[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Please help evaluate WebRTC for Tor Browser safety



There seems to be a lot of interest in WebRTC Tor safety lately on this
list. The simple https://diafygi.github.io/webrtc-ips/ PoC does not work
against Tor Browser for two reasons:

1. We don't compile in WebRTC at all.
2. We set the pref 'media.peerconnection.enabled' to false.

We would like to change property #1 so that it is easier to support
QRCode-encoded bridge entry and bridge sharing in Tor Launcher
(https://trac.torproject.org/projects/tor/ticket/14837). In my testing,
and according to Mozilla security engineers, it should be safe for us to
compile WebRTC in and set media.peerconnection.enabled to false, but
there may be other vectors to this code that we've all missed to date.

Hence, this is a request to interested parties to try harder to bypass
Tor in a stock Firefox using WebRTC and associated protocols (RTSP,
SCTP) with media.peerconnection.enabled set to false. Again, the
existing PoC fails in this case for me, but we need more in-depth tests.

For more info, see:
https://trac.torproject.org/projects/tor/ticket/14836 and
https://gitweb.torproject.org/tor-browser-spec.git/tree/audits/FF31_NETWORK_AUDIT

-- 
Mike Perry

Attachment: signature.asc
Description: Digital signature

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk