Re: [rtcweb] ICE exposes 'real' local IP to javascript

From: <richard.vandet@kpn.com>
Date: Mon, 2 Feb 2015 19:58:09 +0000
To: <bemasc@google.com>
CC: <thp@westhawk.co.uk>, <rtcweb@ietf.org>, <public-webrtc@w3.org>
Message-ID: <715F96D7-0BCA-4C91-BDEC-9DF28FD9A484@kpn.com>

Isn't that done by whitelisting? You as a user use an application which uses WebRTC.

Kind regards,

Richard van Det
06 2054 7291

On 2 Feb 2015 at 18:05, Benjamin Schwartz <bemasc@google.com> wrote:

Standards-wise: You might want to have a look at http://tools.ietf.org/html/draft-schwartz-rtcweb-return-04#section-5.3 (a draft which I'm hoping will be adopted by the rtcweb group).

Reality-wise:
Tor is not a VPN.  It acts as a SOCKS5 proxy.  Tor doesn't support UDP, and none of the major browsers support SOCKS5-UDP anyway, so it's not much use for WebRTC.  Tor Browser Bundle, IMHO the only responsible way to use Tor, has disabled WebRTC from the beginning, precisely to avoid revealing the user's IP address.

VPN users who want to be safe should set permissions such that the browser can only access the VPN, not the physical network.  (I don't personally know how to do this, especially on all different operating systems!)

On Mon, Feb 2, 2015 at 9:16 AM, Tim Panton <thp@westhawk.co.uk> wrote:
Firstly - sorry for cross posting - I'm not sure which side of the line this falls.
Secondly - if this is covered, please let me know, I don't recall it cropping up...

I've been reading worried blogs that WebRTC in browsers 'leaks' the local 'real' IP addresses to the javascript.
The principal worriers are VPN users, e.g. https://cryptostorm.org/viewtopic.php?f=50&t=2867&p=13096#p13096
The concern is that this can be done without user notification (DataChannel request) and might be used to
identify or fingerprint users. Clearly the most vulnerable are Tor users who are on a real routable IP address
or directly on a carrier grade NAT (e.g. Android phones etc.) where the IP may reveal the identity or location of the user.

It seems to me that this concern will be increased in the case of IPv6 deployments (MNOs).

Do we need to specify a config option on the browser 'I'm using a VPN, don't expose my local IP'?

Again, sorry if I missed this being hashed to death already.

T

Tim Panton - Web/VoIP consultant and implementor
www.westhawk.co.uk

Received on Tuesday, 3 February 2015 09:31:24 UTC
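
An added example, not part of the original thread or of any browser's code: the addresses discussed above reach page script as ICE candidate lines, and this sketch parses constructed candidate lines (RFC 5245 candidate-attribute syntax) and lists which of the user's own addresses they disclose, with a coarse scope for each. The function names and sample addresses are assumptions made for the illustration.

```javascript
// Constructed sample candidate lines (private and documentation ranges, not captured traffic).
const SAMPLE = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 2122194687 100.72.14.9 54322 typ host",
  "candidate:3 1 udp 2122129151 2001:db8::1234 54323 typ host",
  "candidate:4 1 udp 1686052607 203.0.113.7 61000 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:5 1 udp 41885439 198.51.100.20 3478 typ relay raddr 203.0.113.7 rport 61000",
];

// Coarse scope of an address: enough to tell private, carrier-grade NAT and routable apart.
function addressScope(addr) {
  if (addr.includes(":")) {
    const a = addr.toLowerCase();
    if (a === "::1") return "loopback";
    if (/^fe[89ab]/.test(a)) return "link-local";
    if (/^f[cd]/.test(a)) return "unique-local";
    return "routable-ipv6";
  }
  const [a, b] = addr.split(".").map(Number);
  if (a === 127) return "loopback";
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return "rfc1918";
  if (a === 100 && b >= 64 && b <= 127) return "cgn";
  if (a === 169 && b === 254) return "link-local";
  return "routable-ipv4";
}

// Fields: foundation component transport priority address port "typ" type [name value]...
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").replace(/^candidate:/, "").split(/\s+/);
  if (f.length < 8 || f[6] !== "typ") return null;
  const c = { address: f[4], type: f[7], related: null };
  for (let i = 8; i + 1 < f.length; i += 2) if (f[i] === "raddr") c.related = f[i + 1];
  return c;
}

// Addresses belonging to the user's side that these candidates disclose.
function clientAddresses(lines) {
  const seen = new Map();
  const note = (addr, via) => {
    if (addr && addr !== "0.0.0.0" && !seen.has(addr)) seen.set(addr, { address: addr, scope: addressScope(addr), via });
  };
  for (const c of lines.map(parseCandidate).filter(Boolean)) {
    if (c.type !== "relay") note(c.address, c.type); // a relay address belongs to the TURN server
    note(c.related, c.type + " raddr");              // base or mapped address behind the candidate
  }
  return [...seen.values()];
}

console.log(clientAddresses(SAMPLE));
```

Only the relay candidate's own address (the TURN server) is left out of the result; every other field in the sample carries an address from the user's side.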