[whatwg] PeerConnection: encryption feedback

On Wed, Mar 23, 2011 at 6:25 PM, Harald Alvestrand <harald at alvestrand.no>wrote:

> The STUN server is used to obtain your own "public" IP address, for
> constructing candidate lists.
> The STUN server is not involved in the ICE handshake.
>

The STUN server is not.  I believe the STUN *protocol* (packet format),
however, is.  See RFC5245 section 2.2 "Connectivity Checks".

On Wed, Mar 23, 2011 at 6:43 PM, Ian Hickson <ian at hixie.ch> wrote:
> directly. The concern is presumably about whether the TURN server, the
> remote peer, and the page origin can collude to cause the browser to
> attack the victim directly.

>From a *cursory* (an hour or so) examination of the ICE and STUN protocols,
it appears that even if the web server, STUN/TURN server(s) and a remote
peer are hostile, it should not be possible to convince a user's browser
(via its ICE agent) to send packets to an arbitrary IP and port.  It should
only be possible to send packets to an IP which has handshaked a port via
ICE.  Obviously, this needs to be confirmed by an expert in these protocols.

*If* that's accurate, does that remove the masking requirement?  16 bytes
per packet is significant overhead to pay if it's not needed.

-- 
Glenn Maynard

Received on Wednesday, 23 March 2011 16:06:16 UTC