IETF Logo Mail Archive

Re: [rtcweb] Please require user consent for data channels

Matthew Kaufman <matthew@matthew.at> Sun, 12 July 2015 04:26 UTC

Return-Path: <matthew@matthew.at>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B83381A1A5D for <rtcweb@ietfa.amsl.com>; Sat, 11 Jul 2015 21:26:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level:
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vL-PCT75liS9 for <rtcweb@ietfa.amsl.com>; Sat, 11 Jul 2015 21:26:30 -0700 (PDT)
Received: from mail.eeph.com (mail.eeph.com [IPv6:2001:470:826a:d2::3]) by ietfa.amsl.com (Postfix) with ESMTP id 6A6EC1A1A5B for <rtcweb@ietf.org>; Sat, 11 Jul 2015 21:26:30 -0700 (PDT)
Received: from [IPv6:2001:470:826a:d0:d5fe:6e06:c62e:6418] (unknown [IPv6:2001:470:826a:d0:d5fe:6e06:c62e:6418]) (Authenticated sender: matthew@eeph.com) by mail.eeph.com (Postfix) with ESMTPSA id E4B792A334D for <rtcweb@ietf.org>; Sat, 11 Jul 2015 21:26:29 -0700 (PDT)
Message-ID: <55A1EC76.4030802@matthew.at>
Date: Sat, 11 Jul 2015 21:26:30 -0700
From: Matthew Kaufman <matthew@matthew.at>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: rtcweb@ietf.org
References: <CA+65OspMD_PVjk0BXh7t4LtjmFDcDatoeNjFQOO_OVtC-Br+OA@mail.gmail.com>
In-Reply-To: <CA+65OspMD_PVjk0BXh7t4LtjmFDcDatoeNjFQOO_OVtC-Br+OA@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/UOPujos54jjpx7QkQeT7hwrcEOU>
Subject: Re: [rtcweb] Please require user consent for data channels
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Jul 2015 04:26:31 -0000

On 7/11/2015 9:42 AM, Daniel Roesler wrote:
> Howdy all, this is mostly a re-surfacing of the discussion about IP
> address leaking back in April[1], which unfortunately I did not
> discover until recently.
>
> One of the items in the new proposal was "WebRTC already requires
> permission to access getUserMedia. Why not use that permission to
> control interface enumeration?" That item didn't really get discussed
> much in the thread, but I think it's one of the most important issues.
>
> Why? There is now a documented case where a third party on nytimes.com
> is using a fake webRTC datachannel to silently gather user local (and
> potentially "real" ISP) IP addresses.
> ...

On the IPv6 Internet, the IP address you use to reach the web site is 
almost certainly the same as your "local" IP address. There's no 
additional information exposed by allowing an application to discover 
that information directly via JavaScript.

The IPv4 Internet is essentially out of addresses and in the process of 
being retired. I don't believe there's any reason at this point to 
disable functionality in order to improve compatibility with this legacy 
network.

Matthew Kaufman

ps. You can also gather all these addresses for any browser with Flash 
Player installed by asking Flash to connect via RTMFP to a server, 
whereupon it will report the full enumeration of available IPv4 and IPv6 
addresses to that server.

v2.23.0 | Report a Bug | By Email