Re: Ban ICE-LITE? Re: webRTC and Content Security Policy connect-src

From: Peter Thatcher <pthatcher@google.com>
Date: Fri, 12 Jan 2018 16:20:01 +0000
Message-ID: <CAJrXDUGe5APORV2STG8CKyUgoEFjGsRAZUt70UBOwCowOiOpVA@mail.gmail.com>
To: Harald Alvestrand <harald@alvestrand.no>
Cc: Cullen Jennings <fluffy@iii.ca>, Iñaki Baz Castillo <ibc@aliax.net>, Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>, T H Panton <thp@westhawk.co.uk>, "public-webrtc@w3.org" <public-webrtc@w3.org>

As I pointed out on the other thread (why do we have 2?), disabling ICE
lite doesn't really help.  You'd have to disable or limit full ICE as well,
and STUN, and TURN.   Any packets being sent by the browser where the JS
can control the destination port is sufficient to convey information (I
think; am I missing something?).


On Fri, Jan 12, 2018, 5:22 AM Harald Alvestrand <harald@alvestrand.no>
wrote:

> To me, it sounds like we should ban ICE-LITE altogether.
>
> We've got a lot of security story resting on the idea that the ICE
> request/response requires both ends to have seen the SDP.
> If that isn't true for ICE-LITE, then ICE-LITE is not safe for WebRTC.
>
> On 01/12/2018 01:20 PM, Sergio Garcia Murillo wrote:
>
> Missed it, that will prevent it, right.
>
> On 12/01/2018 13:11, T H Panton wrote:
>
>
> That's covered in my proposal:
>
> add a CSP turn-servers whitelist (to prevent leakage via the credentials)
>
>
>
>
Received on Friday, 12 January 2018 16:20:36 UTC
