IETF Logo Mail Archive

[rtcweb] Please require user consent for data channels

Daniel Roesler <diafygi@gmail.com> Sat, 11 July 2015 16:43 UTC

Return-Path: <diafygi@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A16EB1A9004 for <rtcweb@ietfa.amsl.com>; Sat, 11 Jul 2015 09:43:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.7
X-Spam-Level:
X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SQEdAO9a0IN2 for <rtcweb@ietfa.amsl.com>; Sat, 11 Jul 2015 09:43:00 -0700 (PDT)
Received: from mail-qk0-x230.google.com (mail-qk0-x230.google.com [IPv6:2607:f8b0:400d:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16DA01A8FD5 for <rtcweb@ietf.org>; Sat, 11 Jul 2015 09:43:00 -0700 (PDT)
Received: by qkdv3 with SMTP id v3so31278005qkd.3 for <rtcweb@ietf.org>; Sat, 11 Jul 2015 09:42:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to:content-type; bh=iAt8icM0CXjgOCiZD1Iece40aVG+Y1EXKp31lbPVLhY=; b=U7QboQLfn3pHyG7v81YcX5W3njYp3mWFjJQzCFbdm59Pa7UPdJp2Etqg4al7hzf2o0 UHH/atO2GA3EwGa3JBZafoqxhqiw7VDhCh6kEb65GDxPiJ7Co88V5iJSgsuOj5MhG4H8 qsbNzJnnD238HhWzptcKoEGxTcXbyfkKzTAcTPJgGUL5PPow3uB1AXXkv/UuboZ2qDNO LFb3i7ZmajjSAor/v49M1V9DlyZyup6OH1w9FU0ZqNSDnElW56mc8t1AU02yYl2EHH6T rK9IWqS6noKKF2yv5hfZlfNQDIXETAHJESb8eG/cnRQbeQyV9wO5SGhLvBoWmcrwKLOn 5oyg==
X-Received: by 10.55.31.85 with SMTP id f82mr40764734qkf.88.1436632979319; Sat, 11 Jul 2015 09:42:59 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.108.130 with HTTP; Sat, 11 Jul 2015 09:42:29 -0700 (PDT)
From: Daniel Roesler <diafygi@gmail.com>
Date: Sat, 11 Jul 2015 09:42:29 -0700
Message-ID: <CA+65OspMD_PVjk0BXh7t4LtjmFDcDatoeNjFQOO_OVtC-Br+OA@mail.gmail.com>
To: rtcweb@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/Vlk8amPqF7E3Shi9eMxcakmqyv8>
Subject: [rtcweb] Please require user consent for data channels
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Jul 2015 16:43:01 -0000

Howdy all, this is mostly a re-surfacing of the discussion about IP
address leaking back in April[1], which unfortunately I did not
discover until recently.

One of the items in the new proposal was "WebRTC already requires
permission to access getUserMedia. Why not use that permission to
control interface enumeration?" That item didn't really get discussed
much in the thread, but I think it's one of the most important issues.

Why? There is now a documented case where a third party on nytimes.com
is using a fake webRTC datachannel to silently gather user local (and
potentially "real" ISP) IP addresses.

https://twitter.com/incloud/status/619624021123010560

So I'd like to voice my support for adding a consent requirement that
would prevent this type of silent behavior. A user that is
purposefully visiting a site that has a legitimate reason for using a
webRTC data channel will have the necessary context to give consent,
just like they have to get consent on getUserMedia.

I'm really unclear on why it's so important to have the silent webRTC
data channel behavior. P2P data connections should be held to the same
consent requirements just like P2P video and voice connections. In
addition to the silent third party local IP tracking, a silent P2P
data channel opens up users to silently becoming nodes in a web-based
file sharing network. For example, webtorrent[2] can be silently
embedded on a website so that all of the users to that website start
seeding content they don't know they are seeding.

Possible fix:

1. Require user consent before calling the callback on createOffer().
2. If the user has already given consent via getUserMedia, the user
consent requirement is satisfied.
3. If there's no previous gUM consent, then ask the user for consent.

This implementation requires no updates to current webRTC demos, since
you have to wait for a callback on createOffer anyway. I'm open to
other ways, such as making createDataChannel asynchronous like gUM,
but that would require updates to existing apps that use
createDataChannel.

Thanks!
Daniel Roesler

[1]: https://www.ietf.org/mail-archive/web/rtcweb/current/msg14494.htm
[2]: https://github.com/feross/webtorrent

v2.23.0 | Report a Bug | By Email