[guardian-dev] WebRTC

Michael Rogers michael at briarproject.org
Wed Aug 7 09:53:42 EDT 2013



On 07/08/13 13:27, Timur Mehrvarz wrote:
> I can now demonstrate how WebRTC traffic can be 
> redirected/relayed/forwarded (not using ICE/TURN) so it becomes 
> impossible for clients to discover each other's IP addresses etc.,
> while still using WebRTC end-to-end encryption. 
> http://mehrvarz.github.io/rtcchat2/#relayed

"Starting a session, both browsers will send their SDP (Session
Description Protocol) "offers" and "answers" over HTTPS to the rtc
chat rendezvous service. To establish a relayed WebRTC communication
link, the rendezvous service will modify the SDP data on the fly."

It worries me that the clients don't detect this modification! Isn't
there any end-to-end integrity checking in SDP?

Cheers,
Michael
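
Added example (not part of the original message and not rtcchat2 code): SDP carries no signature of its own, so a client can only notice an on-the-fly rewrite by comparing the SDP it received with a copy of what the peer sent, and the line that matters most is `a=fingerprint`, because the DTLS handshake is verified against it. Assumptions: the sender's copy reaches the receiver over a channel the rendezvous service does not control, and the sample SDP, the relay address, and the names `compareSdp`, `summarize` and `verdict` are constructed for illustration.

```javascript
// Constructed sample offer; addresses are documentation ranges and the
// fingerprint is shortened for readability (a real sha-256 value is 32 bytes).
const SENT = [
  "v=0",
  "o=- 46117317 2 IN IP4 127.0.0.1",
  "s=-",
  "t=0 0",
  "m=application 9 DTLS/SCTP 5000",
  "c=IN IP4 192.0.2.10",
  "a=ice-ufrag:F7gI",
  "a=fingerprint:sha-256 AA:BB:CC:DD",
  "a=candidate:1 1 udp 2122260223 192.0.2.10 54321 typ host",
].join("\r\n");
// Hypothetical rewrite by a signalling service: peer address replaced by a relay.
const RELAYED = SENT.replace(/192\.0\.2\.10/g, "198.51.100.7");
// Hypothetical rewrite that also substitutes the DTLS certificate fingerprint.
const SWAPPED = RELAYED.replace("AA:BB:CC:DD", "11:22:33:44");

// Group SDP lines into fingerprint, transport address, and everything else.
function summarize(sdp) {
  const lines = sdp.split(/\r?\n/).filter(Boolean);
  const isFp = (l) => l.startsWith("a=fingerprint:");
  const isAddr = (l) => l.startsWith("c=") || l.startsWith("a=candidate:");
  return {
    fingerprints: lines.filter(isFp).map((l) => l.slice(14).trim().toLowerCase()),
    transport: lines.filter(isAddr),
    other: lines.filter((l) => !isFp(l) && !isAddr(l)),
  };
}

// Compare what one side sent with what the other side received.
function compareSdp(sent, received) {
  const a = summarize(sent), b = summarize(received);
  const same = (x, y) => x.length === y.length && x.every((v, i) => v === y[i]);
  return {
    fingerprintChanged: !same(a.fingerprints, b.fingerprints),
    transportChanged: !same(a.transport, b.transport),
    otherChanged: !same(a.other, b.other),
  };
}

// A changed fingerprint means the DTLS peer may no longer be the original sender.
function verdict(sent, received) {
  const d = compareSdp(sent, received);
  if (d.fingerprintChanged) return "fingerprint-replaced";
  if (d.transportChanged || d.otherChanged) return "modified-fingerprint-intact";
  return "unmodified";
}
```

An address-only rewrite leaves the fingerprint intact, so the media path changes but the DTLS endpoint does not; a replaced fingerprint is the case that breaks end-to-end encryption.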


