W3C home > Mailing lists > Public > public-webrtc@w3.org > February 2015

Re: [rtcweb] ICE exposes 'real' local IP to javascript

From: tim panton <thp@westhawk.co.uk>
Date: Wed, 4 Feb 2015 08:53:25 +0000
Cc: Harald Alvestrand <harald@alvestrand.no>, "public-webrtc@w3.org" <public-webrtc@w3.org>
Message-Id: <160E6643-D423-438E-8C1C-F352E7F555FD@westhawk.co.uk>
To: Martin Thomson <martin.thomson@gmail.com>

> On 4 Feb 2015, at 06:28, Martin Thomson <martin.thomson@gmail.com> wrote:
> 
> On 4 February 2015 at 16:47, Harald Alvestrand <harald@alvestrand.no> wrote:
>> We have discussed this before, and concluded that a confirmation dialog
>> makes no more sense than having a confirmation dialog for performing an
>> XHR request or opening a Websocket - neither of which requires
>> confirmation dialogs today.

Yes, but I don’t think we considered the VPN-for-privacy angle at that point.
Xhr and Websockets don’t reveal all the local IP addresses - just the one that is configured 
to be used, or indeed no local IPs if the user has elected to use a http(s) proxy.

> 
> 
> Yes.  Every time something like this comes up, someone inevitably
> suggests that asking users is an acceptable way to deal with it, as if
> somehow that transfers the responsibility for solving the problem onto
> users.  Even if we could communicate the risks effectively, which I
> don't believe we can, I still wouldn't be in favour of a dialog.
> 
> There are two concerns here:
> 1. fingerprinting - for which I believe the only recourse is to
> disable the feature.  The combination of device enumeration and SDP
> provides a fairly rich surface even without IP addresses.
> 2. exposure of privacy-VPN users.
> 
> This latter is what people seem most concerned with at this point in
> time.  And I'm not against someone building options into their browser
> to manage this.  That, or, if the VPN is for privacy-preserving
> purposes, the interfaces that are potentially revealing could be
> disabled.  Neither option requires action by this group.

I disagree, we should at least document the risk, and in my view we should 
recommend the provision of a browser configuration mechanism to disable specific interfaces from appearing in ICE.

In case folks are assuming this is an obscure issue, I’d point out that there is a pretty common use-case for privacy VPNs/proxies: watching domestic IPTV when traveling.
Whilst we don’t want to condone license infringements it would be a shame if folks turned off webRTC just when they
needed it most :-)

T.


> 
Received on Wednesday, 4 February 2015 08:54:03 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 15:19:43 UTC