[whatwg] PeerConnection: encryption feedback
Glenn Maynard
glenn at zewt.org
Wed Mar 23 16:06:16 PDT 2011
On Wed, Mar 23, 2011 at 6:25 PM, Harald Alvestrand <harald at alvestrand.no>wrote:
> The STUN server is used to obtain your own "public" IP address, for
> constructing candidate lists.
> The STUN server is not involved in the ICE handshake.
>
The STUN server is not. I believe the STUN *protocol* (packet format),
however, is. See RFC5245 section 2.2 "Connectivity Checks".
On Wed, Mar 23, 2011 at 6:43 PM, Ian Hickson <ian at hixie.ch> wrote:
> directly. The concern is presumably about whether the TURN server, the
> remote peer, and the page origin can collude to cause the browser to
> attack the victim directly.
>From a *cursory* (an hour or so) examination of the ICE and STUN protocols,
it appears that even if the web server, STUN/TURN server(s) and a remote
peer are hostile, it should not be possible to convince a user's browser
(via its ICE agent) to send packets to an arbitrary IP and port. It should
only be possible to send packets to an IP which has handshaked a port via
ICE. Obviously, this needs to be confirmed by an expert in these protocols.
*If* that's accurate, does that remove the masking requirement? 16 bytes
per packet is significant overhead to pay if it's not needed.
--
Glenn Maynard
More information about the whatwg
mailing list