
Re: Ban ICE-LITE? Re: webRTC and Content Security Policy connect-src

From: Peter Thatcher <pthatcher@google.com>
Date: Fri, 12 Jan 2018 16:42:17 +0000
Message-ID: <CAJrXDUEr9exHLFp5ev6Xy5XQNswx8TnqJfCgV85pqR2tkjLxJA@mail.gmail.com>
To: Harald Alvestrand <harald@alvestrand.no>
Cc: Cullen Jennings <fluffy@iii.ca>, Iñaki Baz Castillo <ibc@aliax.net>, Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>, T H Panton <thp@westhawk.co.uk>, "public-webrtc@w3.org" <public-webrtc@w3.org>
Sorry, that's host and port.  So maybe domain-name-only remote ICE
candidates and TURN servers and STUN servers with whitelisted domains might
work.

On Fri, Jan 12, 2018, 8:20 AM Peter Thatcher <pthatcher@google.com> wrote:

> As I pointed out on the other thread (why do we have 2?), disabling ICE
> lite doesn't really help.  You'd have to disable or limit full ICE as well,
> and STUN, and TURN.   Any packets being sent by the browser where the JS
> can control the destination port are sufficient to convey information (I
> think; am I missing something?).
>
>
> On Fri, Jan 12, 2018, 5:22 AM Harald Alvestrand <harald@alvestrand.no>
> wrote:
>
>> To me, it sounds like we should ban ICE-LITE altogether.
>>
>> We've got a lot of security story resting on the idea that the ICE
>> request/response requires both ends to have seen the SDP.
>> If that isn't true for ICE-LITE, then ICE-LITE is not safe for WebRTC.
>>
>> On 01/12/2018 01:20 PM, Sergio Garcia Murillo wrote:
>>
>> Missed it, that will prevent it, right.
>>
>> On 12/01/2018 13:11, T H Panton wrote:
>>
>>
>> That's covered in my proposal:
>>
>> add a CSP turn-servers whitelist (to prevent leakage via the credentials)
>>
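The host-and-port allowlist idea from the message above, as an added example that is not code from this thread or from any browser: it parses ICE candidate lines and STUN/TURN server URLs, rejects IP-literal addresses outright, and admits only whitelisted domain:port pairs. The allowlist format ("hostname:port" strings) and the helper names are assumptions.

```javascript
// Added example (not from the thread): allowlist check keyed on host AND port,
// applied to remote ICE candidates and to STUN/TURN server URLs.
// Assumption: the allowlist is a Set of "hostname:port" strings.

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Hostnames never contain ':', so any address with one is treated as an IPv6 literal.
function isIpLiteral(addr) {
  return IPV4.test(addr) || addr.includes(':');
}

// Parse "candidate:<foundation> <component> <proto> <priority> <addr> <port> typ <type> ..."
// (RFC 5245 candidate-attribute syntax); returns null for anything malformed.
function parseCandidate(line) {
  const fields = line.replace(/^a=/, '').split(/\s+/);
  if (fields.length < 8 || !fields[0].startsWith('candidate:') || fields[6] !== 'typ') {
    return null;
  }
  return {
    transport: fields[2].toLowerCase(),
    address: fields[4],
    port: Number(fields[5]),
    type: fields[7],
  };
}

// A remote candidate is admissible only if it names a whitelisted domain and port;
// IP literals are rejected so script cannot choose arbitrary destinations.
function candidateAllowed(line, allowlist) {
  const c = parseCandidate(line);
  if (!c || isIpLiteral(c.address)) return false;
  return allowlist.has(`${c.address.toLowerCase()}:${c.port}`);
}

// Apply the same host-and-port rule to an ICE server URL such as
// "turn:turn.example.com:3478?transport=udp". Default ports: 3478 for
// stun/turn, 5349 for stuns/turns. Bracketed IPv6 hosts fail the regex and are rejected.
function iceServerUrlAllowed(url, allowlist) {
  const m = /^(stuns?|turns?):(?:\/\/)?([^:/?]+)(?::(\d+))?(?:\?.*)?$/i.exec(url);
  if (!m) return false;
  const scheme = m[1].toLowerCase();
  const host = m[2].toLowerCase();
  if (isIpLiteral(host)) return false;
  const port = m[3] ? Number(m[3]) : (scheme.endsWith('s') ? 5349 : 3478);
  return allowlist.has(`${host}:${port}`);
}
```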
Received on Friday, 12 January 2018 16:42:50 UTC
