IETF Logo Mail Archive

Re: [rtcweb] Security implications of host candidates

Feross Aboukhadijeh <feross@feross.org> Sat, 07 July 2018 23:00 UTC

Return-Path: <feross@feross.org>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0076B130EE9 for <rtcweb@ietfa.amsl.com>; Sat, 7 Jul 2018 16:00:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=feross-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z23Bu_HNEIUW for <rtcweb@ietfa.amsl.com>; Sat, 7 Jul 2018 16:00:18 -0700 (PDT)
Received: from mail-ed1-x533.google.com (mail-ed1-x533.google.com [IPv6:2a00:1450:4864:20::533]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DAE43130EE1 for <rtcweb@ietf.org>; Sat, 7 Jul 2018 16:00:17 -0700 (PDT)
Received: by mail-ed1-x533.google.com with SMTP id e19-v6so11102023edq.7 for <rtcweb@ietf.org>; Sat, 07 Jul 2018 16:00:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=feross-org.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=OoYZEUgbPHVjqKXMhEO+Y721tzO8H5bsTpoj9UY/Znc=; b=Jyn1uR74gR3C2zOHskh9PDUrX5aCmLWf+UCGv8VWPtJfufrXZMKk7TA0HTYbVPXpxf 9kjuSBYF+hkxQudWJq3CGFP7ob3xfc0v+kztOCJjULF7eqByQb5XgPsp1HQHJFibYAEe ZUAqOmPCGTRYaDwv/r4QUpqqp1AAMVWkwCuUjkZYhrY3ePgwT4Dgob3yfx+wQFDEImis Irhd+rjLt7geFVKMoU1NqI8rZleavjTgOQ0iI/DpY0t3fJ+LrstKDrGR6mRk2TLxtYL3 1XepdTVmqZPMZRyGXdFhA4fTHa9ByurBSMEds/L459W+wMt7xzBDn2dVzXk0fSg2K8MA 0UVw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=OoYZEUgbPHVjqKXMhEO+Y721tzO8H5bsTpoj9UY/Znc=; b=COmhV4QaLKKa738eIare5l5USl4xp4Sc7U3Z+OkaD7ZbPSDFwejNhQdpdyMFfltsDq G0fam2F9c4H5VrQrWY8DN/+RRmnwyJVZILdIZOtXIVSRVpbRycXS9uH+AUV3Hog113JB G+nAtJAa7IoIEQNs5s/Zb90fytyABTiESFyHvrHXeg+NZ6Q+kAschx9ApTv3HtN8L4nC KggWxYLqvMU1aLXUFCDSiYhz+sfJKqOMj8kzEjAUij6zlBSy3eZj6n+TwMyuSAXwkEUp YlQkYcwCLmsi4Vvf+nyxaJHL2TIQoT3E7W2iwsuqElUvwIJeQXZ0LDjSmr6vVdFROzQR S26w==
X-Gm-Message-State: APt69E3DUJ4aR/ANPhpzyWMC/qTH0RKq/YiH2k5W36woIbdhWy2rVa/8 KJzWXZQWEipQBVGFAoYS19jOupl8gSc=
X-Google-Smtp-Source: AAOMgpcmpB8yTEC11AtMPAUa79Bkeby/jM0JkqjhP8IYKlo4G1yqOyF7EZHgOzM2p7eykBD6QFBhSw==
X-Received: by 2002:a50:87d2:: with SMTP id 18-v6mr4428558edz.1.1531004415925; Sat, 07 Jul 2018 16:00:15 -0700 (PDT)
Received: from mail-wr1-f45.google.com (mail-wr1-f45.google.com. [209.85.221.45]) by smtp.gmail.com with ESMTPSA id s21-v6sm5461236edr.62.2018.07.07.16.00.14 for <rtcweb@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 07 Jul 2018 16:00:14 -0700 (PDT)
Received: by mail-wr1-f45.google.com with SMTP id k7-v6so7322594wrq.0 for <rtcweb@ietf.org>; Sat, 07 Jul 2018 16:00:14 -0700 (PDT)
X-Received: by 2002:adf:f8c7:: with SMTP id f7-v6mr3169937wrq.237.1531004413910; Sat, 07 Jul 2018 16:00:13 -0700 (PDT)
MIME-Version: 1.0
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CANN+akZLRdZdexjU44zPCA6vdQR0hVYT17_4P8DefC0JbRL5mA@mail.gmail.com> <CAOJ7v-2JdiMJ9iWE_cL8G7xDM6iekexJL8KLEbz0jD=p7hiGZg@mail.gmail.com> <CANN+akbv2mpyhgV5vxDHKcsA8UPsSEr0bEjJK4xYxtvbkXNA7w@mail.gmail.com> <CAOJ7v-3gHMCxHU02YG3NoqvWHtXgOSWSm+y88GNDW0qc=Sqq=A@mail.gmail.com> <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com> <CANN+akZ=Ebw41mA2wEX7-4u6q5WcZbFtM=VMLX4nDK39S=QGOQ@mail.gmail.com> <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com> <0ED74BE5-AC02-44C5-80E1-18532BD3D1FF@westhawk.co.uk> <CAOJ7v-0TGqvp=MUmeEUjYZTcvV37qbYSTV0pFMoi1J0CJQ7Q4A@mail.gmail.com>
In-Reply-To: <CAOJ7v-0TGqvp=MUmeEUjYZTcvV37qbYSTV0pFMoi1J0CJQ7Q4A@mail.gmail.com>
From: Feross Aboukhadijeh <feross@feross.org>
Date: Sat, 07 Jul 2018 15:59:37 -0700
X-Gmail-Original-Message-ID: <CA+nRABmKwULPcVCHWSjJxmtDcRoPef-7Aq-hoiGn69Z0+b0JGg@mail.gmail.com>
Message-ID: <CA+nRABmKwULPcVCHWSjJxmtDcRoPef-7Aq-hoiGn69Z0+b0JGg@mail.gmail.com>
To: juberti=40google.com@dmarc.ietf.org
Cc: thp@westhawk.co.uk, rtcweb@ietf.org, yfablet@apple.com
Content-Type: multipart/alternative; boundary="0000000000003da6c6057070be81"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/yu7KI0Q-LUq5wt4sNrRNcgegwgg>
Subject: Re: [rtcweb] Security implications of host candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Jul 2018 23:00:21 -0000

> It sorta feels like a same origin policy on the data channel might help.

This would break use cases like WebTorrent, and many other Decentralized
Web projects that utilize the data channel to send data between cooperating
pages hosted on different origins. Also, as Justin pointed out, this
doesn't solve the issue since two pages on the same origin but in different
browsing contexts could still communicate.

Feross

I write at feross.org and tweet as @feross <https://twitter.com/feross>.
I work on WebTorrent <https://webtorrent.io/>, Standard
<https://standardjs.com/>, and Study Notes <https://www.apstudynotes.org/>.


On Fri, Jul 6, 2018 at 12:35 PM Justin Uberti <juberti=
40google.com@dmarc.ietf.org> wrote:

>
>
> On Fri, Jul 6, 2018 at 10:53 AM westhawk <thp@westhawk.co.uk> wrote:
>
>> I think perhaps we should step back and see if we can block the threat
>> earlier on.
>>
>> If I understand correctly the issue is that 2 pages of different origin
>> could include 3rd party
>> javascript that connects to a web service to exchange OA and establish a
>> data channel
>> between the pages. It then looks at the latency and figures out that the
>> two are on
>> the same network/device.
>>
>> Is there a way we can make this prohibitively expensive or inaccurate?
>>
>> It sorta feels like a same origin policy on the data channel might help..
>> -Perhaps sign the webRTC certificates with the origin and have DTLS
>> refuse a handshake if
>> the two ends don’t have a common signature.
>>
>
> The issue is that two pages (probably of the same origin) can determine
> that they are on the same host even when running in different browsing
> contexts (e.g., one being in private browsing mode), by establishing a p2p
> connection and measuring latency.
>
> The key questions are a) whether this gives up information that is not
> already present (e.g., by looking at your own IPv6 address), and b) what
> mitigations might exist.
>
> We'll have some time to discuss in Montreal.
>
>
>> I’m obviously very keen to avoid forcing all data channel traffic through
>> TURN.
>>
>
>>
>>
>> On 6 Jul 2018, at 18:15, Justin Uberti <
>> juberti=40google.com@dmarc.ietf.org> wrote:
>>
>> Thanks for the new version. I tried a few scenarios and agree that this
>> technique can identify a same-host situation fairly reliably, especially in
>> wireless environments; I typically saw ~2 ms latency for same-host and 5-10
>> ms latency (with occasional spikes) for over-the-air connections.
>>
>> I'm still not quite sure what we should do about it; as noted, public
>> IPv4 + user-agent (http://www.whatsmyua.info/) is probably unique in the
>> vast majority of cases, and the situation is unavoidable with IPv6.
>>
>>
>>
>> On Wed, Jul 4, 2018 at 2:12 PM youenn fablet <youennf@gmail.com> wrote:
>>
>>>
>>> Le mar. 3 juil. 2018 à 14:40, Justin Uberti <juberti@google.com> a
>>> écrit :
>>>
>>>> Updated fiddle (outputs to display as well as console):
>>>> https://jsfiddle.net/juberti/x7a8ut0q/37/
>>>>
>>>
>>> Right, this shows the local loopback latency.
>>>
>>>
>>>> On Tue, Jul 3, 2018 at 11:16 AM Justin Uberti <juberti@google.com>
>>>> wrote:
>>>>
>>>>> I wasn't able to get that example to work (tried with 2 Chrome and 2
>>>>> Safari instances, got a setRemoteDescription error both times), but I was
>>>>> able to make a JSFiddle <https://jsfiddle.net/juberti/x7a8ut0q/25/>
>>>>> which does something similar in a single page. At present, even host-host
>>>>> connections were seeing a 2 ms RTT, possibly because of the clamping
>>>>> <https://developer.mozilla.org/en-US/docs/Web/API/Performance/now>
>>>>> that has been applied to performance.now() to deal with Spectre et al.
>>>>>
>>>>
>>> I updated
>>> https://evening-thicket-98446.herokuapp.com/src/content/peerconnection/datachannel-b2b/,
>>> it should hopefully be more intuitive to use this time:
>>> 1. load the page in one device
>>> 2. load the link provided by the page on another device
>>> 3. click 'call' on the first page
>>> 4. a latency value should appear on the page and be continuously updated
>>>
>> _______________________________________________
>> rtcweb mailing list
>> rtcweb@ietf.org
>> https://www.ietf.org/mailman/listinfo/rtcweb
>>
>>
>> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb
>

v2.23.0 | Report a Bug | By Email