Re: [webrtc-pc] Clarify reasoning behind and mitigation of privacy issues (PING review)

So, here is my attempt at documenting design decisions and possible 
counter-measures for the 4 items mentioned above - @alvestrand does 
that sound about right?

# Leaking of local IP addresses

As described in the spec and in the [supporting IETF 
 browsers can operate in 4 modes with regard to their policy of 
disclosing "local" IP addresses. The 4 modes represent different 
possible trade-offs users may want to make between limiting exposure 
of these IP addresses and performance of audio/video communications.
So what drove the design was the recognition that different users will
 want to make different trade-offs for different Web sites, and the 
proposed default mode of operation (mode 2 in the IETF document) 
offers a balance where no sensitive information gets leaked prior to 
consent on camera/mike usage, while still allowing a quicker network 
path when consent has been granted.
The proposed mitigation is to let users select a stricter (or looser) 
mode via their user agent.

# Change to the same-origin policy because of p2p communication
WebRTC does not change the same-origin policy: an origin cannot obtain
 data from another origin using the datachannel API.
WebRTC does offer a more direct transmission path from one browser to 
another peer (a browser or not) where the server attached to a given 
origin only needs to be used once for establishing the connection 
rather than serving as a relay (which is what WebSockets or even XHR 
enables). But the existence of that transmission path does not alter 
the restrictions of data across origins.
As a result, it's not clear that this feature needs any specific 

# Client-side or device id leakage
Beyond IP addresses (addressed above), the usage of the WebRTC API 
exposes more detailed and client-bound information about underlying 
software and hardware.
The expected mitigation for this risk is the one used for other 
similar features: browsers can support a mode where they disclose a 
uniform set of information instead of the one that would enable the 
more customized experience.

# Ad networks using WebRTC for accessing IP address
We believe that implementation of the mode 2 described above as the 
default mode of operation will severely limit that practice since only
 a limited number of IP addresses will be disclosed by default.

GitHub Notification of comment by dontcallmedom

Received on Monday, 30 January 2017 10:02:49 UTC
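As an added example that is not part of this thread or of the webrtc-pc spec: a small Node.js auditor that parses ICE candidate lines (constructed sample data below) and reports which local-interface addresses a page would learn from them, the kind of check one would run to see what a given IP-handling mode actually discloses. It goes slightly beyond the discussion above by also recognising mDNS-obfuscated host candidates, which browsers introduced later.

```javascript
// Added example, not code from the webrtc-pc thread: audit the ICE candidates a
// browser gathered and report which address classes a page could learn from them.

// IPv4 ranges that identify a local interface rather than a public endpoint.
const LOCAL_V4 = [
  [/^10\./, 'rfc1918'],
  [/^192\.168\./, 'rfc1918'],
  [/^172\.(1[6-9]|2\d|3[01])\./, 'rfc1918'],
  [/^169\.254\./, 'link-local'],
  [/^127\./, 'loopback'],
];

// Parse one "candidate:" attribute (RFC 5245 syntax) into its fields; null if malformed.
function parseCandidate(line) {
  const m = line.match(/^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/);
  if (!m) return null;
  return { foundation: m[1], component: +m[2], transport: m[3].toLowerCase(),
           priority: +m[4], address: m[5], port: +m[6], type: m[7] };
}

// Classify what a single candidate's address reveals about the client's network.
function classify(cand) {
  if (cand.address.endsWith('.local')) return 'mdns-obfuscated';
  if (cand.address.includes(':')) return cand.address.startsWith('fe80:') ? 'link-local' : 'ipv6';
  for (const [re, label] of LOCAL_V4) if (re.test(cand.address)) return label;
  return 'public';
}

// Summarise candidate lines by type (host = local interface, srflx = address seen by
// the STUN server, relay = TURN address) and list the local addresses disclosed.
function auditCandidates(lines) {
  const report = { host: [], srflx: [], relay: [], other: [] };
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    const bucket = report[c.type] ? c.type : 'other';
    report[bucket].push({ address: c.address, exposure: classify(c) });
  }
  report.localAddressesDisclosed = report.host
    .filter(h => h.exposure !== 'public' && h.exposure !== 'mdns-obfuscated')
    .map(h => h.address);
  return report;
}

// Constructed sample: what a browser in a permissive mode might hand to the page.
const SAMPLE_CANDIDATES = [
  'a=candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0',
  'a=candidate:2 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321',
  'a=candidate:3 1 udp 41885439 198.51.100.7 3478 typ relay raddr 203.0.113.45 rport 54321',
  'a=candidate:4 1 udp 2122260223 fe80::1ff:fe23:4567:890a 54322 typ host generation 0',
];
```

Run it with `node` and inspect `auditCandidates(SAMPLE_CANDIDATES).localAddressesDisclosed`; in a stricter IP-handling mode the host entries would be absent or mDNS-obfuscated and that list would be empty.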