Re: [rtcweb] ICE exposes 'real' local IP to javascript

Benjamin Schwartz <bemasc@google.com> Mon, 02 February 2015 14:58 UTC

In-Reply-To: <5B986D58-AB56-4976-8F61-4E80110916A2@westhawk.co.uk>
References: <5B986D58-AB56-4976-8F61-4E80110916A2@westhawk.co.uk>
Date: Mon, 02 Feb 2015 09:58:11 -0500
Message-ID: <CAHbrMsAydrfvHc22tOP2pk0nEiN4hrTwmFEfUFLq7fuWyXhgfA@mail.gmail.com>
From: Benjamin Schwartz <bemasc@google.com>
To: Tim Panton <thp@westhawk.co.uk>
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/aZNMCRL70_LjnajcHT24RqwMxUc>
Cc: "rtcweb@ietf.org >> rtcweb@ietf.org" <rtcweb@ietf.org>, public-webrtc <public-webrtc@w3.org>
Subject: Re: [rtcweb] ICE exposes 'real' local IP to javascript
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb/>

Standards-wise: You might want to have a look at
http://tools.ietf.org/html/draft-schwartz-rtcweb-return-04#section-5.3 (a
draft which I'm hoping will be adopted by the rtcweb group).

Reality-wise:
Tor is not a VPN.  It acts as a SOCKS5 proxy.  Tor doesn't support UDP, and
none of the major browsers support SOCKS5-UDP anyway, so it's not much use
for WebRTC.  Tor Browser Bundle, IMHO the only responsible way to use Tor,
has disabled WebRTC from the beginning, precisely to avoid revealing the
user's IP address.

VPN users who want to be safe should set permissions such that the browser
can only access the VPN, not the physical network.  (I don't personally
know how to do this, especially on all different operating systems!)

On Mon, Feb 2, 2015 at 9:16 AM, Tim Panton <thp@westhawk.co.uk> wrote:

> Firstly- sorry for cross posting - I’m not sure which side of the line
> this falls.
> Secondly - if this is covered, please let me know, I don’t recall it
> cropping up...
>
> I’ve been reading worried blogs that WEBRTC in browsers ‘leaks’ the local
> ‘real’ ip addresses to the javascript.
> The principal worriers are VPN users, e.g.
> https://cryptostorm.org/viewtopic.php?f=50&t=2867&p=13096#p13096
> The concern is that this can be done without user notification
> (DataChannel request) and might be used to
> identify or fingerprint users. Clearly the most vulnerable are Tor users
> who are on a real routable IP address
> or directly on a carrier grade NAT (e.g. Android phones etc.) where the IP
> may reveal the identity or location of the user.
>
> It seems to me that this concern will be increased in the case of ipv6
> deployments (MNOs).
>
> Do we need to specify a config option on the browser: ‘I’m using a VPN,
> don’t expose my local IP’?
>
> Again, sorry if I missed this being hashed to death already.
>
> T
>
> Tim Panton - Web/VoIP consultant and implementor
> www.westhawk.co.uk
>
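Added example, not code from either message in this thread: a small self-check that parses the ICE candidate lines a browser hands to JavaScript (the `candidate:` attribute syntax of RFC 5245) and classifies what each one exposes: a private, CGNAT, link-local or public host address, or an mDNS `.local` placeholder (a later browser mitigation that the thread does not mention). The parser and classifier run anywhere; `gatherLocalCandidates` assumes a browser that provides `RTCPeerConnection` and is the part a VPN user would run against their own browser to confirm that only the VPN interface is visible. The sample candidate lines are constructed, not captured from a real browser.

```javascript
// Added example (not from the thread): classify the ICE candidates a browser
// exposes to JavaScript, so a VPN or Tor user can check their own setup.
// Candidate syntax follows RFC 5245 section 15.1:
//   candidate:<foundation> <component> <transport> <priority> <addr> <port> typ <type> ...

// Parse one "candidate:" attribute (with or without the leading "a=").
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/.exec(line.trim());
  if (!m) return null;
  return {
    foundation: m[1],
    component: Number(m[2]),
    transport: m[3].toLowerCase(),
    priority: Number(m[4]),
    address: m[5],
    port: Number(m[6]),
    type: m[7], // host | srflx | prflx | relay
  };
}

// Address classes that matter for the "does my real address show up" question.
function classifyAddress(addr) {
  if (addr.endsWith('.local')) return 'mdns'; // hostname placeholder, no IP revealed
  if (addr.includes(':')) {
    const a = addr.toLowerCase();
    if (a === '::1') return 'loopback';
    if (/^fe[89ab]/.test(a)) return 'link-local'; // fe80::/10
    if (/^f[cd]/.test(a)) return 'private';       // fc00::/7 unique local
    return 'public';
  }
  const o = addr.split('.').map(Number);
  if (o.length !== 4 || o.some((n) => Number.isNaN(n) || n < 0 || n > 255)) return 'invalid';
  if (o[0] === 127) return 'loopback';
  if (o[0] === 169 && o[1] === 254) return 'link-local';
  if (o[0] === 10 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) || (o[0] === 192 && o[1] === 168)) return 'private';
  if (o[0] === 100 && o[1] >= 64 && o[1] <= 127) return 'cgnat'; // 100.64.0.0/10, RFC 6598
  return 'public';
}

// Summarise what a set of candidate lines reveals. Host candidates carry the
// interface address itself; a routable or CGNAT host address is the case the
// thread worries about, so those are listed separately.
function summarizeCandidates(lines) {
  const report = { host: [], srflx: [], relay: [], exposedHost: [] };
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    const cls = classifyAddress(c.address);
    const entry = { address: c.address, cls, transport: c.transport };
    if (c.type === 'host') {
      report.host.push(entry);
      if (cls === 'public' || cls === 'cgnat') report.exposedHost.push(c.address);
    } else if (c.type === 'srflx' || c.type === 'prflx') {
      report.srflx.push(entry);
    } else if (c.type === 'relay') {
      report.relay.push(entry);
    }
  }
  return report;
}

// Browser-only (assumes RTCPeerConnection): gather the host candidates this
// page would see and summarise them. No STUN server is configured, so only
// host candidates are produced; resolves once gathering finishes.
async function gatherLocalCandidates() {
  const pc = new RTCPeerConnection({ iceServers: [] });
  const lines = [];
  pc.createDataChannel('self-check');
  const done = new Promise((resolve) => {
    pc.onicecandidate = (e) => (e.candidate ? lines.push(e.candidate.candidate) : resolve());
  });
  await pc.setLocalDescription(await pc.createOffer());
  await done;
  pc.close();
  return summarizeCandidates(lines);
}

// Constructed sample (not captured from a real browser): a private host
// candidate, an mDNS-obfuscated host candidate, a server-reflexive and a relay.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0',
  'candidate:2 1 udp 2122260223 4f3c1a2b-1234-4a5b-8c6d-aabbccddeeff.local 54322 typ host',
  'candidate:3 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 192.168.1.23 rport 54321',
  'candidate:4 1 udp 41885439 198.51.100.9 3478 typ relay raddr 203.0.113.7 rport 54321',
];
```

Run `gatherLocalCandidates()` from a browser console and look at `exposedHost`: on a correctly restricted VPN setup it should contain nothing but the VPN interface's address, and any physical-interface address appearing there is the leak the thread describes.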