Re: [rtcweb] I-D Action: draft-ietf-rtcweb-ip-handling-01.txt
Philipp Hancke <fippo@goodadvice.pages.de> Tue, 26 April 2016 08:11 UTC
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/z_YVMi-ALYJF6Vv-syDINq2ceBA>
On 20.03.2016 at 23:31, internet-drafts@ietf.org wrote:
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Real-Time Communication in WEB-browsers of the IETF.
>
>         Title           : WebRTC IP Address Handling Recommendations
>         Authors         : Justin Uberti
>                           Guo-wei Shieh
>         Filename        : draft-ietf-rtcweb-ip-handling-01.txt
>         Pages           : 8
>         Date            : 2016-03-20

I stumbled upon a (now deleted) stackoverflow posting yesterday in which obfuscated code "used webrtc" to hack the user's router. Basically webrtc was used to get the local IP address, from which the router's IP is inferred. Then a default admin account is tried.

It turns out the idea is not new; I heard from some former coworkers that they used this in penetration testing before. But it has now reached stackoverflow, which means there will soon be rumors and all kinds of "webrtc allows hacking your router" stories.

The principal problem here is default passwords. WebRTC makes it slightly easier by removing the need to run a series of HTTP requests to find out the router's IP.

Should this be mentioned as an example in #1 of the problem statement?