[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #29205 [Obfuscation/Snowflake]: Look into using Firefox for the WebRTC implementation
#29205: Look into using Firefox for the WebRTC implementation
-----------------------------------+---------------------------
Reporter: cohosh | Owner: (none)
Type: task | Status: new
Priority: Medium | Milestone:
Component: Obfuscation/Snowflake | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor: Sponsor19
-----------------------------------+---------------------------
Comment (by cohosh):
Replying to [comment:5 arma]:
> I had thought the idea here was to drive an actual firefox to talk
webrtc to the snowflakes. That way Tor users would be talking webrtc just
like firefox, because it *would* be firefox. Rather than linking in a
library and trying to call it in the same ways that Firefox calls it (and
react to errors and network conditions etc in the same way that Firefox
reacts).
>
> And we picked Firefox because "we already have one" in tor browser
(though tor browser currently disables webrtc at compile time, but hey,
nobody said this would be easy).
>
> So, kind of like how meek launches a browser and drives it to do the
domain fronting connection.
This was the idea, I had a conversation with dcf over email about it. Some
key points brought up were:
- Using a headless browser is difficult and meek just moved to using uTLS
for this reason (#29077).
- What you mentioned with the currently disabled WebRTC:
"Omitting WebRTC is a safety measure to avoid IP address leaks; instead
of disabling WebRTC through a runtime configuration option, the Tor
Browser devs have decided not even to compile it."
- WebRTC fingerprintability isn't currently as much of an issue as, for
example, the Firefox TLS fingerprints. There are so many variations in
WebRTC implementations at the moment that fingerprinting is a long way out
So overall, I would say it's still something to consider, but we should
evaluate it along with other options such as #28942 and try to figure out
(esp. since headless Firefox is going away for meek) whether or not it
actually makes our live easier. My understanding is that the "makes our
lives easier" bit is more important at the moment than "stop all
conceivable future fingerprinting attemps" especially since possible
attempts are not well-defined at the moment.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29205#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs