- From: Harald Alvestrand <harald@alvestrand.no>
- Date: Fri, 06 Feb 2015 07:02:51 +0100
- To: public-webrtc@w3.org
On 06 Feb 2015 00:16, Bjoern Hoehrmann wrote:
> * Justin Uberti wrote:
>> I think the concern over private IP addresses is a side issue.
>
> So far my impression is that the Working Group has not duly considered
> the concern and we may have to ask the W3C Director to do so instead.
>

Bjørn, please don't use process threats; we've managed to do without them so far.

I would see much more benefit in someone trying for a writeup that describes precisely the threat they see, what mitigations they see against the possible threat, and - importantly - what functionality we would lose by implementing those mitigations.

So far, we've been tossing around the term "private IP address" without a precise definition, stating that it is a privacy concern without specifying what attacks are possible based on that information, tossing around words about possible mitigations (user prompts, browser configurations), and not tying those possible mitigations to possible loss of functionality (user prompt blindness, lessened usability, failures in setting up intra-LAN peer connections).

This is not engineering.

It's possible to write code that simulates what would happen if you didn't expose some IP addresses (strip them out of the SDP before sending the createOffer result to the other entity, for SDP users); running tests with that would give us some real data on whether those addresses are useful, and in what situations.

More light, less heat, please.
Received on Friday, 6 February 2015 06:03:22 UTC
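
The simulation suggested in the message above (stripping addresses out of the SDP before it is sent to the other side) could look like the following; this is an added example, not code from the original post or from any browser. The function names, the sample SDP and the choice of which ranges count as "private" are assumptions, since the thread itself notes the term has no agreed definition.

```javascript
// Added example. The ranges treated as "private" are an assumption:
// RFC 1918, loopback, IPv4 link-local, IPv6 unique-local and link-local.
function isPrivateAddress(addr) {
  const a = addr.toLowerCase();
  if (a.includes(':')) {
    return a === '::1' || /^f[cd][0-9a-f]{2}:/.test(a) || /^fe[89ab][0-9a-f]:/.test(a);
  }
  const o = a.split('.').map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return o[0] === 10 || o[0] === 127 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) ||
    (o[0] === 169 && o[1] === 254);
}

// Drops candidates whose own address is private and masks a private
// raddr/rport on the remaining ones; returns counts for test reporting.
function stripPrivateCandidates(sdp) {
  const kept = [];
  let removed = 0;
  let masked = 0;
  for (const line of sdp.split(/\r?\n/)) {
    const m = /^a=candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ \S+(.*)$/.exec(line);
    if (!m) { kept.push(line); continue; }
    if (isPrivateAddress(m[1])) { removed++; continue; }
    const rel = / raddr (\S+) rport \d+/.exec(m[2]);
    if (rel && isPrivateAddress(rel[1])) {
      const wildcard = m[1].includes(':') ? '::' : '0.0.0.0';
      kept.push(line.replace(rel[0], ` raddr ${wildcard} rport 9`));
      masked++;
    } else {
      kept.push(line);
    }
  }
  return { sdp: kept.join('\r\n'), removed, masked };
}

// Constructed sample offer (documentation addresses), not captured traffic.
const SAMPLE_SDP = [
  'v=0', 'o=- 1 2 IN IP4 127.0.0.1', 's=-', 't=0 0',
  'm=application 9 DTLS/SCTP 5000', 'c=IN IP4 0.0.0.0',
  'a=candidate:1 1 udp 2122260223 192.168.1.20 50000 typ host',
  'a=candidate:2 1 udp 1686052607 203.0.113.7 50000 typ srflx raddr 192.168.1.20 rport 50000',
  'a=candidate:3 1 udp 41885439 198.51.100.9 3478 typ relay raddr 203.0.113.7 rport 50000',
  '',
].join('\r\n');
```

Candidates delivered separately through `icecandidate` events never appear in the `createOffer` SDP, so a test harness would need to apply the same filter to those before signalling them.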