Ban ICE-LITE? Re: webRTC and Content Security Policy connect-src from Harald Alvestrand on 2018-01-12 (public-webrtc@w3.org from January 2018)

From: Harald Alvestrand <harald@alvestrand.no>
Date: Fri, 12 Jan 2018 14:19:01 +0100
To: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>, T H Panton <thp@westhawk.co.uk>
Cc: Iñaki Baz Castillo <ibc@aliax.net>, "public-webrtc@w3.org" <public-webrtc@w3.org>, Cullen Jennings <fluffy@iii.ca>
Message-ID: <0f2c5c85-303d-2e59-ddf3-1361986f64be@alvestrand.no>

To me, it sounds like we should ban ICE-LITE altogether.

We've got a lot of security story resting on the idea that the ICE
request/response requires both ends to have seen the SDP.
If that isn't true for ICE-LITE, then ICE-LITE is not safe for WebRTC.

On 01/12/2018 01:20 PM, Sergio Garcia Murillo wrote:
> Missed it, that will prevent it, right.
>
> On 12/01/2018 13:11, T H Panton wrote:
>>
>> That's covered in my proposal:
>>
>>>     add a CSP turn-servers whitelist (to prevent leakage via the
>>>     credentials)
>>
>

Received on Friday, 12 January 2018 13:20:06 UTC