Re: [rtcweb] Please require user consent for data channels

Tim Panton <tim@phonefromhere.com> Mon, 20 July 2015 12:26 UTC

To: Martin Thomson <martin.thomson@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/Zjr59y47RmZS_eW9ljTvmUtuqXY>
Cc: rtcweb@ietf.org

> On 18 Jul 2015, at 02:31, Martin Thomson <martin.thomson@gmail.com> wrote:
> 
> 
> On Jul 17, 2015 5:01 PM, "Iñaki Baz Castillo" <ibc@aliax.net> wrote:
> >
> > The point is that you don't even choose the interface. The OS will do for you.
> 
> The OS can - and frequently does - get that wrong. The default route can fail when another might succeed.
> 
> You can't allow that to happen if you care about connecting successfully.
> 
Gulp. Whilst I mostly see the logic - it is wholly unexpected behaviour to the average sys admin. 
Certainly not what I expected.

It strikes me that binding to all interfaces might well give a vector for attackers to map out a company’s internal networks.
It also may restrict the user’s ability to manipulate which medium is used. 

E.g. I’m at home and my chromebook pixel (or firefox tablet) is on wifi, but I’ve left LTE enabled.
I (or the OS) is configured to prefer wifi when available - but it happens that for a specific peer LTE completes first.
So now my video call goes over LTE without my say-so and with no hint this is happening - costing me real
money. My only option is to completely disable LTE when I get home (and lose SMS too)?

Perhaps we should default to binding to 0.0.0.0 and allow a user config’d preference for more exhaustive searching.

Tim.
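
An added example, not part of the original message: a small audit helper a sysadmin could run over the ICE candidate lines a browser emits, to see which local interface addresses are disclosed when the stack binds to every interface. It assumes the `a=candidate` line syntax of RFC 5245; the sample lines and all function names are constructed for illustration.

```javascript
// Constructed sample: candidate lines as they might appear in a local SDP offer.
const SAMPLE_SDP_LINES = [
  "a=candidate:1 1 udp 2122260223 192.168.1.23 54012 typ host",   // wifi
  "a=candidate:2 1 udp 2122194687 10.20.30.40 54013 typ host",    // internal/VPN
  "a=candidate:3 1 udp 2122129151 100.72.5.9 54014 typ host",     // LTE behind CGNAT
  "a=candidate:4 1 udp 1686052607 203.0.113.7 61000 typ srflx raddr 192.168.1.23 rport 54012",
  "a=candidate:garbage",                                          // malformed, skipped
];

// Classify an IPv4 literal; IPv6 literals and hostnames are reported as "other".
function classifyIPv4(addr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(addr);
  if (!m || m.slice(1).some((o) => Number(o) > 255)) return "other";
  const a = Number(m[1]), b = Number(m[2]);
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return "rfc1918";
  if (a === 100 && b >= 64 && b <= 127) return "cgnat";
  if (a === 169 && b === 254) return "link-local";
  if (a === 127) return "loopback";
  return "public";
}

// Parse one candidate line; returns null when the line does not match the grammar.
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(.*)$/.exec(line.trim());
  if (!m) return null;
  const raddr = /\braddr (\S+)/.exec(m[8]);
  return { address: m[5], port: Number(m[6]), type: m[7], raddr: raddr ? raddr[1] : null };
}

// Collect every local address disclosed: host candidates directly, and the
// base address carried in raddr on server-reflexive or relayed candidates.
function auditCandidates(lines) {
  const disclosed = new Map(); // address -> classification
  let skipped = 0;
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) { skipped++; continue; }
    const local = c.type === "host" ? c.address : c.raddr;
    if (local && local !== "0.0.0.0") disclosed.set(local, classifyIPv4(local));
  }
  const internal = [...disclosed].filter(([, k]) => k !== "public" && k !== "other").map(([a]) => a);
  return { disclosed: Object.fromEntries(disclosed), internal, skipped };
}

console.log(auditCandidates(SAMPLE_SDP_LINES));
```

With a stack that only uses the default route, the same audit would list a single local address instead of one per interface.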