Re: [rtcweb] ICE exposes 'real' local IP to javascript from Harald Alvestrand on 2015-02-06 (public-webrtc@w3.org from February 2015)

From: Harald Alvestrand <harald@alvestrand.no>
Date: Fri, 06 Feb 2015 15:13:19 +0100
To: Bjoern Hoehrmann <derhoermi@gmx.net>
CC: public-webrtc@w3.org
Message-ID: <54D4CBFF.3020509@alvestrand.no>

Den 06. feb. 2015 14:46, skrev Bjoern Hoehrmann:
> * Harald Alvestrand wrote:
>> Den 06. feb. 2015 11:55, skrev Bjoern Hoehrmann:
>>> There are any number of ways to discourage use of this information for
>>> purposes other than those intended, starting with saying that it is not
>>> to be used for other purposes in the specification. User interaction can
>>> be required before sending such information (think file uploads and pop-
>>> up blockers), browsers could indicate when they send the addresses using
>>> some sort of notification so obtaining the information covertly would be
>>> difficult, the API could give sites the option to omit private addresses
>>> to avoid such notifications; sending private addresses could be disabled
>>> if the code is running in some iframe and not the main page. And so on
>>> and so forth. None of this would come with an actual loss of features.
>>
>> Who would obey these instructions?
>> Remember that we're assuming that the browsers run Javascript written by
>> the attacker, so we can't depend on the Javascript specification.
> 
> If you are referring to the first point then most notable "attackers"
> are subject to social controls like bad press and regulatory entities,
> which work much better than the proposed "do nothing" alternative.
> 

I don't think we're communicating....

you say:

"saying that it is not to be used for other purposes in the specification."

I assume that the specification is the one that says this, and "it"
refers to IP address information.

Who would we (as specification writers) place this obligation upon?

Browser implementors?
Web page writers?
Some yet unnamed third party?

As an example of requiring the Web page developers to behave a certain
way: At the moment the European Commission's ruling (which has
considerably more legal force behind it than standards specifications)
is that Web site managers have to notify their users that they use
cookies. How effective is that requirement in stopping the use of
cookies for nefarious purposes?

Received on Friday, 6 February 2015 14:13:49 UTC