IETF Logo Mail Archive

Re: [rtcweb] Revealing IP addresses (Re: Review of draft-ietf-rtcweb-use-cases-and-requirements-10 (Part II))

Richard Barnes <rlb@ipv.sx> Mon, 04 February 2013 22:36 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74FF421F8B69 for <rtcweb@ietfa.amsl.com>; Mon, 4 Feb 2013 14:36:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.48
X-Spam-Level:
X-Spam-Status: No, score=0.48 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_PBL=0.905, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8FqGWGTIOjYB for <rtcweb@ietfa.amsl.com>; Mon, 4 Feb 2013 14:36:06 -0800 (PST)
Received: from mail-la0-x22f.google.com (la-in-x022f.1e100.net [IPv6:2a00:1450:4010:c03::22f]) by ietfa.amsl.com (Postfix) with ESMTP id 0417321F8B61 for <rtcweb@ietf.org>; Mon, 4 Feb 2013 14:36:05 -0800 (PST)
Received: by mail-la0-f47.google.com with SMTP id fj20so5156884lab.34 for <rtcweb@ietf.org>; Mon, 04 Feb 2013 14:36:04 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=vNSUoEnDaOtnNK8bau+5tW7WjW8FnlcBJ4Tu2wJXgxU=; b=GtM56MpcPALsvfsoQEfsJ1Dg9yYus5k8lM2wi6hem2HGU7kZKRYvI3XxgSi+r988IT /xLRFPd6faY6iOw8rAWvTbGVJsdSZFkC9ck96nVFChRWy1Y7NJgr1E97O6iQ5AoasB84 xrSIZGINwtT34h+gYNU0oCbDNxtrEsU8u7RxBi6dbOPBmQiTXHsNfmnG52D9CYHaWoCQ v+/sGwDd4Vm+WrGabojlSLgTuTzTPv3MOMLU3+QFqIIWjCKkpgIIwKElW/vrJdAF+P+2 6X3Y9sDdV81T0DfENtulbktyFPTvGMUxam3NSY4vEDmj59n4OO0astrTiFxFDL9LXaCr OaGQ==
MIME-Version: 1.0
X-Received: by 10.112.27.34 with SMTP id q2mr8961598lbg.56.1360017364720; Mon, 04 Feb 2013 14:36:04 -0800 (PST)
Received: by 10.112.142.170 with HTTP; Mon, 4 Feb 2013 14:36:04 -0800 (PST)
X-Originating-IP: [174.254.182.97]
In-Reply-To: <AE1A6B5FD507DC4FB3C5166F3A05A484161C5D86@tk5ex14mbxc272.redmond.corp.microsoft.com>
References: <50F97303.4070906@ericsson.com> <CABkgnnWcqZ+dU+87djBQ0z47ufB-Go13mWyPi_ZQA8BPinQJEA@mail.gmail.com> <BLU002-W1705DC54006131B55B432A931F0@phx.gbl> <BLU002-W210B8DBB897CAF5BECC501A931F0@phx.gbl> <5109265F.6040106@ericsson.com> <BLU002-W123BE6BAA58BE0B26DEA28F931E0@phx.gbl> <510B9A41.8000804@ericsson.com> <510B9FD8.6000008@alvestrand.no> <510BB070.9040602@ericsson.com> <510CEAF9.6020509@alvestrand.no> <510D0D14.4050301@ericsson.com> <510D6039.3060501@alvestrand.no> <CABcZeBMyH7KThkrqZRy4b2eLOpELnPhNsaYpL3D4EcbwG9XRyg@mail.gmail.com> <479FFA31-EE78-4E6E-A8BB-440DF9A82A74@cs.georgetown.edu> <CABcZeBPz2X+CkcrVqdGk-Xzf98VEdND8H+Drxs+0=Mou=xNzKg@mail.gmail.com> <984674BE-1A5C-4728-89C1-F2EAAD1A3D6B@standardstrack.com> <CABcZeBPk+9-qJhScSGcVhTr9=077TiU8NERqNabpq-LtVXKTjQ@mail.gmail.com> <BA4D4176-729C-47AF-9AAC-816F4BC97F94@standardstrack.com> <AE1A6B5FD507DC4FB3C5166F3A05A484161C588D@tk5ex14mbxc272.redmond.corp.microsoft.com> <C138FE72-DA82-49DF-9834-78289CC84F1C@rtfm.com> <AE1A6B5FD507DC4FB3C5166F3A05A484161C5D86@tk5ex14mbxc272.redmond.corp.microsoft.com>
Date: Mon, 04 Feb 2013 17:36:04 -0500
Message-ID: <CAL02cgQtB=vhN0sHOYsi+wqoU4QnuomHTZUYAQR5qsnSOwQbtw@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: "Matthew Kaufman (SKYPE)" <matthew.kaufman@skype.net>
Content-Type: multipart/alternative; boundary="bcaec554d9f0e99bb804d4edb7b9"
X-Gm-Message-State: ALoCoQlr/qTIWR/TdmtvedpmgQEcqb/EScz9q8QTXABywr/B5MAkV3uJPG7RRfXwhtEGOSa8eblx
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Revealing IP addresses (Re: Review of draft-ietf-rtcweb-use-cases-and-requirements-10 (Part II))
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Feb 2013 22:36:07 -0000

It seems like #1 is a special case of #2, in which the browser overrides
whatever flag is set.  It seems like even in #2, there could be chrome to
mitigate the risk of pages lying.

I agree that #1 would not require standardization.

--Richard

On Monday, February 4, 2013, Matthew Kaufman (SKYPE) wrote:

> I still don't understand how I, as a user, can possibly trust your web
> site to set the flags appropriately so that my browser doesn't execute
> connectivity checks to someone I'm worried might learn my IP address.
>
> I get it in option #1. I set my browser that way, I trust my browser
> vendor, end of story.
>
> In case #2, I go to your site, I don't trust your site, but I decide to
> use it anyway. It gives my addresses away when I do my HTTP GET from it.
> Then I make a call, and it sets the flags however it wants. Or it sets the
> flags to "don't do checks except over TURN" and then it sets up a TURN
> server, but points the TURN server to be the address of the bad guy I
> didn't want my addresses disclosed to and so my connection attempt to that
> TURN server reveals my addresses, etc. How does any of this actually help
> me?
>
> If I really trust the site to protect me, the site runs a media proxy and
> only has me run ICE checks against that (because those are the only far
> candidates in the SDP). It relays the traffic. Done.
>
> Matthew Kaufman
>
> -----Original Message-----
> From: Eric Rescorla [mailto:ekr@rtfm.com]
> Sent: Monday, February 4, 2013 2:05 PM
> To: Matthew Kaufman (SKYPE)
> Cc: Eric Burger; rtcweb@ietf.org
> Subject: Re: [rtcweb] Revealing IP addresses (Re: Review of
> draft-ietf-rtcweb-use-cases-and-requirements-10 (Part II))
>
>
>
> On Feb 4, 2013, at 12:56, "Matthew Kaufman (SKYPE)" <
> matthew.kaufman@skype.net> wrote:
>
> > I see two possible readings (either or both of them might be useful):
> >
> > 1. The browser must have a way for its user to force the use of TURN
> servers (and this is only useful if the user also provides the address and
> credentials for the TURN servers) for transmission of media.
> >
> > 2. The browser must have an API that keeps some kinds of candidates from
> being included in the SDP the API generates.
> >
> > #1 seems like a very useful thing to require for users who might
> actually care about their privacy, but I don't think that requirement
> belongs in an IETF document but rather the W3C requirements TR for WEBRTC,
> that appears to have not even been started.
>
> >
>
> I had 2 in mind. I don't think #1 needs standardization
>
>
> > #2 seems highly questionable to me, due to the large number of failure
> modes in both the interpretation of the spec and the ability to circumvent
> the intent...
> >
> > For #2 do you mean "API flag to prevent local candidates from being
> included" or "API flag to prevent server-reflexive STUN-learned candidates
> from being included" or both?
> >
> > For #2 how do you propose a malicious application or page injection not
> simply change the flag?
> >
>
> The intent here is to allow the server to offer an anonymous calling
> service so this threat isn't relevant
>
>
> > For #2 why can't the same behavior be accomplished by including all the
> candidates in the SDP and then letting the JavaScript remove the
> "dangerous" candidates before sending the SDP to the server?
> >
>
> This I have a good answer to. You need to suppress checks on this
> candidates because those reveal your address. And even if you think
> stripping in sdp before set local accomplishes this how do you do it for
> trickle ice?
>
>
> > For #2 why can't the same behavior be accomplished by including all the
> candidates in the SDP, sending it to the server (which you must trust
> anyway, as it also can change the flag itself *or* derive your IP address
> by looking at where you load pages from), and having the server remove the
> "dangerous" candidates before sending them on to the far client?
> >
>
> Same reason
> > Matthew Kaufman
> >
> >
> > -----Original Message-----
> > From: rtcweb-bounces@ietf.org [mailto:rtcweb-bounces@ietf.org] On
> > Behalf Of Eric Burger
> > Sent: Monday, February 4, 2013 2:53 AM
> > To: Eric Rescorla
> > Cc: rtcweb@ietf.org
> > Subject: Re: [rtcweb] Revealing IP addresses (Re: Review of
> > draft-ietf-rtcweb-use-cases-and-requirements-10 (Part II))
> >
> > Under what circumstances would it be up to the Web server to decide to
> make the client interaction quasi-anonymous? Would that not be a entirely
> up to and the responsibility of the client? By definition, the Web server
> is not anonymous -- the user had to reach it somehow to get the page in the
> first place. Likewise, it is well within the power of the server to
> obfuscate its media address. It is quite likely media is NOT coming from
> the same IP address as the Web page under normal circumstances, so the
> server has built-in opportunities to obfuscate its address. Conversely, it
> is well within the capabilities of the browser to figure out how to
> obfuscate its media address. More importantly, I have yet to hear a cogent
> use case for the server saying, "I want this interaction to not have IP
> addresses *TO PROTECT YOU*." If you are in a scenario where you need
> protection, you cannot depend on the server. You must depend on yourself,
> which means you will have a browser that will pr
>  otect you. Moreover, will not a bad server simply always tell all
> browsers it connects with to open lots of anonymity relays to DDoS the
> relays? Saying we want to build something that is only sometimes useful and
> can only be useful if we trust all sides to do the right thing does not
> sound very useful.
> >
> > Am I m

v2.23.0 | Report a Bug | By Email