As I pointed out on the other thread (why do we have 2?), disabling ICE
lite doesn't really help. You'd have to disable or limit full ICE as well,
and STUN, and TURN. Any packets being sent by the browser where the JS
can control the destination port is sufficient to convey information (I
think; am I missing something?).
On Fri, Jan 12, 2018, 5:22 AM Harald Alvestrand <harald@alvestrand.no>
wrote:
> To me, it sounds like we should ban ICE-LITE altogether.
>
> We've got a lot of security story resting on the idea that the ICE
> request/response requires both ends to have seen the SDP.
> If that isn't true for ICE-LITE, then ICE-LITE is not safe for WebRTC.
>
> On 01/12/2018 01:20 PM, Sergio Garcia Murillo wrote:
>
> Missed it, that will prevent it, right.
>
> On 12/01/2018 13:11, T H Panton wrote:
>
>
> That's covered in my proposal:
>
> add a CSP turn-servers whitelist (to prevent leakage via the credentials)
>
>
>
>