
“We are considering adding an extension to restrict the use of WebRTC” - eloycoto
https://bugzilla.mozilla.org/show_bug.cgi?id=959893#c116
======
jnbiche
I don't understand why a peer-to-peer network connection is different from
Ajax. Browsers don't require user approval for 3rd-party XMLHttpRequest
connections. WebSockets are even more permissive. Why is WebRTC being singled
out here?

If I were a conspiracy-minded person (I'm not), I'd have to wonder if this was
some kind of corporate-driven attempt to suppress peer-to-peer networks. In
fact, I do think this is being done in good faith (even though I strongly
disagree), but other users will not be so understanding.

Edit: s/advertiser-driven/corporate-driven I think there are a _lot_ of big
companies, particularly social media, that have a huge vested interest in
suppressing web-based peer-to-peer networks. Not claiming that's what's
happening here, but the threat posed by WebRTC to those companies is very
real. At present, a peer-to-peer Twitter would not be impossible to pull off
technically with WebRTC, a DHT, and a modest number of STUN servers. The hard
part is convincing users it's in their best interest to switch, but if that
could be accomplished...

~~~
yAnonymous
For one, the way it's implemented now, it's only a matter of time until we see
WebRTC torrent malware downloading copyrighted files to give copyright holders
a reason to sue / C&D users.

In a time where sharing an MP3 can cost thousands of dollars, having a
protocol that can share data like that without the users' consent is crazy.

~~~
langarto
What is crazy is that “sharing an MP3 can cost thousands of dollars”, not any
protocol.

~~~
yAnonymous
Agreed, but it's not something that we can easily change.

Cases like the one I described could actually help by giving users plausible
deniability, but that would just end with browser developers being pressured
into disabling the feature.

------
SG-
I think the sensible solution (and this goes for anything where there's
security or privacy concern like WebGL) is to block it by default however to
prompt the user that the website wants to use WebRTC.

The user can then choose to allow it for one time or to whitelist or blacklist
the site.

~~~
the8472
> and this goes for anything where there's security or privacy concern

It would force web developers to think much harder about feature detection and
being non-intrusive about their usage. If someone gets nagged to enable webrtc
just to read some news article it might actually cause some head scratching.

cross domain cookies, local storage, video/audio playback (at least in
background tabs), ...

You could even make an argument for cross-domain javascript.

Sometimes it's insane what crap shows up in µMatrix. More requests going to
3rd party sites than the actual content that I want to look at.

------
lgrapenthin
Could somebody please explain whether it is a technical requirement to leak
the internal IP address for this technology to succeed or, if not, what
possible reasons could exist for this design decision?

~~~
omarforgotpwd
It is a technical requirement, because the protocol attempts to connect over
the local network if both peers are under the same NAT. The local IP is shared
so that the peers can attempt to make a local connection.

~~~
lgrapenthin
I'd assume that this is a rather rare use case in the world wide web, so why is
it not disabled by default?

~~~
jnbiche
No, it's not rare. This is something _all_ peer-to-peer networks running over
IPv4 must do. WebRTC video, audio, or data wouldn't work without this.

~~~
MichaelGG
Things worked fine before ICE. In fact, stuff like BitTorrent still works
fine. If they were truly concerned with connectivity, they'd use UPnP. But
since that wasn't a standard from a friendly body, they added this ICE hack to
try to make things work.

~~~
comex
As someone who's implemented a P2P feature for an application: UPnP works
great... if you have a router that supports it. Many in the wild do not. If
yours doesn't, you have to manually port forward, which, even disregarding the
newbie user issue, isn't possible if you're connected to someone else's
network. Otherwise, as I assume you know, you can only initiate connections,
not receive them, which means you can't talk to anyone with the same
limitation - which might not be fatal to your BitTorrent download, albeit
limiting your speed, but kinda sucks in something like a one-on-one video chat
or game session.

AFAIK, all major video chat applications use some variant of STUN, on which
ICE is based, along with some proxying mechanism for users who truly can't
connect directly to each other, which corresponds to the rest of ICE.

------
userbinator
Does anyone else feel that there's something terribly odd going on when
_restricting_ something needs to be an _extension_?

IMHO it should be a configuration option, per-site, and off by default. WebRTC
also isn't the only thing that applies to.

~~~
drzaiusapelord
The recent moves to turn the browser into its own OS are worrying. The problem
I see is that no one seems to care. It's full steam ahead and it's only later
that we realize that these new features and standards are trivial to abuse. I
really wish there was some kind of web mission statement on where browsers are
going instead of this kitchen sink approach.

I have no idea what the W3C is thinking. I don't think even the W3C knows what
it's thinking. It's just being reactionary; trying to turn HTML5 into a "flash
killer" and shoving feature after feature into the spec. I don't want to piss
on progress, but I think privacy and security concerns get a backseat with W3C
members, especially Google, whose very existence is dependent on finding
information about users to sell to advertisers. Soon we'll need sandboxing and
privacy apps to wrap our browsers in. I really hope Mozilla leads the way to
pushing back on this recent mad push of thoughtless progress. A more moderate
approach would be very much welcome and having more "off by default" options
for easily abused features like P2P in the browser, which is what webrtc
really is, makes sense.

Right now I have no idea what my browser is capable of. Can it silently turn on
my camera and microphone? Probably. Can it make all sorts of crazy p2p
connections to various servers/clients silently? Probably. It's all a little
scary.

~~~
csense
> no one seems to care

Article about browser feature creep, currently on frontpage:
[https://news.ycombinator.com/item?id=9961613](https://news.ycombinator.com/item?id=9961613)

People do care about this stuff. Maybe not enough people, and maybe not the
right people to do anything about it. But there are people right here on HN
who do care about this stuff.

~~~
drzaiusapelord
I was pleasantly surprised to see that article on the front page. It wasn't up
when I posted my comment. I do hope this becomes a major issue.

------
therealmarv
Chrome users, look here:
[https://chrome.google.com/webstore/detail/webrtc-block/nphkkbaidamjmhfanlpblblcadhfbkdm](https://chrome.google.com/webstore/detail/webrtc-block/nphkkbaidamjmhfanlpblblcadhfbkdm)
or
[https://chrome.google.com/webstore/detail/webrtc-leak-prevent/eiadekoaikejlgdbkbdfeijglgfdalml](https://chrome.google.com/webstore/detail/webrtc-leak-prevent/eiadekoaikejlgdbkbdfeijglgfdalml)

~~~
Semaphor
For Chrome, uBlock Origin also has the option to prevent WebRTC IP leaks:
[https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm)

~~~
therealmarv
How cool, thanks. Have not seen that before!

~~~
Semaphor
This and uMatrix
([https://github.com/gorhill/uMatrix/wiki](https://github.com/gorhill/uMatrix/wiki))
both forked from HTTP Switchboard.

uBlock is an adblocker, uMatrix has finely grained matrix controls for which
http requests are even allowed to go through and requires tuning for most
sites. I like having both :)

------
Grue3
What the fuck, this leaked your real IP behind VPN since January 2014 and this
isn't fixed yet? This sure looks like a Heartbleed-tier high-priority security
hole to me. How is this not bigger news?

~~~
billyhoffman
Leaking a client IP address is not even near the same universe of severity as
remotely obtaining a web server's private TLS key. Given the lack of perfect
forward secrecy used by web servers at the time, Heartbleed was a "read any
encrypted traffic sent by the server, ever" issue.

~~~
diafygi
WebRTC doesn't just leak the client IP address, it also leaks the public IP
address of all network interfaces on the machine. If you're on a VPN, it can
mean you leak your real IP address, too. Many Chinese use VPNs to circumvent
censorship or participate in speech, so leaking your real IP address is
potentially life threatening.

~~~
billyhoffman
Yes, and Java can leak your real IP address and Flash can leak your real IP
address.

If your attack scenario is trying to circumvent authoritative governments,
don't use a web browser with extra features or plugins like WebRTC turned on.

"Hiding users' true IP at all costs who are using a VPN" is not a
reasonable design expectation for mainstream browsers. They are fixing bugs
and adding features. This is an extreme edge case at best for them.

~~~
diafygi
You listed two things that are optional plugins and are being aggressively
deprecated.

The vast majority of Chinese users who use VPNs aren't technologically savvy
and just want to read the NYTimes or watch Netflix. Now any embedded ad or
tracker can rat them out[1]. We shouldn't ask them to jump through 15 hoops or
deal with the slowness of Tor. A VPN offers a very good compromise of ease
vs. security for casual users.

[1]: [https://webrtchacks.com/dear-ny-times/](https://webrtchacks.com/dear-ny-times/)

------
j-pb
In other news, Mozilla is considering the restriction of IPv6, because it
leaks the internal IP.

(VPN leakage is a valid concern though)

~~~
kuschku
VPN leakage, like the NYT did, is definitely a concern that can’t be
dismissed.

------
newscracker
I hope Mozilla takes a quick decision on this based on its own principles.
This sentence saying "we are considering adding an extension" seems to be in
stark contrast with the way Pocket was added into the main browser instead of
being an ad or recommendation on the new tab page.

------
higherpurpose
Why can't they just disable WebRTC by default and ask the user for permission
like they do with location and so on, without revealing the IP _before_ the
user accepts the connection? Also, maybe the user could easily whitelist some
connections/WebRTC IDs?

~~~
jon-wood
I'm not sure asking permission really helps. With things like location and
video end users at least know what it means, and can make a somewhat educated
choice. How do you properly ask an uneducated user the question "Should this
site be allowed to open an arbitrary data connection?" - sites that want to
will think of some vaguely plausible reason and users will click away.

------
arca_vorago
I submitted this a few weeks ago and it got removed from the front page, but I
think it's relevant for anyone interested.

[https://news.ycombinator.com/item?id=9900168](https://news.ycombinator.com/item?id=9900168)

------
pornel
How about not disabling it, but merely making use of it visible? (e.g. an icon
or a notice in the addressbar)

It would discourage reputable sites from abusing it, because users would start
asking questions why a news site wants a p2p/videoconference connection.

~~~
hyperpape
Because if you really need to be anonymous, it's not good enough to catch it
being used after the fact.

Notifying the user after the fact sometimes works for things that are
nuisances, but isn't good for privacy/security (imagine if your browser would
execute unsandboxed JS and show you an icon each time it did it).

~~~
sp332
It wouldn't have to be after the fact. Firefox already has a little pop-up
when sites want to get your location. The options are yes/no/never for this
site.

~~~
hyperpape
Definitely, though that's not the suggestion I was responding to.

------
azdle
Is there another problem besides leaking your IP address(es)? It sure sounds
like that could pretty easily be solved by just sending hashes of the IP
addresses along with the salt used to make the hashes. Then the receiver could
compare its own hash and know if it's on the same network.

I suppose there might be a problem with IPv4 since there are so few IP
addresses, so you'd still be vulnerable to targeted attacks, but it would
solve the ad network problem.

Am I missing something or just underestimating the usefulness of hashing?
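
An added example, not part of the comment above or of any WebRTC implementation: it works through the salted-hash idea with an assumed construction, SHA-256 over the salt followed by the packed address, and measures how much work covering the private IPv4 ranges takes. All function names and the construction are assumptions made for illustration; 192.168.1.10 is the sample address used elsewhere in this thread.

```python
import hashlib
import hmac
import ipaddress

# RFC 1918 private IPv4 ranges: the whole space a LAN address can come from.
PRIVATE_RANGES = ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")


def salted_hash(ip: str, salt: bytes) -> str:
    """Assumed construction: SHA-256(salt || 4-byte packed address)."""
    return hashlib.sha256(salt + ipaddress.ip_address(ip).packed).hexdigest()


def matches_own_address(my_ip: str, salt: bytes, received: str) -> bool:
    """What the receiving peer would do: hash its own address and compare."""
    return hmac.compare_digest(salted_hash(my_ip, salt), received)


def search_space(ranges=PRIVATE_RANGES) -> int:
    """Number of addresses that must be tried to cover the given ranges."""
    return sum(ipaddress.ip_network(r).num_addresses for r in ranges)


def recover(salt: bytes, received: str, ranges=("192.168.0.0/16",)):
    """Try every address in the ranges. The salt travels with the hash, so it
    adds no secrecy. Returns (address, attempts) or (None, attempts)."""
    attempts = 0
    for r in ranges:
        for ip in ipaddress.ip_network(r):
            attempts += 1
            if hashlib.sha256(salt + ip.packed).hexdigest() == received:
                return str(ip), attempts
    return None, attempts


if __name__ == "__main__":
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed salt
    sent = salted_hash("192.168.1.10", salt)
    print("same address:", matches_own_address("192.168.1.10", salt, sent))
    print("recovered:", recover(salt, sent))
    print("private IPv4 addresses in total:", search_space())
```

Passing all three blocks as `ranges` raises the work to about 17.9 million hashes.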

------
realusername
I don't really understand how it can leak the real IP address when using VPN.
Since everything is going to the VPN anyway, how would this work?

~~~
HappyTypist
Your network interface still has information about your regular internet
connection, even when connected through a VPN. Local apps can query this
information. WebRTC clients do this in order to assist setting up direct
connections -- it doesn't know you're using a VPN, and will happily hand over
info about your network interface to any site.
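
An added example, not from the thread or from any browser's code: a small parser for ICE candidate lines in SDP that lists which addresses a candidate set discloses and whether each is an RFC 1918 private address. The sample lines are constructed; 10.8.0.6 stands in for a VPN tunnel interface, and the 203.0.113.x and 198.51.100.x documentation addresses stand in for public ones.

```python
import ipaddress

# RFC 1918 ranges, listed explicitly because ipaddress.is_private also treats
# the documentation ranges used in the sample as private.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, not captured traffic.
SAMPLE_SDP = """\
a=candidate:1 1 udp 2122260223 192.168.1.10 54321 typ host
a=candidate:2 1 udp 2122194687 10.8.0.6 54322 typ host
a=candidate:3 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 192.168.1.10 rport 54321
a=candidate:4 1 udp 41885439 198.51.100.20 3478 typ relay raddr 203.0.113.7 rport 54321
"""

def parse_candidate(line):
    """Parse one 'a=candidate:' line; return None for any other SDP line."""
    prefix = "a=candidate:"
    if not line.startswith(prefix):
        return None
    f = line[len(prefix):].split()
    if len(f) < 8 or f[6] != "typ":
        return None  # malformed candidate
    extras = dict(zip(f[8::2], f[9::2]))  # trailing name/value pairs
    return {"address": f[4], "type": f[7], "raddr": extras.get("raddr")}

def scope(address):
    """IPv4 only: 'private' (RFC 1918) or 'public'; 'other' for the rest."""
    try:
        ip = ipaddress.IPv4Address(address)
    except ValueError:
        return "other"  # IPv6 literal or a hostname
    return "private" if any(ip in n for n in RFC1918) else "public"

def disclosed_addresses(sdp):
    """Return (address, scope, source) for each distinct address, in order."""
    seen, out = set(), []
    for line in sdp.splitlines():
        cand = parse_candidate(line.strip())
        if cand is None:
            continue
        pairs = [(cand["address"], cand["type"])]
        if cand["raddr"]:
            pairs.append((cand["raddr"], "raddr of " + cand["type"]))
        for address, source in pairs:
            if address not in seen:
                seen.add(address)
                out.append((address, scope(address), source))
    return out
```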

------
erkose
If Mozilla is really concerned with leaking user information, then the
extension should extend the use of WebRTC with a default to restrict the use
of WebRTC

------
dont_care
Wow, big deal. An _extension_. Oh noes.

Plug-ins and extensions are, like, mostly non-existent entities, when released
under circumstances without any actual demand for them. (compare/contrast:
Java to AdBlock)

    > But-but-but evil corporate overlords!

So what? They can do whatever they want on their core networks, so long as it
doesn't bleed outside their edge.

------
ilaksh
If they restrict WebRTC then they restrict decentralization and that would
move Mozilla out of the Freedom column and into the Fascism column with
Microsoft.

~~~
skrebbel
Do you know what "Fascism" means?

------
anfedorov
The external IP is leaked, too! Clearly this peer to peer encrypted video
protocol needs to be restricted, for the good of privacy and security, of
course.

Sarcasm aside, what good can 192.168.1.4 possibly be to anyone?

~~~
pjc50
It makes it somewhat easier to XSS into your router.

(P2P encrypted video? Great. P2P systems in the browser driven by Javascript
from any web page or ad network? Less great idea there.)

~~~
jnbiche
Can you expand on this, please? How does it make it easier to XSS?

~~~
chadrs
Well, I'm not sure about XSS, but imagine you know someone's home IP is:

192.168.1.10

Based on this, you can probably guess the router is 192.168.1.1 and maybe even
have a clue about the vendor based on the IP assigning patterns.

Then you can direct them to a page with an submitting POST <form> that makes
modifications to their router settings. This is more like CSRF than XSS
though.

~~~
malka
funny, of all the routers I used (all were provided by my ISP), their IP were
192.168.1.254

