- From: Göran Eriksson AP <goran.ap.eriksson@ericsson.com>
- Date: Thu, 5 Feb 2015 08:00:40 +0000
- To: Harald Alvestrand <harald@alvestrand.no>, "public-webrtc@w3.org" <public-webrtc@w3.org>
-----Original Message-----
From: Harald Alvestrand <harald@alvestrand.no>
Date: Thursday 5 February 2015 08:28
To: W3C WEBRTC <public-webrtc@w3.org>
Subject: Re: [rtcweb] ICE exposes 'real' local IP to javascript
Resent-From: W3C WEBRTC <public-webrtc@w3.org>
Resent-Date: Thursday 5 February 2015 08:28

>On 5 Feb 2015 07:39, Bjoern Hoehrmann wrote:
>> * Harald Alvestrand wrote:
>>> On 02/03/2015 06:15 PM, Roman Shpount wrote:
>>>> The thing I was wondering about was, should there be a confirmation
>>>> dialog when browser tries to setup any type of peer-to-peer
>>>> connection? We get a confirmation dialog when microphone or camera
>>>> access is requested. I think setting up a peer-to-peer connection is
>>>> something that should be controlled by the user on the per web site
>>>> basis in the similar manner.
>>>
>>> We have discussed this before, and concluded that a confirmation dialog
>>> makes no more sense than having a confirmation dialog for performing an
>>> XHR request or opening a Websocket - neither of which requires
>>> confirmation dialogs today.
>>
>> Neither of those disclose information not otherwise available to random
>> web sites, so that is not a valid comparison.
>>
>
>"Not otherwise" is a misnomer here. They expose a ton of information
>(think HTTP headers), but the information they expose is inherent in
>providing the functionality they do provide. The reason we don't think
>of them as such is because we've become used to that information being
>provided.
>
>The question before us is whether or not the disclosure of information
>is an appropriate tradeoff in providing the service it's needed for.

Those web APIs indeed expose a lot of information as You describe, which is why we have the effort to try to secure them ongoing in WebAppSec. The WebRTC API is/will also be subject to this desire/need. I'm digging in the material Martin referred to (webappsec issue here for the data channel, https://www.w3.org/2011/webappsec/track/issues/67).

Let's see if those experimenting/using CSP for WebRTC step forward and share their views, :-).
Received on Thursday, 5 February 2015 08:01:08 UTC