Security mitigations for IP leakage

Hi,

As previously discussed, the ability that WebRTC gives to any random web 
site to discover IP addresses that would not be otherwise detectable is 
an issue that we will need to address:
https://github.com/w3c/webrtc-pc/issues/179

Justin recently brought a proposal to the RTCWeb list on how to manage 
this mostly from a protocol perspective:
http://www.ietf.org/mail-archive/web/rtcweb/current/msg14494.html

In complement to the protocol approach, I thought it would be worthwhile 
to document what mitigation mechanisms exist on the Web platform to 
limit when potentially sensitive features can be used by Web pages.

I list below the ones I've been able to identify (but there may be 
more); I think it would be useful to study at some point which of these 
could be used to limit the impact of the IP address leakage — but that 
probably requires a good understanding of the various threats that 
revealing private IP address entails (on which I have enlisted the help 
of the Privacy Interest Group, with only limited results so far [1]).

The mitigations off the top of my head (please help complete it):
* the same-origin policy (limits what can be done on and by resources 
from different origins)

* user prompt (ask the user before granting permission)

* user forgiveness (allow by default, but let user undo the permission 
grant)

* user opt-in (denied by default, but allow the user to explicitly allow)

* user engagement (only grant access to a feature if the user has 
interacted with the page)

* restricted to top-level browsing context (a feature can only be used 
from the top frame, with sometimes the ability to explicitly grant it to 
embedded content)

* content security policy (limit set by HTTP header on what the content 
can do)

* UI indicators (give hints to the user that something is going on)

* secure-origin only (feature only available from https)

* frecency heuristics (feature only available if the user has come to a 
given Web page recently and frequently)

* bundled permission (permission granted if a more sensitive and related 
permission has been granted)

* whitelist / blacklist and other out-of-band mechanisms (e.g. search 
engine warnings)

Dom

1. https://www.w3.org/wiki/Privacy/IPAddresses

Received on Wednesday, 22 April 2015 09:06:52 UTC
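As an added example (not part of Dom's message, nor W3C or browser code), the following JavaScript sketches how several of the mitigations in the list above can be combined into a single gating decision for a sensitive feature such as local-address candidate gathering. The context fields, mitigation names, the `BUNDLED_WITH` set and the two policy profiles are assumptions chosen for illustration; they are not a real browser API.

```javascript
// Added example (not from the original email): a small policy evaluator that
// composes several Web-platform mitigations into one allow/deny decision.
// All field names on `ctx` and all mitigation names are illustrative assumptions.

// "Bundled permission": the feature is allowed if one of these more sensitive,
// related permissions has already been granted (assumed list).
const BUNDLED_WITH = ['camera', 'microphone'];

const MITIGATIONS = {
  // secure-origin only: feature only available from https
  secureOriginOnly: (ctx) => ctx.isSecureContext === true,
  // restricted to top-level browsing context, unless the top frame delegated it
  topLevelOnly: (ctx) => ctx.isTopLevel === true || ctx.delegatedByTopFrame === true,
  // user engagement: the page must have received a user interaction
  userEngagement: (ctx) => ctx.hasUserActivation === true,
  // user opt-in: denied by default, allowed only after an explicit grant
  userOptIn: (ctx) => ctx.featurePermission === 'granted',
  // user forgiveness: allowed by default, but an explicit revocation wins
  userForgiveness: (ctx) => ctx.featurePermission !== 'denied',
  // bundled permission: allowed if a related, more sensitive permission is held
  bundledPermission: (ctx) =>
    (ctx.grantedPermissions || []).some((p) => BUNDLED_WITH.includes(p)),
};

// Evaluate a policy against a page context. Every name in `required` must pass;
// at least one name in `anyOf` must pass (if `anyOf` is non-empty). The failing
// checks are returned so a caller can explain the denial or drive a UI indicator.
function evaluatePolicy(ctx, { required = [], anyOf = [] } = {}) {
  const failed = required.filter((name) => !MITIGATIONS[name](ctx));
  const anyPassed = anyOf.length === 0 || anyOf.some((name) => MITIGATIONS[name](ctx));
  if (!anyPassed) failed.push(`anyOf(${anyOf.join('|')})`);
  return { allowed: failed.length === 0, failed };
}

// Two illustrative profiles: a strict one that needs https, top-level context,
// a user gesture and either an explicit opt-in or a bundled grant, and a
// permissive one that only needs https and the absence of a revocation.
const STRICT_POLICY = {
  required: ['secureOriginOnly', 'topLevelOnly', 'userEngagement'],
  anyOf: ['userOptIn', 'bundledPermission'],
};
const PERMISSIVE_POLICY = {
  required: ['secureOriginOnly'],
  anyOf: ['userForgiveness'],
};

// Constructed page contexts (sample data, not captured from any browser).
const CONTEXTS = {
  // third-party iframe on https, no user interaction, no permission decision yet
  embeddedThirdParty: {
    isSecureContext: true, isTopLevel: false, delegatedByTopFrame: false,
    hasUserActivation: false, featurePermission: 'prompt', grantedPermissions: [],
  },
  // top-level https video-call page that holds camera/mic after a user click
  videoCall: {
    isSecureContext: true, isTopLevel: true, hasUserActivation: true,
    featurePermission: 'prompt', grantedPermissions: ['camera', 'microphone'],
  },
  // top-level plain-http page, even with an explicit grant
  plainHttp: {
    isSecureContext: false, isTopLevel: true, hasUserActivation: true,
    featurePermission: 'granted', grantedPermissions: [],
  },
};

// Run every context through both profiles and print the decisions.
function report() {
  const rows = [];
  for (const [name, ctx] of Object.entries(CONTEXTS)) {
    for (const [label, policy] of [['strict', STRICT_POLICY], ['permissive', PERMISSIVE_POLICY]]) {
      const { allowed, failed } = evaluatePolicy(ctx, policy);
      rows.push(`${name}/${label}: ${allowed ? 'allow' : 'deny'}` +
        (failed.length ? ` (failed: ${failed.join(', ')})` : ''));
    }
  }
  return rows;
}

report().forEach((line) => console.log(line));
```

The point the output makes is that the permissive profile (allow by default, user can revoke) still lets the embedded third-party frame through, while the strict profile denies it on three independent grounds; which profile is appropriate depends on the threat analysis the message says is still needed.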