Request for Reconsideration and New Security Review of WebRTC

I'm hoping this is the right place to ask for some sort of new security
review of WebRTC.  If not please redirect / shunt or whatever.

The WebRTC description / code is at

The problem under consideration is as follows:

Recently I came upon a vendor who shall remain unnamed who uses WebRTC as
the backbone for their video conferencing service.  As a result, I found I
was unable to access the service in question without disabling some
security settings which I would have preferred to leave intact.

My system is (based on what the aforementioned service detects) Mozilla/5.0
(X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0.  This is
Ubuntu 16.10 64-bit with Firefox 53.0.2.

However, quite some *long* while back I disabled WebRTC because of the
security vulnerability (described in part here on information security
stack exchange
So as to mitigate this vulnerability, I changed settings in Firefox as

   1. I typed *about:config* in the address bar
   2. I found the setting *media.peerconnection.enabled*
   3. I set it to *false*

Unfortunately, this setting does not allow Firefox to work with the video
conferencing service in question, which relies entirely on WebRTC.

So I had to go back in and change the media.peerconnection.enabled setting
to *true* in Firefox in order to get it to work with the service in
question. While this enabled me to conference with teams that desire to use
the video conferencing service that rely wholly upon WebRTC, it concerns me
because of the security vulnerability.

Furthermore, upon reload of the browser, even after setting
media.peerconnection.enabled to *true*, the video conferencing service
wouldn't work until I installed the WebRTC 0.1.3 extension for Firefox and
set it to expose my real IP address as well as allowing the following:

a. navigator.getUserMedia
b. window.MediaStreamTrack
c. window.RTCPeerConnection
d. window.RTCSessionDescription

That seemed to me to be a direct consequence of the persistent and ongoing
security vulnerability in WebRTC.

I contacted the video conferencing service provider and their solution was
simply to state that "If the peer to peer connection is of concern, you can
utilize our premium version which will route traffic through a forwarding
server with in our environment that handles the processing of the video and
sound of all users in the conference and send it to each user individually
rather than using a peer to peer connection."  In other words, they expect
that people should have to pay in order to mitigate this WebRTC security
because they are unwilling to design to protect all users from it.

Although undoubtedly this has been discussed here before, I am asking that
it be reconsidered and that a new security review be done to ameliorate or
eliminate this problem in terms of WebRTC leaking this information.


Colin Gallagher

Received on Monday, 22 May 2017 19:35:21 UTC