IETF Logo Mail Archive

Re: [rtcweb] I-D Action: draft-ietf-rtcweb-ip-handling-05.txt

Sean Turner <sean@sn3rd.com> Wed, 14 February 2018 03:06 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D53ED129511 for <rtcweb@ietfa.amsl.com>; Tue, 13 Feb 2018 19:06:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y6qAYgm9H_jr for <rtcweb@ietfa.amsl.com>; Tue, 13 Feb 2018 19:06:11 -0800 (PST)
Received: from mail-qt0-x233.google.com (mail-qt0-x233.google.com [IPv6:2607:f8b0:400d:c0d::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF4DC12708C for <rtcweb@ietf.org>; Tue, 13 Feb 2018 19:06:11 -0800 (PST)
Received: by mail-qt0-x233.google.com with SMTP id u6so6108878qtg.13 for <rtcweb@ietf.org>; Tue, 13 Feb 2018 19:06:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=5AJ1tGjf8E1cn6LfUyfcz7fciEDQpJX1p8eK1imCAss=; b=OyYsYnoHi/mc0MTn1NjcLRETXpjc87R4Aqi6/NN7CHSANnIOMwL24X68Wvm2GsFH0g TfaOFSIIOo+i2IfeFTCNb9GX8BOQSEwd+QUU1gUmhCgjBPEG0P9hazaOkEJSfpOjFy6J jCC/JDeArLwr/csj+a4icET9my5je/lx6NjUU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=5AJ1tGjf8E1cn6LfUyfcz7fciEDQpJX1p8eK1imCAss=; b=Jns50CTIrGs1ARaSDpTYL92F1mJGDLI/UxJOke9zZ01pH/9xyO7NkllJceGHpPIQFj 0AlC+XZ9GE2yzqrjYbztc1/5vFTwkmyjw5RwOXkSE2fh13k1Sx2uI3j5E4RL0Wn/Ea+e a5dyIZclzDN2/5M57XiFKNEjS/mLqFUx5CX8CwZH5HA5mSkK2nHwjEFd1g13QvmYyEbf A88IxcuWnWcC4n1zaqL+aoY1O0DeUyk/amVSEr5MoTw+8B0YqtJFkfhe2mhRrU+SGmMX Vb+4Ih3isfktDmIRz7RykWK++6mH03LTtzMd7A91saGqbrCnu7yAcwvAPEtu2ydfdbIq SCog==
X-Gm-Message-State: APf1xPDxJBMDXM1XR1NrwW5ixkG5MtDPGcv76y977upTyWx7MfmyU4Oj 3QFkUBBq4gkMSmO4j9S++9ufslSrFHE=
X-Google-Smtp-Source: AH8x226VAvYjMskj598itdzpn4sU2OFIB6Y3Z1vptDmlW79Bd2NIwpzo+0R29nAVcpYVlmf0fggAlg==
X-Received: by 10.237.50.226 with SMTP id z89mr5352175qtd.290.1518577570626; Tue, 13 Feb 2018 19:06:10 -0800 (PST)
Received: from [172.16.0.18] ([96.231.218.194]) by smtp.gmail.com with ESMTPSA id d74sm7446040qka.68.2018.02.13.19.06.07 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 13 Feb 2018 19:06:09 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <CAOJ7v-1-W+AKe2nF02m+O8iDovioB4vDdwviNKgOmrLUCxjxiQ@mail.gmail.com>
Date: Tue, 13 Feb 2018 22:06:06 -0500
Cc: RTCWeb IETF <rtcweb@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <FBBAE2EF-7BCF-4DFD-B760-F054971BFCF9@sn3rd.com>
References: <151833965150.17077.13014329219354900316@ietfa.amsl.com> <f3712b9f-f7dd-27b1-a9aa-3c7fceb1008e@cs.tcd.ie> <1a280595-e04d-33af-2cfc-454563131481@alvestrand.no> <5acebff2-364c-45f2-c92a-992ba88f47ef@cs.tcd.ie> <CAOJ7v-1-W+AKe2nF02m+O8iDovioB4vDdwviNKgOmrLUCxjxiQ@mail.gmail.com>
To: Justin Uberti <juberti@google.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/yYut0_hfibOWf4UiJQWYvvQ-Ook>
Subject: Re: [rtcweb] I-D Action: draft-ietf-rtcweb-ip-handling-05.txt
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Feb 2018 03:06:14 -0000


> On Feb 13, 2018, at 15:46, Justin Uberti <juberti@google.com> wrote:
> 
> 
> 
> On Mon, Feb 12, 2018 at 3:12 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> Hiya,
> 
> On 12/02/18 09:26, Harald Alvestrand wrote:
> > Den 12. feb. 2018 00:24, skrev Stephen Farrell:
> >>
> >> I forget if this was explicitly discussed before. Apologies if
> >> it was.
> >>
> >> I consider the following text ridiculous:
> >>
> >>    "Mode 1 MUST only be used when user consent has
> >>     been provided;"
> >>
> >> The reason is that it is not possible for all WebRTC users to
> >> ever provide real consent to something dealing with which IP
> >> addresses are used in ICE. So assuming consent is just BS, as
> >> people cannot provide consent to something they do not understand.
> >> (And that won't be explained by their systems or s/w.)
> >>
> >> For me, that means that this draft will appear pretty much as a
> >> fig leaf, intended by us technologists to allow us to pretend
> >> we're doing the right thing, when we're not. I think that's not
> >> really that useful.
> >>
> >> Is it really too late to try fix the concept of consent that's
> >> (ab)used in WebRTC?
> >
> > I'm sorry, but I don't agree with you on this point.
> 
> Fair enough.
> 
> >
> > The decision to go for these modes was based on the theory that if the
> > user has already consented to the near-perfect tracking abilities that
> > are implicit in offering a video stream (tracking camera defects, for
> > instance), and all the information that can be gleaned from a live audio
> > stream, then the idea of protecting the user against tracking by
> > restricting access to his IP addresses became of so little value that it
> > was moot and was worth trading away for better performance of the
> > functions the user asked for.
> 
> I understand that logic. It does however seem to have caused
> issues for at least some people who don't agree that the this
> leakage is moot. I'm not claiming that all such claims are
> well founded, but I think at least some are.
> 
> So this document tries to address two sets of issues:
> a) leakage in contexts when the user is not intentionally using a WebRTC application
> b) leakage in contexts when the user is intentionally using a WebRTC application
> 
> The 'consent' discussion is focused around a), with the result being that the ISP address will not be provided when using a VPN unless the user has consented to use of their camera. The WG went back and forth and came to a rough consensus on this being a reasonable solution to the problem.
> 
> However, b) is also discussed in the document, and browsers could implement their own local policy, e.g., their own default or perhaps a preference to exclusively use Mode 2, regardless of webcam consent.
> 
> Such an approach wouldn't provide as much nuance as your suggested per-interface permission list, but there already are examples of this (various browser extensions that set the ip-handling mode), and I think we can all admit that asking OSes to indicate which interfaces are OK to use for ICE would be a long-term project.
> 
> If it would help, I could rework the section around the recommended defaults to make it clear that users or browsers could choose not to use Mode 1, and/or discuss the defaults and how they relate to a)/b) above.

Justin: Since you offered ;) Go ahead and take a stab at it.

Everybody: Hoping this won’t be too controversial since it appeared that we were getting very close to being done with this draft.

> > Explanations about what the IP address is for and how it is used doesn't
> > matter in this argument. The point is that the user has already agreed
> > to a degree of invasion of privacy that a) is perfectly understandable,
> > and b) is of significantly more significance than what's being discussed
> > here.
> >
> > Unfortunately the way in which documents depend on each other, and the
> > degree to which it's desirable to have each area of concern be described
> > on its own, make it hard to state this in the document as explicitly as
> > I do when discussing it.
> >
> > This thread re-raises an issue that has been hashed over many times, and
> > I believe the current draft represents the (rough) consensus of the WG
> > on this matter.
> 
> I'm willing to accept that I'm in the rough in terms of how
> the WG is using the term "consent."
> 
> Nonetheless, if the term can be avoided here, then I still
> think that'd be an improvement.

Stephen: The only thing I’d add to Harald's point is that this draft hasn’t yet been through WGLC, but the draft has basically had the same recommendations since before it was a WG draft (the draft was adopted about two years ago).  Namely, Mode 1 (enumerate all addresses) is recommended only if the user has done something explicit else Mode 2 (default route + associated local addresses) is recommended.  While Justin might be reworking the section around the recommended defaults, I don’t think the recommended defaults are going to change (unless of course there’s a pretty substantial outcry that’s going to upset what appeared to be the emerging rough consensus).

spt

v2.23.0 | Report a Bug | By Email