- From: Keiji Takeda <tkeiji@w3.org>
- Date: Thu, 18 Feb 2016 10:52:06 -0500
- To: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Since we do not have much time, let me share my notes on the "Privacy and Security Considerations" section of the spec as a starting point. Any kind of feedback is welcome.

----

Quick review (privacy/security) note on "WebRTC 1.0: Real-time Communication Between Browsers", Section 13, Privacy and Security Considerations [1]
https://www.w3.org/TR/webrtc/#privacy-and-security-considerations

For past discussion on related issues see [3][4].

----

13.1 Impact on same origin policy

"The WebRTC specification provides no user prompts or chrome indicators for communication; it assumes that once the Web page has been allowed to access media, it is free to share that media with other entities as it chooses. Peer-to-peer exchanges of data view WebRTC datachannels can thus occur without any user explicit consent or involvement, similarly as a server-mediated exchange (e.g. via Web Sockets) could occur without user involvement."

The reasons for not providing user prompts or chrome indicators are not clear, even though such requirements (consent with a user prompt, or chrome indicators) are expected in terms of privacy and security. Especially in a privacy context we cannot assume that "once the Web page has been allowed to access media, it is free to share that media with other entities as it chooses", since the page may intend to abuse the user's privacy for its own purposes.

"it assumes that once the Web page has been allowed to access media, it is free to share that media with other entities as it chooses."

This assumption would better be validated with some reference or with some rational explanation.

"Peer-to-peer exchanges of data view WebRTC datachannels can thus occur without any user explicit consent or involvement, similarly as a server-mediated exchange (e.g. via Web Sockets) could occur without user involvement."

The explanations above, as reasons to accept this statement, feel a little weak, since this has a significant impact on the overall web security architecture.

----

13.2 Revealing IP addresses

"Browsers are encouraged to provide appropriate controls for deciding which IP addresses are made available to applications, based on the security posture desired by the user. The choice of which addresses to expose is controlled by local policy (see [RTCWEB-IP-HANDLING] for details)."

This is an opt-out approach to protecting the user's IP address. The real risks reside with users who are not aware of the use of the WebRTC function in browsers. It is well known that this WebRTC function has already been used to track users' behavior, so there should be some countermeasure for this type of usage.

webrtcH4cKS: ~ Dear NY Times, if you're going to hack people, at least do it cleanly!
https://webrtchacks.com/dear-ny-times/

How the New York Times uses WebRTC to gather local/vpn ip addresses
https://www.reddit.com/r/netsec/comments/3dgwee/how_the_new_york_times_uses_webrtc_to_gather/

----

13.3 Impact on local network

The mitigation methods here involve "request permission from the correspondent UA"; this seems to be at a different level of privacy/security compared to other parts of the WebRTC spec. Other functionality is expected to have this level of consideration for privacy and security.

----

13.4 Confidentiality of Communications

How the confidentiality of the contents of communications can be protected in the specification is not clear.

----

13.5 Persistent information exposed by WebRTC

"Beyond IP addresses, the WebRTC API exposes information about the underlying media system via the RTCRtpSender.getCapabilities and RTCRtpReceiver.getCapabilities methods, including detailed and ordered information about the codecs that the system is able to produce and consume. A subset of that information is likely to be represented in the SDP session descriptions generated, exposed and transmitted during session negotiation. That information is in most cases persistent across time and origins, and increases the fingerprint surface of a given device."

A solution to these issues should be explained or suggested. The reason for this design decision should also be explained.

"Media Capture and Streams" [2] has more attack surface for fingerprinting (e.g. deviceId in MediaDeviceInfo). Do we expect a separate chance to review the spec "Media Capture and Streams"?

----

[1] WebRTC 1.0: Real-time Communication Between Browsers
https://www.w3.org/TR/webrtc/
http://w3c.github.io/webrtc-pc/
[2] Media Capture and Streams
https://www.w3.org/TR/mediacapture-streams/
http://w3c.github.io/mediacapture-main/
[3] WebRTC Security Architecture
https://datatracker.ietf.org/doc/draft-ietf-rtcweb-security-arch/
[4] Security Considerations for WebRTC
https://datatracker.ietf.org/doc/draft-ietf-rtcweb-security/

On 2/18/16 10:35 AM, Christine Runnegar wrote:
> Hi all.
>
> Thanks so much for moving this forward.
>
> Just one note, we don't have a lot of time after the call to get back to the WG. So, as much as we can do before the call the better.
>
> Christine
>
>
>> On 18 Feb 2016, at 4:28 PM, Greg Norcie <gnorcie@cdt.org> wrote:
>>
>> It might be useful to discuss at the high level on the call, and then we can divvy up more detailed feedback (either on the call or offline).
>>
>>
>> /********************************************/
>> Greg Norcie (norcie@cdt.org)
>> Staff Technologist
>> Center for Democracy & Technology
>> District of Columbia office
>> (p) 202-637-9800
>> PGP: http://norcie.com/pgp.txt
>>
>> CDT's Annual Dinner (Tech Prom) is
>> April 6, 2016. Don't miss out!
>> learn more at https://cdt.org/annual-dinner
>> /*******************************************/
>>
>> On Thu, Feb 18, 2016 at 9:51 AM, Joseph Lorenzo Hall <joe@cdt.org> wrote:
>> I agree and we just got started on our review, so not sure discussing WebRTC is ripe for next week (I'll be out of town so can't join the call, dang it).
>> best, Joe
>>
>> On Thu, Feb 18, 2016 at 8:17 AM, Keiji Takeda <tkeiji@w3.org> wrote:
>>> This message is being sent only to the PING mailing list.
>>>
>>> Since the spec to review is relatively large and complex and has a significant impact on user privacy, I think it is better to spend enough time exchanging thoughts before the actual meeting, since the time is limited.
>>>
>>> Should we share our review results or questions on this mailing list? Or is there any good way for such internal discussion? (GitHub?)
>>>
>>> Keiji
>>>
>>>
>>> On 2/17/16 4:43 PM, Joseph Lorenzo Hall wrote:
>>>>
>>>> We do provide review comments and will consolidate them and bring them back to you. I have to warn you that some of the stuff we may raise will have been argued to death already at IETF and W3C, so it may be a case of a bunch of responses on your end of the variety: "Yes, we considered that before and the consensus of the group was x." :)
>>>>
>>>> On Wed, Feb 17, 2016 at 2:10 PM, Stefan Håkansson LK <stefan.lk.hakansson@ericsson.com> wrote:
>>>>>
>>>>> Thanks Greg and Keiji for your reviews. Is it correct to interpret Christine's message as that PING will discuss further and come back with review comments representing the whole group?
>>>>>
>>>>> Br,
>>>>> Stefan
>>>>>
>>>>>
>>>>> On 17/02/16 18:09, Greg Norcie wrote:
>>>>>>
>>>>>> I don't think you're misunderstanding, these all seem like valid points :)
>>>>>>
>>>>>> Looking forward to discussing!
>>>>>>
>>>>>>
>>>>>> /********************************************/
>>>>>> Greg Norcie (norcie@cdt.org)
>>>>>> Staff Technologist
>>>>>> Center for Democracy & Technology
>>>>>> District of Columbia office
>>>>>> (p) 202-637-9800
>>>>>> PGP: http://norcie.com/pgp.txt
>>>>>>
>>>>>> CDT's Annual Dinner (Tech Prom) is
>>>>>> April 6, 2016. Don't miss out!
>>>>>> learn more at https://cdt.org/annual-dinner
>>>>>> /*******************************************/
>>>>>>
>>>>>> On Wed, Feb 17, 2016 at 10:54 AM, Keiji Takeda <tkeiji@w3.org> wrote:
>>>>>>
>>>>>> Greg,
>>>>>>
>>>>>> Thank you for sharing your thoughts.
>>>>>>
>>>>>> I also have been reviewing the spec and have some points that need to be discussed.
>>>>>>
>>>>>> I feel like WebRTC is defining functions beyond current web security and privacy practices/principles, so we need to examine their appropriateness carefully.
>>>>>>
>>>>>> For example ...
>>>>>>
>>>>>> - It makes holes in the same origin policy.
>>>>>> - It reveals the client's IP addresses behind a VPN or Tor.
>>>>>> - It provides more fingerprinting surface to track users.
>>>>>> - Most functions are all or nothing (as Greg pointed out) and it is difficult to be conscious of them unless users intentionally use WebRTC. (An attack can be effective against users who do not use WebRTC.)
>>>>>>
>>>>>> I may be missing some point, but please let me know if I am misunderstanding.
>>>>>>
>>>>>> Keiji Takeda
>>>>>>
>>>>>>
>>>>>> On 2/16/16 3:35 PM, Greg Norcie wrote:
>>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I read through the WebRTC 1.0 spec, and I had a few things that jumped out, would love to hear if the rest of the group agrees/disagrees.
>>>>>>
>>>>>> First, I noticed that the getStats [1] API seems to get a ton of granular data, some of which could be used to fingerprint users. Do we feel that this level of granularity is in keeping with previous guidance on Fingerprinting? [2]
>>>>>>
>>>>>> Along similar lines, I noticed that consent for WebRTC seems to be quite all or nothing - once granted it seems to be difficult to revoke. Considering WebRTC can expose a user's local IP, maybe we should recommend that this consent be easily revocable and visible when in place?
>>>>>>
>>>>>>
>>>>>> This has come up in two different reviews now [3], so we may want to give some guidance in the privacy questionnaire. (I will be looking at our current language and drafting some changes later this week)
>>>>>>
>>>>>> [1] https://www.w3.org/TR/webrtc-stats/
>>>>>> [2] https://w3c.github.io/fingerprinting-guidance/
>>>>>> [3] The previous being the Permissions UI: https://www.w3.org/TR/permissions/
>>>>>>
>>>>>>
>>>>>> /********************************************/
>>>>>> Greg Norcie (norcie@cdt.org)
>>>>>> Staff Technologist
>>>>>> Center for Democracy & Technology
>>>>>> District of Columbia office
>>>>>> (p) 202-637-9800
>>>>>> PGP: http://norcie.com/pgp.txt
>>>>>>
>>>>>>
>>>>>> CDT's Annual Dinner (Tech Prom) is April 6, 2016. Don't miss out! learn more at https://cdt.org/annual-dinner
>>>>>> /*******************************************/
>>>>>>
>>>>>> On Mon, Feb 1, 2016 at 5:08 AM, Stefan Håkansson LK <stefan.lk.hakansson@ericsson.com> wrote:
>>>>>>
>>>>>> Dear Privacy Interest Group,
>>>>>>
>>>>>> The WebRTC Working Group is working toward publishing the WebRTC 1.0 specification to Candidate Recommendation and is thus seeking wide review on the document:
>>>>>>
>>>>>> https://www.w3.org/TR/2016/WD-webrtc-20160128/
>>>>>>
>>>>>> We are particularly interested in feedback on the following aspects from PING:
>>>>>> - the privacy considerations,
>>>>>> - more specifically, the risks associated with exposing IP addresses as part of the establishment of the P2P connection,
>>>>>> - the privacy properties of the identity verification mechanism,
>>>>>> - the guarantees provided by isolated mediastreams.
>>>>>>
>>>>>> We of course also welcome feedback on any other aspect of the specification.
>>>>>>
>>>>>> We would appreciate it if that feedback could be provided before the week of February 22, when our next meeting is scheduled, and no later than March 1st.
>>>>>>
>>>>>> If you have any comments, we prefer you submit them as Github issues: https://github.com/w3c/webrtc-pc/issues
>>>>>> Alternatively, you can send your comments by email to public-webrtc@w3.org.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> For the WebRTC co-chairs,
>>>>>> Stefan Håkansson
>>>>>>
>>
>> --
>> Joseph Lorenzo Hall
>> Chief Technologist, Center for Democracy & Technology [https://www.cdt.org]
>> e: joe@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
>> Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10 1607 5F86 6987 40A9 A871
>>
>> CDT's annual dinner, Tech Prom, is April 6, 2016! https://cdt.org/annual-dinner
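Section 13.2 of the review note above concerns which addresses the ICE candidates in an SDP offer reveal. The following is an added example, not code from the thread, the WebRTC spec or any browser: a pure-JavaScript audit that parses the a=candidate lines of an offer and states what each one exposes, so a user or tester can verify that a browser's IP-handling policy (or a page's own iceTransportPolicy: "relay") really keeps host and server-reflexive candidates out of the offer. The SDP, addresses and the mDNS name are constructed sample data.

```javascript
// Added example (not from the thread or the spec): audit what the a=candidate
// lines of an SDP offer expose. Pure string parsing, no RTCPeerConnection, so it runs in Node.

// Constructed sample offer with one candidate of each kind; addresses are from
// the RFC 5737 documentation ranges and RFC 1918, not real hosts.
const SAMPLE_SDP = [
  "m=audio 9 UDP/TLS/RTP/SAVPF 111",
  "a=candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host",
  "a=candidate:2 1 udp 2122194687 203.0.113.7 51235 typ host",
  "a=candidate:3 1 udp 1686052607 198.51.100.9 51236 typ srflx raddr 192.168.1.23 rport 51234",
  "a=candidate:4 1 udp 41885439 192.0.2.50 3478 typ relay raddr 198.51.100.9 rport 51236",
  "a=candidate:5 1 udp 2122260223 3f1e2d4c-8a9b-4c7d-9e1f-2a3b4c5d6e7f.local 51237 typ host",
].join("\r\n");

// Loopback, link-local, RFC 1918 and RFC 4193 ranges: a host candidate here
// reveals local-network layout rather than the user's public address.
function isPrivateAddress(addr) {
  if (addr.endsWith(".local")) return false; // mDNS name, not an IP literal
  if (addr.includes(":")) {
    const a = addr.toLowerCase();
    return a === "::1" || a.startsWith("fc") || a.startsWith("fd") || a.startsWith("fe80:");
  }
  const [a, b] = addr.split(".").map(Number);
  return a === 10 || a === 127 || (a === 192 && b === 168) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 169 && b === 254);
}

// Parse each a=candidate line into {type, address, exposure}: what a page or
// peer that reads this SDP learns from that candidate.
function auditCandidates(sdp) {
  const out = [];
  for (const line of sdp.split(/\r?\n/)) {
    const m = /^a=candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (host|srflx|prflx|relay)/.exec(line);
    if (!m) continue;
    const [, address, type] = m;
    let exposure;
    if (type === "relay") exposure = "relay: only the TURN server address, peer IP hidden";
    else if (address.endsWith(".local")) exposure = "mdns: host candidate replaced by an mDNS name";
    else if (type === "host") exposure = isPrivateAddress(address)
      ? "host: local-network address"
      : "host: public address of a local interface (real address, even behind a VPN)";
    else exposure = `${type}: public address as seen by a STUN server`;
    out.push({ type, address, exposure });
  }
  return out;
}

// True when the offer carries nothing but relay candidates, which is what a
// relay-only browser policy or iceTransportPolicy: "relay" should produce.
function isRelayOnly(sdp) {
  const c = auditCandidates(sdp);
  return c.length > 0 && c.every((x) => x.type === "relay");
}
```

Running auditCandidates over the offer a browser actually generates (for example from RTCPeerConnection.localDescription.sdp) shows which of these exposures the current browser settings allow; isRelayOnly returning false for a browser configured for relay-only candidates means the policy is not taking effect.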
Received on Thursday, 18 February 2016 15:52:12 UTC