RE: ICE exposes 'real' local IP to javascript from Göran Eriksson AP on 2015-02-02 (public-webrtc@w3.org from February 2015)

From: Göran Eriksson AP <goran.ap.eriksson@ericsson.com>
Date: Mon, 2 Feb 2015 21:13:20 +0000
To: Tim Panton <thp@westhawk.co.uk>, public-webrtc <public-webrtc@w3.org>
CC: "rtcweb@ietf.org >> rtcweb@ietf.org" <rtcweb@ietf.org>
Message-ID: <532A6DC6F9C115439C41705FF73D13871D1B5F96@ESESSMB209.ericsson.se>

From: Tim Panton [mailto:thp@westhawk.co.uk]
Sent: den 2 februari 2015 15:17
To: public-webrtc
Cc: rtcweb@ietf.org >> rtcweb@ietf.org
Subject: ICE exposes 'real' local IP to javascript

Firstly- sorry for cross posting - I’m not sure which side of the line this falls.
Secondly - if this is covered, please let me know, I don’t recall it cropping up...

I’ve been reading worried blogs that WEBRTC in browsers ‘leaks’ the local ‘real’ ip addresses to the javascript.
The principle worriers are VPN users e.g https://cryptostorm.org/viewtopic.php?f=50&t=2867&p=13096#p13096

The concern is that this can be done without user notification (DataChannel request) and might be used to
identify or finger-print users. Clearly the most vulnerable are Tor users who are on a real routeable IP address
or directly on a carrier grade nat (eg android phones etc) where the IP may reveal the identity or location of the user.

It seems to me that this concern will be increased in the case of ipv6 deployments (MNOs).

Do we need to specify a config option on the browser ‘I’m using a VPN don’t expose my local IP’

Again, sorry if I missed this being hashed to death already.
[GAPE:] There are different “challenges” as I see it; a) one to ‘hide’ the information from the involved web sites and peers and b) another from a web site owner perspective, how to safeguard users privacy and security. ‘a’ has been discussed and partly addressed, e.g.  in [1] and [2] .
For ‘b’, we have Web platform mechanisms CSP [3,4] (and CORS) that the web site admin can use to get help from the UA to do defense-in-depth. Now, I may have missed it but has there been any in-depth discussion about CSP (existing or new directives for the O/A procedure, etc. for as Web site using the WebRTC API nor is there anything mentioned in the latest W3C  working draft. Perhaps I’ve missed it- what is the status? Postponed to future work?

Göran

[1] https://datatracker.ietf.org/doc/draft-ietf-rtcweb-security-arch/

[2] http://tools.ietf.org/html/draft-schwartz-rtcweb-return-04#section-5.3

[3] CSP Level 1.1, http://www.w3.org/TR/CSP/

[4]CSP Level 1.2 (Draft), http://www.w3.org/TR/CSP2/

T

Tim Panton - Web/VoIP consultant and implementor
www.westhawk.co.uk<http://www.westhawk.co.uk>

Received on Monday, 2 February 2015 21:13:48 UTC