- From: Colin Gallagher <colingallagher.rpcv@gmail.com>
- Date: Mon, 22 May 2017 12:33:36 -0700
- To: "public-web-security@w3.org" <public-web-security@w3.org>
- Message-ID: <CABghAMipUfFGMb7WPsC0FscjBcj9n0gb5ps-s4T=-JYQuTtUJw@mail.gmail.com>
I'm hoping this is the right place to ask for some sort of new security review of WebRTC. If not please redirect / shunt or whatever. The WebRTC description / code is at https://webrtc.org/ The problem under consideration is as follows: Recently I came upon a vendor who shall remain unnamed who uses WebRTC as the backbone for their video conferencing service. As a result, I found I was unable to access the service in question without disabling some security settings which I would have preferred to leave intact. My system is (based on what the aforementioned service detects) Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0. This is Ubuntu 16.10 64-bit with Firefox 53.0.2. However, quite some *long* while back I disabled WebRTC because of the security vulnerability (described in part here on information security stack exchange <https://security.stackexchange.com/questions/82129/what-is-webrtc-and-how-can-i-protect-myself-against-leaking-information-that-doe>). So as to mitigate this vulnerability, I changed settings in Firefox as follows: 1. I typed *about:config* in the address bar 2. I found the setting *media.peerconnection.enabled* 3. I set it to *false* Unfortunately, this setting does not allow Firefox to work with the video conferencing service in question, which relies entirely on WebRTC. So I had to go back in and change the media.peerconnection.enabled setting to *true* in Firefox in order to get it to work with the service in question. While this enabled me to conference with teams that desire to use the video conferencing service that rely wholly upon WebRTC, it concerns me because of the security vulnerability. Furthermore, upon reload of the browser, even after setting media.peerconnection.enabled to *true*, the video conferencing service wouldn't work until I installed the WebRTC 0.1.3 extension for Firefox and set it to expose my real IP address as well as allowing the following: a. navigator.getUserMedia b. window.MediaStreamTrack c. window.RTCPeerConnection d. window.RTCSessionDescription That seemed to me to be a direct consequence of the persistent and ongoing security vulnerability in WebRTC. I contacted the video conferencing service provider and their solution was simply to state that "If the peer to peer connection is of concern, you can utilize our premium version which will route traffic through a forwarding server with in our environment that handles the processing of the video and sound of all users in the conference and send it to each user individually rather than using a peer to peer connection." In other words, they expect that people should have to pay in order to mitigate this WebRTC security vulnerability <https://security.stackexchange.com/questions/82129/what-is-webrtc-and-how-can-i-protect-myself-against-leaking-information-that-doe>, because they are unwilling to design to protect all users from it. Although undoubtedly this has been discussed here before, I am asking that it be reconsidered and that a new security review be done to ameliorate or eliminate this problem in terms of WebRTC leaking this information. Respectfully, Colin Gallagher
Received on Monday, 22 May 2017 19:35:21 UTC