IETF Logo Mail Archive

Re: [rtcweb] Security implications of host candidates

Manuel Kasper <manuel.kasper@threema.ch> Tue, 17 July 2018 11:27 UTC

Return-Path: <manuel.kasper@threema.ch>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA861130E57 for <rtcweb@ietfa.amsl.com>; Tue, 17 Jul 2018 04:27:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zA1TYmmszjXA for <rtcweb@ietfa.amsl.com>; Tue, 17 Jul 2018 04:27:13 -0700 (PDT)
Received: from mail.threema.ch (mail.threema.ch [5.148.175.219]) (using TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B5AC130DDB for <rtcweb@ietf.org>; Tue, 17 Jul 2018 04:27:13 -0700 (PDT)
X-Footer: dGhyZWVtYS5jaA==
Received: from localhost ([127.0.0.1]) by mail.threema.ch with ESMTPSA (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits)) for rtcweb@ietf.org; Tue, 17 Jul 2018 13:27:11 +0200
From: Manuel Kasper <manuel.kasper@threema.ch>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 11.4 \(3445.8.2\))
Date: Tue, 17 Jul 2018 13:27:08 +0200
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com> <CANN+akZ=Ebw41mA2wEX7-4u6q5WcZbFtM=VMLX4nDK39S=QGOQ@mail.gmail.com> <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com> <0ED74BE5-AC02-44C5-80E1-18532BD3D1FF@westhawk.co.uk> <CAOJ7v-0TGqvp=MUmeEUjYZTcvV37qbYSTV0pFMoi1J0CJQ7Q4A@mail.gmail.com> <CABkgnnXBTC5TERquJPO4dgiAKz037Cm0Omw4YrobtCW=wmGPyQ@mail.gmail.com> <CAOJ7v-0yzvu9POvR4Auokykqc63eju6_CveAzyVpcSd1kkK6Nw@mail.gmail.com> <CABkgnnXL6sdCDt=hjX+7KbP+xYm9jCmgjJNy4CvPPna_0oin=g@mail.gmail.com> <CAOJ7v-33ODGTsmbHEp_U7UdROvuKR7O7bne2_0tX6ivVf-+C5A@mail.gmail.com> <CABkgnnWJM4CE2ZLHYOOd=VYUj7kn5wFMAbeGB1HRyp++nvbPoQ@mail.gmail.com> <CAOJ7v-2WGyHSbSJwgbVVHLs-GO71rMLS2+OTetNyMhb0TM3ZcA@mail.gmail.com> <54EB6378-5DA2-4125-A4F4-84151D0E4F04@apple.com> <CAOJ7v-2dw1coDTpovTrKa__Oak7Jjn5EYgvWtByaRYmxfDDtXw@mail.gmail.com> <1d60feec-3a36-2deb-e4a7-703fb7144ed1@alvestrand.no> <68bb5744-d9f2-462c-446d-ae47f2f27e5e@gmail.com> <CAOJ7v-3CF5hXxOGkufzdP6VqrvjHW6BhnB1mjVnHjwv8pcP7KA@mail.gmail.com>
To: rtcweb@ietf.org
In-Reply-To: <CAOJ7v-3CF5hXxOGkufzdP6VqrvjHW6BhnB1mjVnHjwv8pcP7KA@mail.gmail.com>
Message-Id: <B61EE161-5F15-4859-A2D6-270BE4121E3E@threema.ch>
X-Mailer: Apple Mail (2.3445.8.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/VfdbebY28U1H8JiVMPBCwLKmeXQ>
Subject: Re: [rtcweb] Security implications of host candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2018 11:27:58 -0000

Disclosure: I work for Threema GmbH, whose main product is the "Threema" messenger (threema.ch), and would like to provide our view of the consequences of this proposal.

We use WebRTC data channels for our web client to establish a connection between the app on a smartphone and a browser on a desktop/laptop. Most of the time, the person who is using the web client connects to the same network with both devices.

The ability to send data (messages, audio, video, files, images) from and to the app without relaying it via a server is the main reason why we use WebRTC.

We have around 5 million users, and a significant portion of them use our enterprise product in corporate networks. Some of them will have IPv6 disabled, and our experience also shows that NAT loopback support is scarcer than one might think.

Because of that, I think the current proposal is a threat for our use case and would severely impact our users' experience. We are definitely on privacy's side (it is in fact our main focus along with end-to-end encryption), but at present we don't have an appropriate way to request consent from the user. Unless that is ensured by this document, the default mode should not be weakened.

- Manuel


> On 12 Jul 2018, at 01:01, Justin Uberti <juberti@google.com> wrote:
> 
> Thanks for the suggestions on intermediate modes. I think we're converging
> on the following potential replacements for Mode 2:
> 2b) IPv4 mDNS + RFC 4941 IPv6
> 2d) mDNS of any private IPv4/IPv6  + any public v4/v6 (as determined via
> STUN query)
> 
> 2d) is basically your 2c), but exposing any IPs that would already be
> visible to the server. This would basically give all the privacy benefits
> of Mode 3 (although, unlike Mode 3, it does allow host-host connections).
> 
> Your 2a) probably makes more sense to consider as a derivative of Mode 1,
> essentially a 1b), since it exposes all interfaces. I don't know if that
> provides a lot of value, since Mode 1 already requires trust, but I'd be
> open to arguments for this.
> 
> I think the main outstanding question is what we want the final Mode 2 to
> be (2b vs 2d), and the key sub-question is whether we think there's enough
> benefit in hiding private RFC 4941 addresses. However, we may need
> experimental data to properly consider the tradeoffs.
> 
>

v2.23.0 | Report a Bug | By Email