: [rtcweb] Please require user consent for data… Simon Perreault
- Re: [rtcweb] Please require user consent for data… Iñaki Baz Castillo
- Re: [rtcweb] Please require user consent for data… Tim Panton
- Re: [rtcweb] Please require user consent for data… Iñaki Baz Castillo
- Re: [rtcweb] Please require user consent for data… Iñaki Baz Castillo
- Re: [rtcweb] Please require user consent for data… Simon Perreault
- Re: [rtcweb] Please require user consent for data… Daniel Roesler
- Re: [rtcweb] Please require user consent for data… Iñaki Baz Castillo
- Re: [rtcweb] Please require user consent for data… Iñaki Baz Castillo
- Re: [rtcweb] Please require user consent for data… Simon Perreault
- Re: [rtcweb] Please require user consent for data… Roman Shpount
- Re: [rtcweb] Please require user consent for data… Jonathan Lennox
- Re: [rtcweb] Please require user consent for data… Roman Shpount
- Re: [rtcweb] Please require user consent for data… Roman Shpount
- Re: [rtcweb] Please require user consent for data… Iñaki Baz Castillo
- Re: [rtcweb] Please require user consent for data… Tim Panton
- Re: [rtcweb] Please require user consent for data… Ted Hardie
- Re: [rtcweb] Please require user consent for data… Roman Shpount
- Re: [rtcweb] Please require user consent for data… Ted Hardie
- Re: [rtcweb] Please require user consent for data… Randell Jesup
- Re: [rtcweb] Please require user consent for data… Roman Shpount