W3C home > Mailing lists > Public > public-webrtc-logs@w3.org > January 2017

Re: [webrtc-pc] Clarify reasoning behind and mitigation of privacy issues (PING review)

From: Dominique Hazael-Massieux via GitHub <sysbot+gh@w3.org>
Date: Mon, 30 Jan 2017 10:02:13 +0000
To: public-webrtc-logs@w3.org
Message-ID: <issue_comment.created-276022166-1485770532-sysbot+gh@w3.org>
So, here is my attempt at documenting design decisions and possible 
counter-measures for the 4 items mentioned above - @alvestrand does 
that sound about right?

# Leaking of local IP addresses

As described in the spec and the in the [supporting IETF 
spec](https://datatracker.ietf.org/doc/draft-ietf-rtcweb-ip-handling/),
 browsers can operate in 4 modes with regard to their policy of 
disclosing "local" IP addresses. The 4 modes represent different 
possible trade-offs users may want to make between limiting exposure 
of these IP addresses and performance of audio/video communications.
So what drove the design was the recognition that different users will
 want to make different trade-offs for different Web sites, and the 
proposed default mode of operation (mode 2 in the IETF document) 
offers a balance where no sensitive information gets leaked prior to 
consent on camera/mike usage, while still allowing quicker network 
path when consent has been granted.
The proposed mitigation is to let users select a stricter (or looser) 
mode via their user agent.

# Change to the same-origin policy because of p2p communication
WebRTC does not change the same-origin policy: an origin cannot obtain
 data from another origin using the datachannel API.
WebRTC does offer a more direct transmission path from one browser to 
another peer (a browser or not) where the server attached to a given 
origin only needs to be used once for establishing the connection 
rather than serving as a relay (which is what WebSockets or even XHR 
enables). But the existence of that transmission path does not alter 
the restrictions of data across origins.
As a result, it's not clear that this feature needs any specific 
mitigation.

# Client-side or device id leakage
Beyond IP addresses (addressed above), the usage of the WebRTC API 
exposes more detailed and client-bound information about underlying 
software and hardware.
The expected mitigation for this risk is the one used for other 
similar features: browsers can support a mode where they disclose a 
uniform set of information instead of the one that would enable the 
more customized experience.

# Ad networks using WebRTC for accessing IP address
We believe that implementation of the mode 2 described above as the 
default mode of operation will severely limit that practice since only
 a limited number of IP addresses will be disclosed by default.

-- 
GitHub Notification of comment by dontcallmedom
Please view or discuss this issue at 
https://github.com/w3c/webrtc-pc/issues/687#issuecomment-276022166 
using your GitHub account
Received on Monday, 30 January 2017 10:02:49 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 4 June 2019 15:32:41 UTC