W3C home > Mailing lists > Public > public-webrtc@w3.org > February 2015

Re: ICE exposes 'real' local IP to javascript

From: Tim Panton new <thp@westhawk.co.uk>
Date: Mon, 2 Feb 2015 22:16:22 +0000
Cc: public-webrtc <public-webrtc@w3.org>, "rtcweb@ietf.org >> rtcweb@ietf.org" <rtcweb@ietf.org>
Message-Id: <E63CB46D-FE22-4B7A-8CF0-7079A7C6632A@westhawk.co.uk>
To: Göran Eriksson AP <goran.ap.eriksson@ericsson.com>

> On 2 Feb 2015, at 21:13, Göran Eriksson AP <goran.ap.eriksson@ericsson.com> wrote:
> From: Tim Panton [mailto:thp@westhawk.co.uk <mailto:thp@westhawk.co.uk>] 
> Sent: den 2 februari 2015 15:17
> To: public-webrtc
> Cc: rtcweb@ietf.org <mailto:rtcweb@ietf.org> >> rtcweb@ietf.org <mailto:rtcweb@ietf.org>
> Subject: ICE exposes 'real' local IP to javascript
> Firstly- sorry for cross posting - I’m not sure which side of the line this falls.
> Secondly - if this is covered, please let me know, I don’t recall it cropping up...
> I’ve been reading worried blogs that WEBRTC in browsers ‘leaks’ the local ‘real’ ip addresses to the javascript.
> The principle worriers are VPN users e.g https://cryptostorm.org/viewtopic.php?f=50&t=2867&p=13096#p13096 <https://cryptostorm.org/viewtopic.php?f=50&t=2867&p=13096#p13096>
> The concern is that this can be done without user notification (DataChannel request) and might be used to 
> identify or finger-print users. Clearly the most vulnerable are Tor users who are on a real routeable IP address
> or directly on a carrier grade nat (eg android phones etc) where the IP may reveal the identity or location of the user.
> It seems to me that this concern will be increased in the case of ipv6 deployments (MNOs).
> Do we need to specify a config option on the browser ‘I’m using a VPN don’t expose my local IP’ 
> Again, sorry if I missed this being hashed to death already.
> [GAPE:] There are different “challenges” as I see it; a) one to ‘hide’ the information from the involved web sites and peers and b) another from a web site owner perspective, how to safeguard users privacy and security. ‘a’ has been discussed and partly addressed, e.g.  in [1] and [2] .

I think these VPN users have hit the ‘partly’ aspect. 5.4 in [1] says: 
"Note that these requirements are NOT intended to protect the user’s
 IP address from a malicious site. In general, the site will learn at
least a user's server reflexive address from any HTTP transaction.” 
The VPN folks are worried that their privacy may be compromised by webRTC exposing their local IP without their permission.
An advert might call a dataChannel createOffer() for the purposes of gaining the local IPV6 address and using it to fingerprint the user in
ways that the reflexive address couldn’t. - So they don’t want to trust ‘evil_banners.com’ with their local addresses and before webRTC they
didn’t have to. I’m not clear that this is a big enough issue to warrant a spec change, but it is an issue they seem to care about.


Received on Monday, 2 February 2015 22:17:05 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:18:04 UTC