W3C home > Mailing lists > Public > public-webrtc@w3.org > January 2018

Re: webRTC and Content Security Policy connect-src

From: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Date: Fri, 12 Jan 2018 17:30:49 +0100
Message-ID: <CA+ag07YkqMnP3rJu3URDqy2ujvjce_D6AO3HmRZibcoNQ8bUWA@mail.gmail.com>
To: Peter Thatcher <pthatcher@google.com>
Cc: T H Panton <thp@westhawk.co.uk>, Cullen Jennings <fluffy@iii.ca>, Iñaki Baz Castillo <ibc@aliax.net>, "public-webrtc@w3.org" <public-webrtc@w3.org>
I agree.

That is why my original proposal was to disable webrtc if CSP it's in use.

We could add an "webrtc" token for connect-src to enable it back knowing
the risks.

For what it seems, anything more fine grained would be difficult to get it
working.


Best regards
Sergio



El 12/1/2018 17:16, "Peter Thatcher" <pthatcher@google.com> escribió:

> Why is this ICE-lite specific?   A controlling ICE agent will begin
> sending data as soon as it had received a check response, regardless of
> whether or not it has received a check yet.   And that happens for full
> clients as well.
>
> I think you need to go further and say something like "don't send data
> until you get a check", which is like a reverse consent check.
>
>
> But even that might not be good enough.   You could, for example, convey
> information to the server simply by controlling the ports to which you send
> checks, which is driven by the adding of remote candidates, which is
> controlled by JS.
>
> Even if we could prevent that, there is probably a way to convey
> information by controlling the IP or port used for gathering server
> reflexive or relay addresses via STUN or TURN.
>
> How far down the rabbit hole of disabling things you want to go?
>
>
>
>
> On Fri, Jan 12, 2018, 3:04 AM T H Panton <thp@westhawk.co.uk> wrote:
>
>> In the call yesterday, I said I'd try and summarize the concerns that
>> have been raised about 'Drive-by webRTC CSP' attacks.
>>
>> Content Security Policy on web pages allows a site developer to proscribe
>> what their page can do.
>> This is intended to mitigate the risks of XSS and other injection attacks.
>>
>> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/
>> Content-Security-Policy/connect-src
>>
>> This reduces exposure to included 3rd party scripts being tampered with
>> at source
>> e.g. if someone hacks https://webrtc.github.io/adapter/adapter-latest.js
>>  - the page may not function correctly, but it should not be able to send
>> sensitive
>> data to domains that aren't whitelisted in the CSP connect-src header.
>>
>> This prevents a web-font supplier from capturing the credit card data
>> from your
>> e-commerce site shopping forms.
>>
>> The connect-src explicitly covers websockets. It does not mention
>> DataChannels or webRTC.
>>
>> In principle you might not think that matters, since in order to set up a
>> data-channel
>> you need to perform an SDP exchange, and that SDP exchange would have to
>> go through
>> a whitelisted server.
>>
>> It turns out in the case of ice-lite the browser does not verify that the
>> remote party has
>> ever seen it's SDP - ICE responses do not require the requester's ufrag
>> or pass.
>> This means that the malicious javascript does not need to send an answer
>> to a
>> cooperating server.
>>
>> So it would be possible to bury static SDP for an ice-lite offer in
>> malicious javascript.
>> The offer would point to a malicious server that implemented ice-lite on
>> a fixed port
>> (for example) and accepted data channels without checking the DTLS
>> fingerprint.
>>
>> The javascript would apply this to a peerconnection and drop the
>> generated answer in the
>> bit-bucket.
>>
>> The malicious javascript can now inspect the page DOM and send all the
>> form values it
>> finds over a datachannel to the malicious server. Despite the fact that
>> the conscientious developer
>> had configured connect-src to mitigate this risk.
>>
>> At the heart of this is that ice-lite breaks the conceptual linkage
>> between the 5 tuple and the
>> page origin.
>>
>> Proposal:
>> a) Ban ice-lite on pages with any CSP set
>> c) add a allow-ice-lite CSP
>> b) add a CSP turn-servers whitelist (to prevent leakage via the
>> credentials)
>> c) test plain ICE to make sure it fails if the far side sends no valid
>> requests.
>> d) ensure that any new ICE api's don't make this mistake (worse)
>>
>> Thanks to ibc@aliax.net for starting the discussion and
>> sergio.garcia.murillo@gmail.com for pointing me at CSP connect-src:
>> https://twitter.com/ibc_tw/status/949993145978245120
>>
>> P.S.
>> As you will see in the twitter thread, this isn't specific to the
>> datachannel - one can exfiltrate data over DTMF or G711 perfectly easily.
>>
>> Tim.
>>
>
Received on Friday, 12 January 2018 16:31:17 UTC

This archive was generated by hypermail 2.3.1 : Friday, 12 January 2018 16:31:17 UTC