Re: [rtcweb] draft-jesup-rtcweb-data-00 posted

On 10/25/2011 11:31 AM, Hadriel Kaplan wrote:
> On Oct 25, 2011, at 10:20 AM, Eric Rescorla wrote:
>
>> On Tue, Oct 25, 2011 at 1:02 AM, Hadriel Kaplan <HKaplan@acmepacket.com> wrote:
>>> Req. 8: The data stream transport protocol MUST NOT encode IP addresses inside its protocol fields; doing so reveals potentially private information, and leads to failure if the address is depended upon.
>> I don't really understand what this means. In general, the peer has access to your IP address information from ICE.
> From a privacy perspective: if a person uses a Web-site designed with privacy/anonymity in mind (e.g., battered-spouse forum), then the site would relay your media-plane stuff through a type of TURN server that does ICE itself both ways.  But if the SCTP layer on top of UDP encodes your local IP using one of the optional SCTP fields in RFC 4960 or 5061, then you lose that anonymity.  Since the SCTP layer is built into the Browser and not under control of the JavaScript, a site can't prevent it from revealing that info.


There's a corollary: a user should be able to set their browser and/or 
App to force all incoming calls (and maybe outgoing) through a TURN 
server.  (There may be other uses for this ability, like corporate 
firewall traversal, but the case you mention is one of them).  Witness 
the recent attack on identity info on Skype using call-setup protocols, 
without even decoding them:

http://www.theregister.co.uk/2011/10/21/skype_bittorrent_stalking/print.html
and
http://cis.poly.edu/~ross/papers/skypeIMC2011.pdf

In theory it could be more nuanced - direct connections for people in 
your phonebook, or listed as friends, etc.  But that may be too 
confusing for generic users, and too likely to mess up.

This is more likely a W3C issue, so CC-ing that list.

-- 
Randell Jesup
randell-ietf@jesup.org

Received on Thursday, 27 October 2011 19:07:28 UTC
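
Added example, not part of the original message or of any rtcweb draft: a sketch of the "force everything through a TURN server" setting discussed above, applied to ICE candidate lines before they are signalled to the peer. The helper names and the sample candidates are assumptions constructed for illustration; the line layout follows the RFC 5245 candidate-attribute syntax.

```javascript
// Constructed sample data: ICE candidate lines in RFC 5245 candidate-attribute
// syntax, using private and documentation address ranges.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:3 1 udp 41885439 198.51.100.10 61000 typ relay raddr 203.0.113.7 rport 54321",
];

const CANDIDATE_RE =
  /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(?: raddr (\S+) rport (\d+))?/;

// Parse one candidate line; returns null for anything that does not match.
function parseCandidate(line) {
  const m = CANDIDATE_RE.exec(line.trim());
  if (!m) return null;
  return { address: m[5], port: Number(m[6]), type: m[7], relatedAddress: m[8] || null };
}

// Hypothetical helper (name is an assumption): enforce a "TURN only" policy.
// Returns the lines safe to signal and the addresses that were withheld.
function enforceRelayOnly(lines) {
  const send = [];
  const withheld = new Set();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (c === null) continue; // fail closed on unparseable input
    if (c.type !== "relay") {
      // host and srflx candidates expose the local or public address directly
      withheld.add(c.address);
      if (c.relatedAddress) withheld.add(c.relatedAddress);
      continue;
    }
    // A relay candidate can still name the client's own address in raddr/rport,
    // so replace those fields with placeholder values before sending.
    if (c.relatedAddress) withheld.add(c.relatedAddress);
    send.push(line.replace(/ raddr \S+ rport \d+/, " raddr 0.0.0.0 rport 9"));
  }
  return { send, withheld: [...withheld].sort() };
}

const result = enforceRelayOnly(SAMPLE_CANDIDATES);
console.log(result.send.join("\n"));
console.log("withheld:", result.withheld.join(", "));
```

Only the relay candidate survives, and its related-address fields no longer carry the client's own address.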