Re: [rtcweb] Revealing IP addresses (Re: Review of draft-ietf-rtcweb-use-cases-and-requirements-10 (Part II))
Richard Barnes <rlb@ipv.sx> Mon, 04 February 2013 22:36 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74FF421F8B69 for <rtcweb@ietfa.amsl.com>; Mon, 4 Feb 2013 14:36:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.48
X-Spam-Level:
X-Spam-Status: No, score=0.48 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_PBL=0.905, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8FqGWGTIOjYB for <rtcweb@ietfa.amsl.com>; Mon, 4 Feb 2013 14:36:06 -0800 (PST)
Received: from mail-la0-x22f.google.com (la-in-x022f.1e100.net [IPv6:2a00:1450:4010:c03::22f]) by ietfa.amsl.com (Postfix) with ESMTP id 0417321F8B61 for <rtcweb@ietf.org>; Mon, 4 Feb 2013 14:36:05 -0800 (PST)
Received: by mail-la0-f47.google.com with SMTP id fj20so5156884lab.34 for <rtcweb@ietf.org>; Mon, 04 Feb 2013 14:36:04 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=vNSUoEnDaOtnNK8bau+5tW7WjW8FnlcBJ4Tu2wJXgxU=; b=GtM56MpcPALsvfsoQEfsJ1Dg9yYus5k8lM2wi6hem2HGU7kZKRYvI3XxgSi+r988IT /xLRFPd6faY6iOw8rAWvTbGVJsdSZFkC9ck96nVFChRWy1Y7NJgr1E97O6iQ5AoasB84 xrSIZGINwtT34h+gYNU0oCbDNxtrEsU8u7RxBi6dbOPBmQiTXHsNfmnG52D9CYHaWoCQ v+/sGwDd4Vm+WrGabojlSLgTuTzTPv3MOMLU3+QFqIIWjCKkpgIIwKElW/vrJdAF+P+2 6X3Y9sDdV81T0DfENtulbktyFPTvGMUxam3NSY4vEDmj59n4OO0astrTiFxFDL9LXaCr OaGQ==
MIME-Version: 1.0
X-Received: by 10.112.27.34 with SMTP id q2mr8961598lbg.56.1360017364720; Mon, 04 Feb 2013 14:36:04 -0800 (PST)
Received: by 10.112.142.170 with HTTP; Mon, 4 Feb 2013 14:36:04 -0800 (PST)
X-Originating-IP: [174.254.182.97]
In-Reply-To: <AE1A6B5FD507DC4FB3C5166F3A05A484161C5D86@tk5ex14mbxc272.redmond.corp.microsoft.com>
References: <50F97303.4070906@ericsson.com> <CABkgnnWcqZ+dU+87djBQ0z47ufB-Go13mWyPi_ZQA8BPinQJEA@mail.gmail.com> <BLU002-W1705DC54006131B55B432A931F0@phx.gbl> <BLU002-W210B8DBB897CAF5BECC501A931F0@phx.gbl> <5109265F.6040106@ericsson.com> <BLU002-W123BE6BAA58BE0B26DEA28F931E0@phx.gbl> <510B9A41.8000804@ericsson.com> <510B9FD8.6000008@alvestrand.no> <510BB070.9040602@ericsson.com> <510CEAF9.6020509@alvestrand.no> <510D0D14.4050301@ericsson.com> <510D6039.3060501@alvestrand.no> <CABcZeBMyH7KThkrqZRy4b2eLOpELnPhNsaYpL3D4EcbwG9XRyg@mail.gmail.com> <479FFA31-EE78-4E6E-A8BB-440DF9A82A74@cs.georgetown.edu> <CABcZeBPz2X+CkcrVqdGk-Xzf98VEdND8H+Drxs+0=Mou=xNzKg@mail.gmail.com> <984674BE-1A5C-4728-89C1-F2EAAD1A3D6B@standardstrack.com> <CABcZeBPk+9-qJhScSGcVhTr9=077TiU8NERqNabpq-LtVXKTjQ@mail.gmail.com> <BA4D4176-729C-47AF-9AAC-816F4BC97F94@standardstrack.com> <AE1A6B5FD507DC4FB3C5166F3A05A484161C588D@tk5ex14mbxc272.redmond.corp.microsoft.com> <C138FE72-DA82-49DF-9834-78289CC84F1C@rtfm.com> <AE1A6B5FD507DC4FB3C5166F3A05A484161C5D86@tk5ex14mbxc272.redmond.corp.microsoft.com>
Date: Mon, 04 Feb 2013 17:36:04 -0500
Message-ID: <CAL02cgQtB=vhN0sHOYsi+wqoU4QnuomHTZUYAQR5qsnSOwQbtw@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: "Matthew Kaufman (SKYPE)" <matthew.kaufman@skype.net>
Content-Type: multipart/alternative; boundary="bcaec554d9f0e99bb804d4edb7b9"
X-Gm-Message-State: ALoCoQlr/qTIWR/TdmtvedpmgQEcqb/EScz9q8QTXABywr/B5MAkV3uJPG7RRfXwhtEGOSa8eblx
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Revealing IP addresses (Re: Review of draft-ietf-rtcweb-use-cases-and-requirements-10 (Part II))
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Feb 2013 22:36:07 -0000
It seems like #1 is a special case of #2, in which the browser overrides whatever flag is set. It seems like even in #2, there could be chrome to mitigate the risk of pages lying. I agree that #1 would not require standardization. --Richard On Monday, February 4, 2013, Matthew Kaufman (SKYPE) wrote: > I still don't understand how I, as a user, can possibly trust your web > site to set the flags appropriately so that my browser doesn't execute > connectivity checks to someone I'm worried might learn my IP address. > > I get it in option #1. I set my browser that way, I trust my browser > vendor, end of story. > > In case #2, I go to your site, I don't trust your site, but I decide to > use it anyway. It gives my addresses away when I do my HTTP GET from it. > Then I make a call, and it sets the flags however it wants. Or it sets the > flags to "don't do checks except over TURN" and then it sets up a TURN > server, but points the TURN server to be the address of the bad guy I > didn't want my addresses disclosed to and so my connection attempt to that > TURN server reveals my addresses, etc. How does any of this actually help > me? > > If I really trust the site to protect me, the site runs a media proxy and > only has me run ICE checks against that (because those are the only far > candidates in the SDP). It relays the traffic. Done. > > Matthew Kaufman > > -----Original Message----- > From: Eric Rescorla [mailto:ekr@rtfm.com] > Sent: Monday, February 4, 2013 2:05 PM > To: Matthew Kaufman (SKYPE) > Cc: Eric Burger; rtcweb@ietf.org > Subject: Re: [rtcweb] Revealing IP addresses (Re: Review of > draft-ietf-rtcweb-use-cases-and-requirements-10 (Part II)) > > > > On Feb 4, 2013, at 12:56, "Matthew Kaufman (SKYPE)" < > matthew.kaufman@skype.net> wrote: > > > I see two possible readings (either or both of them might be useful): > > > > 1. The browser must have a way for its user to force the use of TURN > servers (and this is only useful if the user also provides the address and > credentials for the TURN servers) for transmission of media. > > > > 2. The browser must have an API that keeps some kinds of candidates from > being included in the SDP the API generates. > > > > #1 seems like a very useful thing to require for users who might > actually care about their privacy, but I don't think that requirement > belongs in an IETF document but rather the W3C requirements TR for WEBRTC, > that appears to have not even been started. > > > > > I had 2 in mind. I don't think #1 needs standardization > > > > #2 seems highly questionable to me, due to the large number of failure > modes in both the interpretation of the spec and the ability to circumvent > the intent... > > > > For #2 do you mean "API flag to prevent local candidates from being > included" or "API flag to prevent server-reflexive STUN-learned candidates > from being included" or both? > > > > For #2 how do you propose a malicious application or page injection not > simply change the flag? > > > > The intent here is to allow the server to offer an anonymous calling > service so this threat isn't relevant > > > > For #2 why can't the same behavior be accomplished by including all the > candidates in the SDP and then letting the JavaScript remove the > "dangerous" candidates before sending the SDP to the server? > > > > This I have a good answer to. You need to suppress checks on this > candidates because those reveal your address. And even if you think > stripping in sdp before set local accomplishes this how do you do it for > trickle ice? > > > > For #2 why can't the same behavior be accomplished by including all the > candidates in the SDP, sending it to the server (which you must trust > anyway, as it also can change the flag itself *or* derive your IP address > by looking at where you load pages from), and having the server remove the > "dangerous" candidates before sending them on to the far client? > > > > Same reason > > Matthew Kaufman > > > > > > -----Original Message----- > > From: rtcweb-bounces@ietf.org [mailto:rtcweb-bounces@ietf.org] On > > Behalf Of Eric Burger > > Sent: Monday, February 4, 2013 2:53 AM > > To: Eric Rescorla > > Cc: rtcweb@ietf.org > > Subject: Re: [rtcweb] Revealing IP addresses (Re: Review of > > draft-ietf-rtcweb-use-cases-and-requirements-10 (Part II)) > > > > Under what circumstances would it be up to the Web server to decide to > make the client interaction quasi-anonymous? Would that not be a entirely > up to and the responsibility of the client? By definition, the Web server > is not anonymous -- the user had to reach it somehow to get the page in the > first place. Likewise, it is well within the power of the server to > obfuscate its media address. It is quite likely media is NOT coming from > the same IP address as the Web page under normal circumstances, so the > server has built-in opportunities to obfuscate its address. Conversely, it > is well within the capabilities of the browser to figure out how to > obfuscate its media address. More importantly, I have yet to hear a cogent > use case for the server saying, "I want this interaction to not have IP > addresses *TO PROTECT YOU*." If you are in a scenario where you need > protection, you cannot depend on the server. You must depend on yourself, > which means you will have a browser that will pr > otect you. Moreover, will not a bad server simply always tell all > browsers it connects with to open lots of anonymity relays to DDoS the > relays? Saying we want to build something that is only sometimes useful and > can only be useful if we trust all sides to do the right thing does not > sound very useful. > > > > Am I m
- Re: [rtcweb] WG Last Call: draft-ietf-rtcweb-use-… Gunnar Hellstrom
- Re: [rtcweb] WG Last Call: draft-ietf-rtcweb-use-… Gunnar Hellstrom
- [rtcweb] WG Last Call: draft-ietf-rtcweb-use-case… Magnus Westerlund
- Re: [rtcweb] WG Last Call: draft-ietf-rtcweb-use-… Eggert, Lars
- Re: [rtcweb] WG Last Call: draft-ietf-rtcweb-use-… Eggert, Lars
- Re: [rtcweb] WG Last Call: draft-ietf-rtcweb-use-… Stefan Håkansson LK
- Re: [rtcweb] WG Last Call: draft-ietf-rtcweb-use-… Harald Alvestrand
- Re: [rtcweb] Review of draft-ietf-rtcweb-use-case… Stefan Håkansson LK
- Re: [rtcweb] WG Last Call: draft-ietf-rtcweb-use-… Cullen Jennings (fluffy)
- Re: [rtcweb] WG Last Call: draft-ietf-rtcweb-use-… Martin Thomson
- [rtcweb] Review of draft-ietf-rtcweb-use-cases-an… Bernard Aboba
- [rtcweb] Review of draft-ietf-rtcweb-use-cases-an… Bernard Aboba
- [rtcweb] 2119 language in requirements (Re: Revie… Harald Alvestrand
- Re: [rtcweb] WG Last Call: draft-ietf-rtcweb-use-… Harald Alvestrand
- Re: [rtcweb] WG Last Call: draft-ietf-rtcweb-use-… Stefan Håkansson LK
- Re: [rtcweb] Review of draft-ietf-rtcweb-use-case… Stefan Håkansson LK
- Re: [rtcweb] WG Last Call: draft-ietf-rtcweb-use-… Matthew Kaufman (SKYPE)
- Re: [rtcweb] WG Last Call: draft-ietf-rtcweb-use-… Mary Barnes
- Re: [rtcweb] WG Last Call: draft-ietf-rtcweb-use-… Harald Alvestrand
- Re: [rtcweb] Review of draft-ietf-rtcweb-use-case… Bernard Aboba
- Re: [rtcweb] Review of draft-ietf-rtcweb-use-case… Bernard Aboba
- Re: [rtcweb] WG Last Call: draft-ietf-rtcweb-use-… Martin Thomson
- Re: [rtcweb] WG Last Call: draft-ietf-rtcweb-use-… Martin Thomson
- Re: [rtcweb] WG Last Call: draft-ietf-rtcweb-use-… Gunnar Hellstrom
- Re: [rtcweb] WG Last Call: draft-ietf-rtcweb-use-… Harald Alvestrand
- [rtcweb] Wiretapping (Re: Review of draft-ietf-rt… Harald Alvestrand
- Re: [rtcweb] WG Last Call: draft-ietf-rtcweb-use-… Barry Dingle
- Re: [rtcweb] WG Last Call: draft-ietf-rtcweb-use-… Harald Alvestrand
- Re: [rtcweb] WG Last Call: draft-ietf-rtcweb-use-… Martin Thomson
- Re: [rtcweb] WG Last Call: draft-ietf-rtcweb-use-… Harald Alvestrand
- Re: [rtcweb] WG Last Call: draft-ietf-rtcweb-use-… Stefan Håkansson LK
- Re: [rtcweb] Review of draft-ietf-rtcweb-use-case… Stefan Håkansson LK
- Re: [rtcweb] Review of draft-ietf-rtcweb-use-case… Stefan Håkansson LK
- [rtcweb] Revealing IP addresses (Re: Review of dr… Harald Alvestrand
- Re: [rtcweb] Revealing IP addresses (Re: Review o… Stefan Håkansson LK
- Re: [rtcweb] Revealing IP addresses (Re: Review o… Emil Ivov
- Re: [rtcweb] Revealing IP addresses (Re: Review o… Bernard Aboba
- Re: [rtcweb] WG Last Call: draft-ietf-rtcweb-use-… Barry Dingle
- Re: [rtcweb] WG Last Call: draft-ietf-rtcweb-use-… Dale R. Worley
- Re: [rtcweb] Playing regulator Bernard Aboba
- Re: [rtcweb] WG Last Call: draft-ietf-rtcweb-use-… Gunnar Hellstrom
- Re: [rtcweb] Playing regulator Gunnar Hellstrom
- Re: [rtcweb] Playing regulator Bernard Aboba
- Re: [rtcweb] Playing regulator Richard Shockey
- Re: [rtcweb] Revealing IP addresses (Re: Review o… Harald Alvestrand
- Re: [rtcweb] Revealing IP addresses (Re: Review o… Stefan Håkansson LK
- Re: [rtcweb] Revealing IP addresses (Re: Review o… Harald Alvestrand
- Re: [rtcweb] Revealing IP addresses (Re: Review o… Eric Rescorla
- Re: [rtcweb] Revealing IP addresses (Re: Review o… Burger Eric
- Re: [rtcweb] Playing regulator Eric Burger
- Re: [rtcweb] Revealing IP addresses (Re: Review o… Eric Rescorla
- Re: [rtcweb] Revealing IP addresses (Re: Review o… Eric Burger
- Re: [rtcweb] Revealing IP addresses (Re: Review o… Eric Rescorla
- Re: [rtcweb] Revealing IP addresses (Re: Review o… Eric Burger
- Re: [rtcweb] Revealing IP addresses (Re: Review o… John Leslie
- Re: [rtcweb] Revealing IP addresses (Re: Review o… Matthew Kaufman (SKYPE)
- Re: [rtcweb] Revealing IP addresses (Re: Review o… Dan Wing
- Re: [rtcweb] Revealing IP addresses (Re: Review o… Eric Rescorla
- Re: [rtcweb] Revealing IP addresses (Re: Review o… Matthew Kaufman (SKYPE)
- Re: [rtcweb] Revealing IP addresses (Re: Review o… Richard Barnes
- Re: [rtcweb] Revealing IP addresses (Re: Review o… Matthew Kaufman (SKYPE)
- Re: [rtcweb] WG Last Call: draft-ietf-rtcweb-use-… Magnus Westerlund