W3C home > Mailing lists > Public > public-privacy@w3.org > January to March 2017

Re: PING feedback on WebRTC 1.0

From: Dominique Hazael-Massieux <dom@w3.org>
Date: Tue, 7 Feb 2017 11:28:38 +0100
To: public-privacy@w3.org
Cc: "vivien@w3.org" <vivien@w3.org>, Stefan Hakansson LK <stefan.lk.hakansson@ericsson.com>, Harald Alvestrand <hta@google.com>
Message-ID: <ea5f770d-3298-f9f8-d30b-ea41a8132966@w3.org>
Hi,

On 27/01/2017 17:12, Dominique Hazael-Massieux wrote:
>> Questions summarized from the PING discussion:
>>
>> 1. In reading privacy/security considerations of the spec, the group 
>> recognized the various issues, but it was not always clear how
>> issues were solved or mitigated. Can you provide more documentation
>> on countermeasures and why certain decisions were made? Examples:
>> the concrete reasons to accept changes to the same-origin policy.
>> (e.g., not only because websocket does it.)
>>
>> 2. Related items that were of concern, for which a response would be 
>> helpful: leaking of local IP addresses; change to the same-origin
>> policy because of p2p communication; client-side or device id
>> leakage; ad networks using WebRTC for accessing IP address.
>
> I plan on getting back to you on issue 687 (i.e. your comments 1 and 2
> above) soon, but it would be great if we could already get closure on
> the 3 issues described above.

Here is some more detailed explanation about your points 1 & 2 above. I
would appreciate if you could also indicate whether this addresses your
initial comment - preferably, before the end of this month.

----
# Leaking of local IP addresses

As described in the spec and the in the [supporting IETF
spec](https://datatracker.ietf.org/doc/draft-ietf-rtcweb-ip-handling/),
browsers can operate in 4 modes with regard to their policy of
disclosing "local" IP addresses. The 4 modes represent different
possible trade-offs users may want to make between limiting exposure of
these IP addresses and performance of audio/video communications.
So what drove the design was the recognition that different users will
want to make different trade-offs for different Web sites, and the
proposed default mode of operation (mode 2 in the IETF document) offers
a balance where no sensitive information gets leaked prior to consent on
camera/mike usage, while still allowing quicker network path when
consent has been granted.
The proposed mitigation is to let users select a stricter (or looser)
mode via their user agent.

# Change to the same-origin policy because of p2p communication
WebRTC does not change the same-origin policy: an origin cannot obtain
data from another origin using the datachannel API without its cooperation.
WebRTC does offer a more direct transmission path from one browser to
another peer (a browser or not) where the server attached to a given
origin only needs to be used once for establishing the connection rather
than serving as a relay (which is what WebSockets or even XHR enables).
But the existence of that transmission path does not alter the
restrictions of data across origins.
As a result, it's not clear that this feature needs any specific mitigation.

# Client-side or device id leakage
Beyond IP addresses (addressed above), the usage of the WebRTC API
exposes more detailed and client-bound information about underlying
software and hardware.
The expected mitigation for this risk is the one used for other similar
features: browsers can support a mode where they disclose a uniform set
of information instead of the one that would enable the more customized
experience.

# Ad networks using WebRTC for accessing IP address
We believe that implementation of the mode 2 described above as the
default mode of operation will severely limit that practice since only a
limited number of IP addresses will be disclosed by default.
----

Thanks,

Dom

> 1. http://w3c.github.io/webrtc-pc/
> 2. https://w3c.github.io/mediacapture-main/
> 
Received on Tuesday, 7 February 2017 10:28:53 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 7 February 2017 10:28:53 UTC