IETF Logo Mail Archive

Re: [rtcweb] Please require user consent for data channels

Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com> Fri, 17 July 2015 21:03 UTC

Return-Path: <sergio.garcia.murillo@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A26D21A3B9B for <rtcweb@ietfa.amsl.com>; Fri, 17 Jul 2015 14:03:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.999
X-Spam-Level:
X-Spam-Status: No, score=-0.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nq02oU5odajo for <rtcweb@ietfa.amsl.com>; Fri, 17 Jul 2015 14:03:25 -0700 (PDT)
Received: from mail-wi0-x230.google.com (mail-wi0-x230.google.com [IPv6:2a00:1450:400c:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03B1B1A21A0 for <rtcweb@ietf.org>; Fri, 17 Jul 2015 14:03:25 -0700 (PDT)
Received: by widic2 with SMTP id ic2so47805868wid.0 for <rtcweb@ietf.org>; Fri, 17 Jul 2015 14:03:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-type; bh=dHwmIVAEUt2V89D1RceGIwfMIUKnPAQWAfg2P6a6rYQ=; b=A4iDb2oo/TmHuXV6JXjc+aAg6wOMGQuOS8gcUq4R6hXxGB+th8l3woVWwfWQ3mdR7Q 7zJORVLwqewMg2sKQUwxgWD2QgW7WhHNMYQzNR/M1JzR1n8ld8IxNoYztcUe/ySHdL2I iPj324XZ41bIZEZFvBwzHp/bZjuqGVH+aFTLLJnQLfN/eglj5DrWPPQ7pTh6Hh0XDlVz pW87uAOQ0J9+0pG1tcmSIfWVdQ/UWckHZFD1MWzj2n7LssNbeh0ZT8D2z9KV4ay7RQR0 kiT+5nftTu3rnVY3GVerCe0Ii202pvRwP31OzsNflgq23B5Djz2vRwLYrEacjz7GupZn I9GA==
X-Received: by 10.180.23.66 with SMTP id k2mr509572wif.85.1437167003779; Fri, 17 Jul 2015 14:03:23 -0700 (PDT)
Received: from [192.168.0.193] ([95.61.111.78]) by smtp.googlemail.com with ESMTPSA id ck7sm19863546wjc.43.2015.07.17.14.03.22 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 17 Jul 2015 14:03:22 -0700 (PDT)
To: Justin Uberti <juberti@google.com>
References: <CA+65OspMD_PVjk0BXh7t4LtjmFDcDatoeNjFQOO_OVtC-Br+OA@mail.gmail.com> <CAOJ7v-0UBGtP0-atxP7X4OTj-H6Lost5o42aAS65mA6CEqcQsw@mail.gmail.com> <CA+65OsrhXHK+cRAFLCZFt+34vr8eRhj+CN3DgznUBfSwmWYggw@mail.gmail.com> <CAOJ7v-24VCW6kkn7LOLkqZzhYEU0r=nmd_F7Zns1rnyqKN6xAg@mail.gmail.com> <55A95364.2070806@gmail.com> <CAOJ7v-3t9BQabR2e4EHs4G0Sec4sU9DFC2aiSXXYrat+an+RYg@mail.gmail.com>
From: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Message-ID: <55A96DA3.1040907@gmail.com>
Date: Fri, 17 Jul 2015 23:03:31 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.0.1
MIME-Version: 1.0
In-Reply-To: <CAOJ7v-3t9BQabR2e4EHs4G0Sec4sU9DFC2aiSXXYrat+an+RYg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------020600030101070606090505"
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/ncmbogIYlQWyqkCrpQ36i5Fzdto>
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Please require user consent for data channels
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jul 2015 21:03:27 -0000

Hi Justin,

Thanks for pointing that out, can you point me were in RFC5245 is that 
behavior described? I fail to find it.

The only references I found about multihoming are about HOST candidates, 
performing connectivity checks and priorization of candidates, but I 
cannot find a reference on sending STUN request to the TURN/STUN server 
via all the available interfaces in order to retrieve the server 
reflexive candidates that is where the leak is originating. Please 
correct me again if I am wrong.

Anyway, this raises another attack vector, as the IP may be leaked not 
directly via the ICE reflexive candidates, but via the connectivity 
checks. That is, the "malicious" server may just not get the IP via the 
server reflexive candidates, but doing an SDP O/A with remote ice 
candidates of a fake ICE server, that correlates the STUN connectivity 
checks with the web visit (via ice username for example).  They don't 
even need a STUN/TURN server deployed.

Best regards
Sergio


On 17/07/2015 22:25, Justin Uberti wrote:
> What you describe is the proper operation of RFC5245, so this isn't a 
> Chrome implementation decision (Firefox behaves the same way, and I 
> assume Edge will as well).
>
> However, we have been thinking about whether refinements to the 
> behaviors specified in RFC5245 are warranted in the web context.
>
> On Fri, Jul 17, 2015 at 12:11 PM, Sergio Garcia Murillo 
> <sergio.garcia.murillo@gmail.com 
> <mailto:sergio.garcia.murillo@gmail.com>> wrote:
>
>     If I have understood the looong thread correctly, the issue is
>     that Chrome overrides the OS default route and sends the STUN
>     requests via all available interfaces, therefore leaking the IP
>     addresses on the process.
>
>     AFAIK, that behavior is a Chrome implementation decision (wrong in
>     my opinion, but understandable) and it is not specified on WebRTC,
>     so while acknowledging the importance of the issue, this is not
>     something that we should discuss in this mailing list, except if
>     we decide that we should decide to explicitly forbid this behavior
>     and add it to the security draft.
>
>     I will send a reply to discuss-webrtc to continue the discussion
>     from a Chrome point of view.
>
>     Best regards
>     Sergio
>
>
>     On 17/07/2015 20:36, Justin Uberti wrote:
>>     The title is somewhat inaccurate, but
>>     https://code.google.com/p/chromium/issues/detail?id=457492 is the
>>     current bug for this.
>>     See also
>>     https://code.google.com/p/chromium/issues/detail?id=333752, from
>>     which the above bug was spun out.
>>
>>     On Fri, Jul 17, 2015 at 11:22 AM, Daniel Roesler
>>     <diafygi@gmail.com <mailto:diafygi@gmail.com>> wrote:
>>
>>         On Fri, Jul 17, 2015 at 11:04 AM, Justin Uberti
>>         <juberti@google.com <mailto:juberti@google.com>> wrote:
>>         >
>>         > This is already possible using non-WebRTC technologies,
>>         e.g. web sockets. As
>>         > such, I don't think that permission should be needed to
>>         create a data
>>         > channel, or receive (but not send) media.
>>         >
>>
>>         The big difference is that Web Sockets starts off with an HTTP
>>         request, so it can be filtered by various plugins (PrivacyBadger,
>>         uBlock, Ghostery, etc.). WebRTC is invisible to those
>>         services since
>>         it does not have any HTTP requests at all. In fact, is WebRTC
>>         the only
>>         browser standard (i.e. not flash) that can fire off a DNS request
>>         that's not (at least at first) for an HTTP address[1]? Lacking an
>>         initial HTTP request makes it impossible for plugins to
>>         selectively
>>         filter these requests, so they have to fall back to an
>>         all-or-nothing
>>         config setting approach (which hurts WebRTC adoption in
>>         general)[2][3].
>>
>>         > That said, I agree that WebRTC should not allow drive-by
>>         harvesting of IP
>>         > addresses, and we intend to make changes to Chrome to
>>         prevent this.
>>
>>         Great to hear! Thanks! Is there a bug that is tracking this?
>>
>>
>>         [1]:
>>         https://www.w3.org/wiki/Privacy/IPAddresses#Using_wildcard_DNS_entries_as_persistent_identifiers
>>         [2]: https://github.com/EFForg/privacybadgerfirefox/issues/394
>>         [3]: https://github.com/gorhill/uBlock/releases/tag/0.9.9.3
>>
>>         Daniel
>>
>>
>>
>>
>>     _______________________________________________
>>     rtcweb mailing list
>>     rtcweb@ietf.org <mailto:rtcweb@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/rtcweb
>
>
>     _______________________________________________
>     rtcweb mailing list
>     rtcweb@ietf.org <mailto:rtcweb@ietf.org>
>     https://www.ietf.org/mailman/listinfo/rtcweb
>
>

v2.23.0 | Report a Bug | By Email