W3C home > Mailing lists > Public > public-webrtc@w3.org > February 2015

Re: [rtcweb] ICE exposes 'real' local IP to javascript

From: Roman Shpount <roman@telurix.com>
Date: Tue, 3 Feb 2015 12:15:46 -0500
Message-ID: <CAD5OKxtuiWTce5_fjGk2x2Vx8t-tvhcY5y289Z-ncUnmTLXXJQ@mail.gmail.com>
To: Harald Alvestrand <harald@alvestrand.no>
Cc: Tim Panton new <thp@westhawk.co.uk>, Göran Eriksson AP <goran.ap.eriksson@ericsson.com>, "rtcweb@ietf.org >> rtcweb@ietf.org" <rtcweb@ietf.org>, public-webrtc <public-webrtc@w3.org> 
The thing I was wondering about was, should there be a confirmation dialog
when browser tries to setup any type of peer-to-peer connection? We get a
confirmation dialog when microphone or camera access is requested. I think
setting up a peer-to-peer connection is something that should be controlled
by the user on the per web site basis in the similar manner.

_____________
Roman Shpount

On Tue, Feb 3, 2015 at 11:42 AM, Harald Alvestrand <harald@alvestrand.no>
wrote:

> Some thoughts....
>
> 1) Datachannel is a red herring. There are many ways to do a valid
> CreateOffer with m-lines, which is all that is required:
>
> - Datachannel
> - OfferToReceiveVideo  / Audio
> - Generate a MediaStreamTrack from WebAudio
>
> and so on.
>
> 2) Speaking with my WebRTC hat on: IP addresses have to be surfaced at the
> API as long as the other side needs to try to send packets to these
> interfaces. We can't obfuscate them or encrypt them because they have to be
> communicated to the other party, through channels that aren't in the WebRTC
> spec.
>
> 3) Speaking with my (imaginary) implementors hat: One can imagine a
> (browser-wide) configuration setting for which addresses to allow access
> to, possibly with a whitelist of apps / pages / sites allowed more access
> than others. Normal people will never configure this (and if they tried,
> they would get it wrong), so the defaults need to be "safe enough for
> most", but sysadmins and the people with special reasons to care about
> security might.
>
> 4) Again wearing my WebRTC spec shepherding hat: It seems that the spec
> should make it clear:
> a) that IP addresses will be exposed (in SDP and in oncandidate callbacks)
> b) why IP addresses are being exposed
> but not really anything more than that.
>
> 5) Wearing my forum-shuffling hat, it seems that the "why" part belongs
> more in the IETF than in the WebRTC side of things - so I'd favour
> continuing this thread on rtcweb@ietf only....
>
> Harald
>
>
>
>
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb
>
Received on Tuesday, 3 February 2015 17:16:16 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:18:04 UTC