- From: Dominique Hazael-Massieux via GitHub <sysbot+gh@w3.org>
- Date: Mon, 30 Jan 2017 10:02:13 +0000
- To: public-webrtc-logs@w3.org
So, here is my attempt at documenting design decisions and possible counter-measures for the 4 items mentioned above - @alvestrand does that sound about right?

# Leaking of local IP addresses

As described in the spec and in the [supporting IETF spec](https://datatracker.ietf.org/doc/draft-ietf-rtcweb-ip-handling/), browsers can operate in 4 modes with regard to their policy of disclosing "local" IP addresses. The 4 modes represent different possible trade-offs users may want to make between limiting exposure of these IP addresses and performance of audio/video communications.

So what drove the design was the recognition that different users will want to make different trade-offs for different Web sites, and the proposed default mode of operation (mode 2 in the IETF document) offers a balance where no sensitive information gets leaked prior to consent on camera/mike usage, while still allowing a quicker network path when consent has been granted.

The proposed mitigation is to let users select a stricter (or looser) mode via their user agent.

# Change to the same-origin policy because of p2p communication

WebRTC does not change the same-origin policy: an origin cannot obtain data from another origin using the datachannel API. WebRTC does offer a more direct transmission path from one browser to another peer (a browser or not) where the server attached to a given origin only needs to be used once for establishing the connection rather than serving as a relay (which is what WebSockets or even XHR enables). But the existence of that transmission path does not alter the restrictions on data across origins.

As a result, it's not clear that this feature needs any specific mitigation.

# Client-side or device id leakage

Beyond IP addresses (addressed above), the usage of the WebRTC API exposes more detailed and client-bound information about underlying software and hardware.

The expected mitigation for this risk is the one used for other similar features: browsers can support a mode where they disclose a uniform set of information instead of the one that would enable the more customized experience.

# Ad networks using WebRTC for accessing IP addresses

We believe that implementation of the mode 2 described above as the default mode of operation will severely limit that practice since only a limited number of IP addresses will be disclosed by default.

-- 
GitHub Notification of comment by dontcallmedom
Please view or discuss this issue at https://github.com/w3c/webrtc-pc/issues/687#issuecomment-276022166 using your GitHub account
Received on Monday, 30 January 2017 10:02:49 UTC
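The IP-address disclosure discussed in the comment above (the "Leaking of local IP addresses" and "Ad networks using WebRTC" items) can be checked from the ICE candidates a page actually sees. The following JavaScript is an added example, not code from the w3c/webrtc-pc issue, the WebRTC spec or the IETF ip-handling draft: it parses candidate lines in the `a=candidate:` syntax of RFC 5245 and reports which client addresses they disclose, including the `raddr` field of server-reflexive candidates, which carries the local address the public one was mapped from and is easy to overlook. In a browser the lines would come from `onicecandidate` events (`event.candidate.candidate`) or from `pc.localDescription.sdp`; here the candidate lines, addresses, policy labels and function names are constructed for illustration. The `.local` case models mDNS-obfuscated host candidates, a later browser mitigation the comment does not mention.

```javascript
// Added example (not from the w3c/webrtc-pc issue or the IETF draft): audit
// which client IP addresses a set of ICE candidates discloses. Candidate
// syntax follows the "a=candidate:" attribute of RFC 5245 section 15.1.

// Constructed sample: a browser gathering on every interface (two host
// candidates on different interfaces, a server-reflexive and a relay candidate).
const ALL_INTERFACES = [
  "a=candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0",
  "a=candidate:2 1 udp 2122194687 10.0.0.5 61000 typ host generation 0",
  "a=candidate:3 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 192.168.1.23 rport 54321 generation 0",
  "a=candidate:4 1 udp 41885439 198.51.100.4 3478 typ relay raddr 203.0.113.7 rport 54321 generation 0",
];

// Constructed sample: gathering restricted to the default route, as a stricter
// policy would produce (one host candidate plus the srflx derived from it).
const DEFAULT_ROUTE_ONLY = [
  "a=candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0",
  "a=candidate:3 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 192.168.1.23 rport 54321 generation 0",
];

// Pull candidate attribute lines out of an SDP blob (e.g. pc.localDescription.sdp).
function candidateLinesFromSdp(sdp) {
  return sdp.split(/\r?\n/).filter((l) => l.startsWith("a=candidate:"));
}

// Parse one candidate line into its fields. Throws on malformed input so an
// audit never silently skips a candidate.
function parseCandidate(line) {
  const body = line.startsWith("a=") ? line.slice(2) : line;
  const p = body.trim().split(/\s+/);
  if (!p[0].startsWith("candidate:") || p.length < 8 || p[6] !== "typ") {
    throw new Error("not an ICE candidate: " + line);
  }
  const cand = {
    foundation: p[0].slice("candidate:".length),
    component: Number(p[1]),
    transport: p[2].toLowerCase(),
    priority: Number(p[3]),
    address: p[4],
    port: Number(p[5]),
    type: p[7],            // host, srflx, prflx or relay
    relatedAddress: null,  // raddr: for srflx/relay, the address it was derived from
    relatedPort: null,
  };
  for (let i = 8; i + 1 < p.length; i += 2) {
    if (p[i] === "raddr") cand.relatedAddress = p[i + 1];
    else if (p[i] === "rport") cand.relatedPort = Number(p[i + 1]);
  }
  return cand;
}

// Classify an address so the audit can separate interface ("local") addresses
// from public ones. ".local" names are mDNS candidates and disclose no IP.
function classifyAddress(addr) {
  if (addr.toLowerCase().endsWith(".local")) return "mdns-name";
  const v4 = addr.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) {
    const a = Number(v4[1]), b = Number(v4[2]);
    if (a === 0) return "unspecified";   // 0.0.0.0 placeholder raddr
    if (a === 127) return "loopback";
    if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return "private-ipv4";
    if (a === 169 && b === 254) return "link-local-ipv4";
    return "public-ipv4";
  }
  if (addr.includes(":")) {
    const l = addr.toLowerCase();
    if (l === "::1") return "loopback";
    if (l.startsWith("fe80:")) return "link-local-ipv6";
    if (/^f[cd]/.test(l)) return "ula-ipv6";
    return "public-ipv6";
  }
  return "unknown";
}

const LOCAL_CLASSES = new Set(["private-ipv4", "link-local-ipv4", "ula-ipv6", "link-local-ipv6", "loopback"]);

// Every client-side address a candidate set discloses. A host candidate's
// address is the client's own; a srflx candidate's address is the client's
// public address and its raddr the local address it was mapped from; a relay
// candidate's address belongs to the TURN server, so only its raddr counts.
function clientAddressesDisclosed(lines) {
  const local = new Set(), pub = new Set();
  const record = (addr) => {
    const k = classifyAddress(addr);
    if (LOCAL_CLASSES.has(k)) local.add(addr);
    else if (k === "public-ipv4" || k === "public-ipv6") pub.add(addr);
  };
  for (const line of lines) {
    const c = parseCandidate(line);
    if (c.type !== "relay") record(c.address);
    if (c.relatedAddress) record(c.relatedAddress);
  }
  return { local: [...local].sort(), public: [...pub].sort() };
}

// Sample run: the first set discloses two interface addresses, the second one.
console.log(clientAddressesDisclosed(ALL_INTERFACES));
console.log(clientAddressesDisclosed(DEFAULT_ROUTE_ONLY));
```

Running the audit on both constructed sets shows the difference the comment is describing: gathering on every interface discloses 192.168.1.23 and 10.0.0.5 (a second interface, such as a VPN), while the default-route set discloses only 192.168.1.23, and in both cases the srflx candidate's `raddr` repeats the local address even when a page ignores host candidates.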