
Let's Reverse Engineer Discord - Pneumaticat
https://medium.com/tenable-techblog/lets-reverse-engineer-discord-1976773f4626
======
gfodor
This is common and necessary for WebRTC SFUs, which perhaps is why Discord
does it to support the least common denominator of their web browser based
clients.

Edit: Yep, I thought I remembered reading this. Their voice servers are WebRTC
SFUs. So this is basically state-of-the-art when it comes to voice over
WebRTC. End to end encryption in WebRTC is not possible if you are using a
SFU. [https://blog.discordapp.com/how-discord-handles-two-and-
half...](https://blog.discordapp.com/how-discord-handles-two-and-half-million-
concurrent-voice-users-using-webrtc-ce01c3187429)

~~~
gzer0
End to end encryption in WebRTC is indeed possible even if you are using an
SFU, this is achieved via Privacy Enhanced RTP Conferencing (PERC).

[1]. [https://www.callstats.io/blog/2018/06/01/examining-srtp-
doub...](https://www.callstats.io/blog/2018/06/01/examining-srtp-double-
encryption-procedures-for-selective-forwarding-perc)

~~~
gfodor
No, it’s not, because PERC is a proposal and is not implemented in any
browsers.

~~~
gzer0
That does not mean it isn't possible; the implementation simply has not
occurred.

~~~
gfodor
That’s a pretty unique definition of “possible!”

You can just admit you googled it and didn’t realize it was not something you
can do today in browsers, it’s ok :)

~~~
ianlevesque
You must be new here ;)

------
coenhyde
I don't think Discord makes any claims that the audio is P2P encrypted. There
are legitimate reasons why Discord might be dropping malformed packets, apart
from an indication that they are spying on you (they may be doing that too).

1) to improve audio quality.

2) to help prevent RCE attacks on the destination client.

3) re-encoding at lower bitrates for low bandwidth clients.

I don't really see the issue here unless Discord claimed they do not decrypt
the audio.

~~~
franga2000
3) is most certainly at play here, as Discord allows clients to set their
preferred bitrate (RX&TX), which would not be possible in multi-party calls
without re-encoding.

~~~
FractalParadigm
Could they not just drop the quality of the _whole call_ down to the lowest
bandwidth allowed by a user? I feel that would reduce a computational burden
on Discord's end, while allowing the lowest client-to-client latency

~~~
duskwuff
Keep in mind that a major use case for Discord is open voice chats (e.g, for
gaming groups), not just organized person-to-person calls. Having the quality
for a whole chat drop just because someone joined from a mobile phone would be
a really disappointing user experience.

~~~
ollien
This is absolutely something that Discord does, though. I've had friends just
drop the bitrate slider as low as possible in Discord just to make the whole
channel sound awful

~~~
caffeinewriter
That's a channel-specific option though. You can set per-channel bitrate, but
it's not something Discord does automatically to accommodate lower throughput
clients.

------
orliesaurus
The problem is... There still isn't a clear business model for discord, the
advantages of having premium (nitro) are almost non-existing. That's not an
excuse for privacy, I know...

They tried to create a small competitor to Steam's game marketplace but it
didn't work out. They're back to the drawing table. Honestly, that's actually
really good for free users, like myself, because we can simply use discord's
wide array of functionalities for free: Seamless audio and video sharing, wide
extensibility of the platform through APIs and bots, simple file-sharing, chat
persistency, mobile clients + web client, ability to pick server location,
codecs, moderation tools...and the best feature in my opinion...their amazing
changelogs popups.

Honestly security wise it might not be very clear, as per this article, where
they stand today, I am still super stoked about every other aspect.

~~~
dyeje
Discord trying to take on Epic and Steam to create a marketplace was perhaps
the worst move I've seen in the past few years. Steam is entrenched and Epic
is printing money.

Discord needs to capitalize on its greatest asset: a massive community. To me,
the obvious path forward is doing Patreon like features for servers and
perhaps trying to break into the streaming market.

~~~
krige
When Discord was making that move, Epic store did not exist, the period when
both stores existed was rather short and unevnentful, discord's being on clear
decline, epic's not even bare bones and tossing money on any and all early
access games in sight.

~~~
lowdose
Why isn't Epic buying Discord?

~~~
AQuantized
What would that get them? It's already clear that Discord's community doesn't
translate into success for an associated game distribution platform.

------
Teknoman117
I'm fairly certain that this is the default behavior of WebRTC SFUs? (all that
I've seen at least) (SFU = Selective Forwarding Unit)

Unless Discord claimed they were P2P encrypted this shouldn't be a witch hunt.
It's the default behavior for most WebRTC systems.

The clients establish (encrypted) connections to the SFU(s). The SFU then
reads incoming data and forwards it to whichever other clients are supposed to
be receiving it. However, they maintain state per client and possibly do
things like transcoding audio and video if the receiving client can't handle
the source quality.

------
bgitarts
Just because invalid encrypted data is being dropped doesn't automatically
mean the server is decrypting the data. It's possible to verify an encrypted
message is valid without seeing it's content.

~~~
Mandatum
It's not possible to validate a message without decrypting it. You can verify
a signed message, if that's what you mean?

This proves parsing or filtering is happening on Discord's end to the
decrypted message.

------
mmastrac
Yikes

> We tested this malformed audio packet dispatch at various points during a
> voice call and consistently watched all malformed audio packets dropped by
> the server, which means that Discord servers are actively decrypting and
> inspecting all audio/video communications in real-time and not just some.

~~~
senectus1
fuck.

Is it really too much to ask for/expect a modicum of decency with these
services?

~~~
nightfly
When you are paying $0.00 for the service? And in this case they are dropping
malformed data, which could easily protect their users from malware that
exploits weaknesses in the media codecs.

~~~
znfi
I find this notion that you should be absolved of all responsibilities just
because you give it away for free to be completely wrong. They should still be
transparent about what they are doing.

This notion also does not translate very well to things which are not related
to IT. I use a very large number of things in my daily life which I am not
paying for but I still expect them to work and be safe. Or would be it be fine
if I take an elevator and it falls down and kills me? Or whoops, I got a free
candy which turned out to contain toxins. I guess I didn't pay for the service
so why do I have some expectations for it to work or be safe?

~~~
ip26
If we're going to wander off into metaphor, this seems more analogous to a
doorman refusing to allow you to bring your 800lb gorilla (sneakily dressed as
your child) onto the elevator.

~~~
znfi
I guess I could have been more clear. I was not primarily discussing this
particular case of what Discord is doing. Instead of I was against the notion
that I cannot have any expectations because something is free.

If you want to argue that Discords measure in this case are fair then I'm fine
with that, but just something like "STFU the service is free" is not enough
when it comes to these companies with massive impact on society, IMO at least.

Edit: After thinking about this a bit more, I guess the point is that if they
are just dropping (potentially) malicious data, or in your case not letting a
gorilla through the door. This does not have anything to do with the service
being free as far as I can see, they can be argued for independently.

Instead I see people defending questionable behavior by pointing out that the
service is free. And the point I tried to make originally was that I would
like to at least be informed about the questionable behavior, so I have a
chance to take this extra "cost" into account when I select a product.

~~~
kiba
I don't think people are defending the service just because it's free.

We simply cannot expect something to be had for free without making money to
support the service. Unfortunately, one way to monentize the service is to
sell user data.

------
Animats
Discord privacy policy:

 _In an ongoing effort to better understand and serve the users of the
Services, we may conduct research on our customer demographics, interests and
behavior based on the information collected. This research may be compiled and
analyzed on an aggregate basis, and we may share this aggregate data with our
affiliates, agents and business partners. We may also disclose aggregated user
statistics in order to describe our services to current and prospective
business partners, and to other third parties for other lawful purposes._

For example, they could do sentiment analysis on corporate chat, track it over
time, and see which companies show patterns indicating trouble. Then they
could short the stock, buy put options, or suggest to their "current and
prospective business partners" that low-ball acquisition offer would be
appropriate.

~~~
mapcars
Is discord known to be used in corporate sector? I think so far it's dominated
by Slack and Discord is mostly used by games/communities.

~~~
duskwuff
I'm sure there are _some_ businesses using Discord, but they aren't the target
audience. The branding and feature set of Discord all make it very clear that
it's targeted at PC gamers.

~~~
uncle_j
There are a lot of smaller open source projects that are using Discord instead
of IRC. I am a member of Reshade, C# OpenTK and general programming servers.

~~~
rawfan
I actually know many opensource projects that moved from the clunkyness of
Slack to Discord.

In all fairness, though, the recent releases of Slack made it pretty snappy.

~~~
munmaek
My 70 kb/s connection disagrees. I was barely able to get slack to load, when
it did load.

~~~
uncle_j
I work in an office with poor reception and it is quite annoying that these
apps don't really work unless you are on 3G or better.

------
Arathorn
fwiw, the approach we're looking at in Matrix is to have E2E-encrypted SFUs,
as per [https://github.com/matrix-org/matrix-
doc/blob/matthew/msc235...](https://github.com/matrix-org/matrix-
doc/blob/matthew/msc2359/proposals/2359-e2ee-voip-conferencing.md)

~~~
ryukafalz
This is exciting! I like Jitsi in general, but I would much prefer native
conferencing.

Do you know if there are plans to support Discord-style persistent voice
rooms?

------
jokoon
Wasn't skype originally P2P? I wish there was a simple windows voip client
that was doing p2p voip.

I often experience cuts with skype and discord, I think their servers can have
a hard time handling low latency properly.

~~~
csunbird
It was and because of that a lot of people were hacked, since skype could be
used to run remote code by leveraging a couple of bugs existed in skype
application.

That is one of two reasons why Microsoft switched to server-client model
instead of p2p connection.

Other being having control of the service and with call and message history
makes more money of course.

~~~
superkuh
That is an interesting perception of history. What it looked like legally was
p2p was working great and skype was massively rising in popularity. But the US
federal government could not stand encrypted peer to peer communications. So
they told their good friends over at eBay to buy the company. eBay messed it
up and only bought the license for the name and not the actual code and p2p
backend. Things continued working well for a while. But the feds still weren't
happy. So they had their other friends at Microsoft actually purchase the
technology and then immediately destroy it and switch to a centralized model.

You can read the story at: [https://arstechnica.com/information-
technology/2018/09/skype...](https://arstechnica.com/information-
technology/2018/09/skypes-secrets/4/)

>For the second time, Zennström and Friis cashed in on selling Skype. That's
because, instead of giving eBay the critical base technology that kept Skype
going (the P2P system known as "Global Index"), Zennström's and Friis's
company Joltid still owned it—they simply licensed it to Skype. The whole
situation devolved into threats of litigation until a 2009 settlement gave
Zennström and Friis a chunk of Skype ownership, which made them even more
money when Microsoft bought the company.

------
867-5309
they pretty much claim ownership for anything and everything you submit to
them. they need it in some useable format, which "encrypted" is not. what they
use their data for is not our concern, since we no longer own it

from their ToS:

"Any data, text, graphics, photographs and their selection and arrangement,
and any other materials uploaded to the Service by you is “Your Content.”"

"By uploading, distributing, transmitting or otherwise using Your Content with
the Service, you grant to us a perpetual, nonexclusive, transferable, royalty-
free, sublicensable, and worldwide license to use, host, reproduce, modify,
adapt, publish, translate, create derivative works from, distribute, perform,
and display Your Content in connection with operating and providing the
Service"

------
atesti
The article links to
[https://github.com/tenable/DiscordClient](https://github.com/tenable/DiscordClient)
but this has been deleted. Does someone have a mirror?

~~~
ihuman
I'm confused. The link in your comment leads to a live repo.

~~~
atesti
It's working for me, too. When I wrote my comment, there was just a 404. Maybe
it was restored?

------
thrower123
I keep reading this title, and thinking that it's going to propose a final
solution to the vim vs emacs debate, or tabs vs spaces, or one of the other
fonts of engineer discord.

