IETF Logo Mail Archive

Re: [rtcweb] Security implications of host candidates

westhawk <thp@westhawk.co.uk> Fri, 06 July 2018 17:53 UTC

Return-Path: <thp@westhawk.co.uk>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F11D7130EDC for <rtcweb@ietfa.amsl.com>; Fri, 6 Jul 2018 10:53:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tn8zoweY2mPU for <rtcweb@ietfa.amsl.com>; Fri, 6 Jul 2018 10:53:41 -0700 (PDT)
Received: from smtp001.apm-internet.net (smtp001-out.apm-internet.net [85.119.248.222]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64BAA130E52 for <rtcweb@ietf.org>; Fri, 6 Jul 2018 10:53:39 -0700 (PDT)
Received: (qmail 34870 invoked from network); 6 Jul 2018 17:53:37 -0000
X-APM-Authkey: 255286/0(159927/0) 1701
Received: from unknown (HELO zimbra003.verygoodemail.com) (85.119.248.218) by smtp001.apm-internet.net with SMTP; 6 Jul 2018 17:53:37 -0000
Received: from localhost (localhost [127.0.0.1]) by zimbra003.verygoodemail.com (Postfix) with ESMTP id BBFBF18A0C5E; Fri, 6 Jul 2018 18:53:37 +0100 (BST)
Received: from zimbra003.verygoodemail.com ([127.0.0.1]) by localhost (zimbra003.verygoodemail.com [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 6AtjFyKdpUWu; Fri, 6 Jul 2018 18:53:37 +0100 (BST)
Received: from [192.67.4.84] (unknown [192.67.4.84]) by zimbra003.verygoodemail.com (Postfix) with ESMTPSA id 84A3D18A0203; Fri, 6 Jul 2018 18:53:37 +0100 (BST)
From: westhawk <thp@westhawk.co.uk>
Message-Id: <0ED74BE5-AC02-44C5-80E1-18532BD3D1FF@westhawk.co.uk>
Content-Type: multipart/alternative; boundary="Apple-Mail=_6EC6A34E-98CC-4379-B799-B9B46571516A"
Mime-Version: 1.0 (Mac OS X Mail 11.4 \(3445.8.2\))
Date: Fri, 06 Jul 2018 18:53:36 +0100
In-Reply-To: <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com>
Cc: youenn fablet <youennf@gmail.com>, RTCWeb IETF <rtcweb@ietf.org>, youenn fablet <yfablet@apple.com>
To: Justin Uberti <juberti=40google.com@dmarc.ietf.org>
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CANN+akZLRdZdexjU44zPCA6vdQR0hVYT17_4P8DefC0JbRL5mA@mail.gmail.com> <CAOJ7v-2JdiMJ9iWE_cL8G7xDM6iekexJL8KLEbz0jD=p7hiGZg@mail.gmail.com> <CANN+akbv2mpyhgV5vxDHKcsA8UPsSEr0bEjJK4xYxtvbkXNA7w@mail.gmail.com> <CAOJ7v-3gHMCxHU02YG3NoqvWHtXgOSWSm+y88GNDW0qc=Sqq=A@mail.gmail.com> <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com> <CANN+akZ=Ebw41mA2wEX7-4u6q5WcZbFtM=VMLX4nDK39S=QGOQ@mail.gmail.com> <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.8.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/pDs_R7dUn6uf-DvwK6GT85obPxM>
Subject: Re: [rtcweb] Security implications of host candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jul 2018 17:53:46 -0000

I think perhaps we should step back and see if we can block the threat earlier on.

If I understand correctly the issue is that 2 pages of different origin could include 3rd party
javascript that connects to a web service to exchange OA and establish a data channel
between the pages. It then looks at the latency and figures out that the two are on
the same network/device.

Is there a way we can make this prohibitively expensive or inaccurate?

It sorta feels like a same origin policy on the data channel might help.
-Perhaps sign the webRTC certificates with the origin and have DTLS refuse a handshake if
the two ends don’t have a common signature.

I’m obviously very keen to avoid forcing all data channel traffic through TURN.

T.



> On 6 Jul 2018, at 18:15, Justin Uberti <juberti=40google.com@dmarc.ietf.org> wrote:
> 
> Thanks for the new version. I tried a few scenarios and agree that this technique can identify a same-host situation fairly reliably, especially in wireless environments; I typically saw ~2 ms latency for same-host and 5-10 ms latency (with occasional spikes) for over-the-air connections.
> 
> I'm still not quite sure what we should do about it; as noted, public IPv4 + user-agent (http://www.whatsmyua.info/ <http://www.whatsmyua.info/>) is probably unique in the vast majority of cases, and the situation is unavoidable with IPv6.
> 
> 
> 
> On Wed, Jul 4, 2018 at 2:12 PM youenn fablet <youennf@gmail.com <mailto:youennf@gmail.com>> wrote:
> 
> Le mar. 3 juil. 2018 à 14:40, Justin Uberti <juberti@google.com <mailto:juberti@google.com>> a écrit :
> Updated fiddle (outputs to display as well as console): https://jsfiddle.net/juberti/x7a8ut0q/37/ <https://jsfiddle.net/juberti/x7a8ut0q/37/>
> 
> Right, this shows the local loopback latency.
>  
> On Tue, Jul 3, 2018 at 11:16 AM Justin Uberti <juberti@google.com <mailto:juberti@google.com>> wrote:
> I wasn't able to get that example to work (tried with 2 Chrome and 2 Safari instances, got a setRemoteDescription error both times), but I was able to make a JSFiddle <https://jsfiddle.net/juberti/x7a8ut0q/25/> which does something similar in a single page. At present, even host-host connections were seeing a 2 ms RTT, possibly because of the clamping <https://developer.mozilla.org/en-US/docs/Web/API/Performance/now> that has been applied to performance.now() to deal with Spectre et al.
> 
> I updated https://evening-thicket-98446.herokuapp.com/src/content/peerconnection/datachannel-b2b/ <https://evening-thicket-98446.herokuapp.com/src/content/peerconnection/datachannel-b2b/>, it should hopefully be more intuitive to use this time:
> 1. load the page in one device
> 2. load the link provided by the page on another device
> 3. click 'call' on the first page
> 4. a latency value should appear on the page and be continuously updated
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb

v2.23.0 | Report a Bug | By Email