IETF Logo Mail Archive

Re: [rtcweb] Please require user consent for data channels

Randell Jesup <randell-ietf@jesup.org> Thu, 30 July 2015 06:33 UTC

Return-Path: <randell-ietf@jesup.org>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AEEA1A7008 for <rtcweb@ietfa.amsl.com>; Wed, 29 Jul 2015 23:33:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level:
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qGfaL9KY2ATm for <rtcweb@ietfa.amsl.com>; Wed, 29 Jul 2015 23:33:00 -0700 (PDT)
Received: from ar-005-i191.relay.mailchannels.net (ar-005-i191.relay.mailchannels.net [162.253.144.73]) by ietfa.amsl.com (Postfix) with ESMTP id AA67C1A7005 for <rtcweb@ietf.org>; Wed, 29 Jul 2015 23:32:59 -0700 (PDT)
X-Sender-Id: wwwh|x-authuser|randell@jesup.org
Received: from r2-chicago.webserversystems.com (ip-10-229-11-165.us-west-2.compute.internal [10.229.11.165]) by relay.mailchannels.net (Postfix) with ESMTPA id 752DD120947 for <rtcweb@ietf.org>; Thu, 30 Jul 2015 06:32:57 +0000 (UTC)
X-Sender-Id: wwwh|x-authuser|randell@jesup.org
Received: from r2-chicago.webserversystems.com (r2-chicago.webserversystems.com [10.251.34.29]) (using TLSv1 with cipher DHE-RSA-AES256-SHA) by 0.0.0.0:2500 (trex/5.5.1); Thu, 30 Jul 2015 06:32:57 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: wwwh|x-authuser|randell@jesup.org
X-MailChannels-Auth-Id: wwwh
X-MC-Loop-Signature: 1438237977668:1014322427
X-MC-Ingress-Time: 1438237977668
Received: from pool-108-36-235-74.phlapa.fios.verizon.net ([108.36.235.74]:63010 helo=[192.168.1.12]) by r2-chicago.webserversystems.com with esmtpsa (TLSv1:DHE-RSA-AES128-SHA:128) (Exim 4.85) (envelope-from <randell-ietf@jesup.org>) id 1ZKhOh-0004dh-7T for rtcweb@ietf.org; Thu, 30 Jul 2015 01:32:55 -0500
Message-ID: <55B9C503.4050807@jesup.org>
Date: Thu, 30 Jul 2015 02:32:35 -0400
From: Randell Jesup <randell-ietf@jesup.org>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: rtcweb@ietf.org
References: <CA+65OspMD_PVjk0BXh7t4LtjmFDcDatoeNjFQOO_OVtC-Br+OA@mail.gmail.com>
In-Reply-To: <CA+65OspMD_PVjk0BXh7t4LtjmFDcDatoeNjFQOO_OVtC-Br+OA@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AuthUser: randell@jesup.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/U8mTA3120M1VkVRnwe8II8jaHdU>
Subject: Re: [rtcweb] Please require user consent for data channels
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2015 06:33:02 -0000

Note: responding to an older message. Also, Mozilla is planning to land 
a number of optional controls for ICE candidate generation and TURN 
server use.  We also plan to add hooks that extensions can use to prompt 
(depending on circumstance) or monitor 'background' use of 
PeerConnections (without user-granted permission).

On 7/11/2015 12:42 PM, Daniel Roesler wrote:
> One of the items in the new proposal was "WebRTC already requires
> permission to access getUserMedia. Why not use that permission to
> control interface enumeration?" That item didn't really get discussed
> much in the thread, but I think it's one of the most important issues.

In addition to Kaufman's answer, I'll add that this would effectively 
make WebRTC unusable for users - and/or would destroy the utility of 
camera access requests (and WebRTC), due to user request-fatigue.  (If 
you ask a user for permission too many times, especially for something 
they asked to do and the question is about something they don't really 
understand, they either a) always hit yes regardless of the question, or 
b) stop using the feature entirely, because it's too annoying.)

Even camera-access requests are arguably a problem - but the alternative 
(granting permanent permission by default) is itself problematic.

> Why? There is now a documented case where a third party on nytimes.com
> is using a fake webRTC datachannel to silently gather user local (and
> potentially "real" ISP) IP addresses.

Sure, and gathering those for normal users is already trivially possible 
*without* webrtc - external IP's are trivial: whatismyipaddress.com, and 
for LAN addresses you can infer the LAN address with high probability by 
trying to load images from likely gateway addresses 
(192.168.0.1/192.168.1.1/10.0.0.1/etc) to find the likely subnet, and 
then scan the subnet using the same trick, recording the time-to-fail 
for each.  That will map the entire list of devices on the LAN, and you 
may be able to infer from it which address is yours (probably the 
fastest failure).  Note the LAN map itself is often a larger fingerprint 
reveal than the LAN IP address alone.  And yes, I've seen real examples 
of these tricks.

The case this doesn't directly cover fully is the "partial VPN" case, 
where someone has a VPN, but *also* still allows routing out directly 
without going through the VPN.  This is already hugely risky if you're 
trying to maintain anonymity - it's a false sense of security.  However 
it is at least a real concern, as is the "hiding at a shelter" case 
discussed a long time ago, where the issue is exposing external IP's to 
a remote caller (not to the service provider or STUN/TURN server).  I 
will note that there are many ways someone can find your external IP 
address unless you're very paranoid and careful (never load images in 
email, etc).

> So I'd like to voice my support for adding a consent requirement that
> would prevent this type of silent behavior. A user that is
> purposefully visiting a site that has a legitimate reason for using a
> webRTC data channel will have the necessary context to give consent,
> just like they have to get consent on getUserMedia.

You could disable DataChannels and have the same problem, note - this 
would have to apply to all PeerConnections (think of a call with 
offerToReceiveAudio - no gUM request would be made).

> I'm really unclear on why it's so important to have the silent webRTC
> data channel behavior. P2P data connections should be held to the same
> consent requirements just like P2P video and voice connections.

They are.

> In addition to the silent third party local IP tracking, a silent P2P
> data channel opens up users to silently becoming nodes in a web-based
> file sharing network. For example, webtorrent[2] can be silently
> embedded on a website so that all of the users to that website start
> seeding content they don't know they are seeding.

Note we don't require permissions to open WebSockets either.  While 
those don't allow P2P access, downloaded JS can use your CPU for bitcoin 
mining (though not efficiently yet), SETI searches, can store data and 
serve it back to the same (or other) servers, etc.

> 1. Require user consent before calling the callback on createOffer().
> 2. If the user has already given consent via getUserMedia, the user
> consent requirement is satisfied.
> 3. If there's no previous gUM consent, then ask the user for consent.

This could be done technically, and would cover the 
offerToReceiveAudio/Video case.  And there are still ways this could be 
abused, though not as easily.

It would cause people using WebRTC for the advantages DataChannels has 
over WebSockets to be annoyed (such as games).  Anything that benefits 
from UDP-like semantics has cause to use WebRTC/DataChannels, even if 
it's just talking directly to the server, and this would put a huge 
roadblock in the face of such utility.   Web-based games are starting to 
make use of DataChannels, and this would be a real problem for them.

Working around this for access back to the server would require some 
variant of CORS (to bypass the request if it's back to the same origin 
you loaded the page from - and that means you'd make it trivial again 
for the site to find your IPs, which was the reason this was brought 
up).  So that's not really useful.

One thing that *could* be done is to create an option to force such 
requests; we can debate what the visibility of such an option should be, 
and what the defaults should be - but a designed-in option opens the 
door for trivial extensions to change the or to provide UI to expose it 
(either in prefs or in main browser chrome or in a modal popup).  We 
could also flip the pref by default in private browsing mode, though 
that might require in-browser UI since random sites may trigger it.


Speaking to the non-fingerprinting aspects of this which had previously 
been discussed:

I understand your concerns, however the IP address exposure and LAN 
exposure is a red herring (and even more so in IPV6 world), except for 
the "I'm hiding" cases (poorly-configured VPN hiding or hiding from 
another user of the service).  We do surface the ability to not only 
know what PeerConnections are in use, but also that have been in use, so 
you can vet if sites are actually making connections. Right now it 
doesn't list unconnected PeerConnections (used for IP address 
harvesting), but it could.

One could also provide some sort of semi-persistent indicator of such 
background usage without requiring the user to interact with it.  (See 
the hooks I mention at the top of this post.)

-- 
Randell Jesup -- rjesup a t mozilla d o t com
Please please please don't emailrandell-ietf@jesup.org!  Way too much spam

v2.23.0 | Report a Bug | By Email