1189030 - Add an about:config pref to disable non-relay ICE candidates

Status: VERIFIED FIXED

(Core :: WebRTC: Networking, defect, P1)

Description

[Randell Jesup [:jesup] (needinfo me)]

This will allow locking a browser down to relay candidates, stopping it from exposing LAN and external IP addresses.  Note that the TURN server will see your external IP address, so this alone is not protection against a site trying to determine who/where you are without other mechanisms as well.

This does help protect against one class of privacy failure, the "protection order" case, where someone is trying to obscure their physical (or even just network) address from other users of a service.  Without this, calling someone could expose your external address to the other party, who then may be able to geolocate you.

It also may be used in conjunction with other mechanisms to obscure location from a service.

Comment 1

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

A thought: If we do Bug 1187775 first then we could probably do this all in PeerConnection.js

Comment 2

[Byron Campen [:bwc]]

We probably have to do this deeper down. If we gather host or srflx, we'll use them for STUN checks otherwise, which is probably not optimal.

Comment 3

[Byron Campen [:bwc]]

Also, if we really want to prevent srflx from getting out (this information is already available to any web page...), those will be revealed by the STUN checks we send.

Comment 4

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

Of course, I just meant we could check the pref (e.g. "media.peerconnection.ice.relay_only") in PeerConnection.js and override RTCConfiguration.iceTransportPolicy there to "relay" if the pref is set.

AFAICT the pref and iceTransportPolicy = "relay" are identical, right?

http://w3c.github.io/webrtc-pc/#idl-def-RTCIceTransportPolicy.relay says:

"relay - The ICE engine MUST only use media relay candidates such as candidates passing through a TURN server. This can be used to reduce leakage of IP addresses in certain use cases."

Comment 5

[Byron Campen [:bwc]]

Oh, I see. That would work.

Comment 6

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

Attachment: MozReview Request: Bug 1189030 - Add pref "media.peerconnection.ice.relay_only" (default=false)

Bug 1189030 - Add pref "media.peerconnection.ice.relay_only" (default=false)

Comment 7

[Randell Jesup [:jesup] (needinfo me)]

Comment on attachment 8641084 [details]
MozReview Request: Bug 1189030 - Add pref "media.peerconnection.ice.relay_only" (default=false)

https://reviewboard.mozilla.org/r/14431/#review13077

::: dom/media/PeerConnection.js:326
(Diff revision 1)
> +    // TODO: Update this code once we support pc.setConfiguration, to track

Add bug number

Comment 8

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

Comment on attachment 8641084 [details]
MozReview Request: Bug 1189030 - Add pref "media.peerconnection.ice.relay_only" (default=false)

Bug 1189030 - Add pref "media.peerconnection.ice.relay_only" (default=false)

Comment 9

[Randell Jesup [:jesup] (needinfo me)]

Comment on attachment 8641084 [details]
MozReview Request: Bug 1189030 - Add pref "media.peerconnection.ice.relay_only" (default=false)

https://reviewboard.mozilla.org/r/14431/#review13137

Ship It!

Comment 10

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

Comment on attachment 8641084 [details]
MozReview Request: Bug 1189030 - Add pref "media.peerconnection.ice.relay_only" (default=false)

Bug 1189030 - Add pref "media.peerconnection.ice.relay_only" (default=false)

Comment 11

[Randell Jesup [:jesup] (needinfo me)]

Comment on attachment 8641084 [details]
MozReview Request: Bug 1189030 - Add pref "media.peerconnection.ice.relay_only" (default=false)

https://reviewboard.mozilla.org/r/14431/#review13379

Ship It!

Comment 12

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/bdb808a2dd66

Comment 13

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/bdb808a2dd66

Comment 14

[Maire Reavy [:mreavy]]

[Tracking Requested - why for this release]:
Plan is to uplift this into 41 to support an extension that can mitigate these issues ASAP (see mail to drivers)

Comment 15

[Ritu Kothari (:ritu) (Inactive, please n-i to RyanVM, jcristau, or pascal)]

Tracked as this work is planned to ship in FF41.

Comment 16

[Randell Jesup [:jesup] (needinfo me)]

Comment on attachment 8641084 [details]
MozReview Request: Bug 1189030 - Add pref "media.peerconnection.ice.relay_only" (default=false)

Approval Request Comment
[Feature/regressing bug #]: N/A

[User impact if declined]: inability to force relay use (important for hiding your public IP address from caller/callee; the protection-order use-case).

[Describe test coverage new/current, TreeHerder]: manual testing (likely will be used for TURN mochitests as well)

[Risks and why]: extremely low risk; should be basically none when the pref isn't set.

[String/UUID change made/needed]: none

Comment 17

[Randell Jesup [:jesup] (needinfo me)]

Comment on attachment 8641084 [details]
MozReview Request: Bug 1189030 - Add pref "media.peerconnection.ice.relay_only" (default=false)

removing aurora request; landed in 42 before uplift

Comment 18

[Ritu Kothari (:ritu) (Inactive, please n-i to RyanVM, jcristau, or pascal)]

Comment on attachment 8641084 [details]
MozReview Request: Bug 1189030 - Add pref "media.peerconnection.ice.relay_only" (default=false)

This patch seems safe as it's just adding a pref setting and has baked in Nightly for over 2 weeks. Beta+

Comment 19

[Ritu Kothari (:ritu) (Inactive, please n-i to RyanVM, jcristau, or pascal)]

Requesting QE team to test these "IP address leak" issue related bugs if possible.

Comment 20

[Justin Wood (:Callek)]

(In reply to Ritu Kothari (:ritu) from comment #18)
> Comment on attachment 8641084 [details]
> MozReview Request: Bug 1189030 - Add pref
> "media.peerconnection.ice.relay_only" (default=false)
> 
> This patch seems safe as it's just adding a pref setting and has baked in
> Nightly for over 2 weeks. Beta+

Pushed to beta with some prefs file fuzz. Also misattributed (sorry)

https://hg.mozilla.org/releases/mozilla-beta/rev/b14997797205

Comment 21

[[SV Manager] Florin Mezei, QA (:FlorinMezei)]

(In reply to Ritu Kothari (:ritu) from comment #19)
> Requesting QE team to test these "IP address leak" issue related bugs if
> possible.

Could we get some clearer testing details here... what issues are we talking about and how can we reproduce and verify them?

Comment 22

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

Um, this'll do bupkis on beta without Bug 1187775, which it depends on.

Should we request uplift on that bug as well? If not, we should probably back this out of beta to not confuse people, since this makes a new pref visible in about:config that wont do anything without that other bug.

Comment 23

[Randell Jesup [:jesup] (needinfo me)]

Maire and I talked, and given the size of the patch for bug 1187775 (though it's not an overly-complex patch, it's fairly large), we should back this out of beta.

Comment 24

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

(In reply to Florin Mezei, QA (:FlorinMezei) from comment #21)
> (In reply to Ritu Kothari (:ritu) from comment #19)
> > Requesting QE team to test these "IP address leak" issue related bugs if
> > possible.
> 
> Could we get some clearer testing details here... what issues are we talking
> about and how can we reproduce and verify them?

meta: https://bugzilla.mozilla.org/showdependencytree.cgi?id=1189167&hide_resolved=0

Broadly, the problem is leaking IP addresses to sites like https://ipleak.net

But there are lots of different network configurations to consider, like VPNs. Limitations are typically built as about:config prefs or hooks that add-ons can flip.

This particular bug adds a pref to restrictively limit all WebRTC traffic to routes through TURN servers (which content must provide) and nothing else, which avoids producing and revealing any host IP or server-reflexive IP candidates (addresses) at all to content. http://jsfiddle.net/ha4zpa2g

Comment 25

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

The task for each feature is to allow for situations where WebRTC can (be configured to) work (somewhat) without leaking IP addresses (Today, the only option for users who are concerned about IP leakage, is to turn WebRTC off).

So there are two things to test: that IP is not leaked, and that something works at the same time that wouldn't work if you turned WebRTC off.

Comment 26

[Vasilica Tamas, QA [:vtamas]]

Confirm that media.peerconnection.ice.relay_only pref is set to false by default in Firefox 43.0a1 (2015-08-25), Firefox 42.0a2 (2015-08-25) and Firefox 41 Beta 4 under Windows 7 64-bit, Ubuntu 14.04 32-bit and Mac OS X 10.9.5.

I have noticed an issue: the WebRTC IP is successfully detected on Firefox 41 Beta 4 (20150824144923) even with media.peerconnection.ice.relay_only set to true. Tested using https://ipleak.net/ across all platforms.
This issue does not reproduce on latest Nightly and latest Dev Edition.

Any thoughts about this?

Comment 27

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

See comment 22 and comment 23

Comment 28

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

Justin, we should back this out of beta per comment 23 so the pref is not visible (comment 26).

Comment 29

[Justin Wood (:Callek)]

(In reply to Jan-Ivar Bruaroey [:jib] from comment #28)
> Justin, we should back this out of beta per comment 23 so the pref is not
> visible (comment 26).

I did the landing per request from :ritu when others were unavailable. Ryan can you achieve this during your next beta round please?

Comment 30

[Ryan VanderMeulen [:RyanVM]]

On it.

Comment 31

[Vasilica Tamas, QA [:vtamas]]

Based on Comment 26 and Comment 28, I am marking this bug as Verified Fixed.

Comment 32

[Randell Jesup [:jesup] (needinfo me)]

Yeah, I had planned to back it out of beta on my own.  Thanks Ryan

Comment 33

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-beta/rev/1de33831c9c7