Re: [webrtc-extensions] Invalid TURN credentials: What function should fail? (#52) from henbos via GitHub on 2021-02-24 (public-webrtc-logs@w3.org from February 2021)

From: henbos via GitHub <sysbot+gh@w3.org>
Date: Wed, 24 Feb 2021 08:31:27 +0000
To: public-webrtc-logs@w3.org
Message-ID: <issue_comment.created-784902867-1614155485-sysbot+gh@w3.org>

@annevk Would it be OK to land clarifying text to close this issue, and then add a follow-up issue about what to do to mitigate exploiting error codes? As-is, I don't think the proposed PR is changing any behavior, it's just clarifying what is implied we should already do.

How to mitigate brute-force attacks sounds like a bigger issue than exposing errorCodes. For example, even if we emit an error code that looks the same as "host not found", it would be a bit suspicious if onicecandidateerror fired faster or slower depending on if the host was actually not found.

-- 
GitHub Notification of comment by henbos
Please view or discuss this issue at https://github.com/w3c/webrtc-extensions/issues/52#issuecomment-784902867 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 24 February 2021 08:31:30 UTC