There seems to be a lot of interest in WebRTC Tor safety lately on this list.

The simple https://diafygi.github.io/webrtc-ips/ PoC does not work against Tor Browser for two reasons:

1. We don't compile in WebRTC at all.
2. We set the pref 'media.peerconnection.enabled' to false.

We would like to change property #1 so that it is easier to support QRCode-encoded bridge entry and bridge sharing in Tor Launcher (https://trac.torproject.org/projects/tor/ticket/14837).

In my testing, and according to Mozilla security engineers, it should be safe for us to compile WebRTC in and set media.peerconnection.enabled to false, but there may be other vectors to this code that we've all missed to date.

Hence, this is a request to interested parties to try harder to bypass Tor in a stock Firefox using WebRTC and associated protocols (RTSP, SCTP) with media.peerconnection.enabled set to false. Again, the existing PoC fails in this case for me, but we need more in-depth tests.

For more info, see:
https://trac.torproject.org/projects/tor/ticket/14836
and
https://gitweb.torproject.org/tor-browser-spec.git/tree/audits/FF31_NETWORK_AUDIT

--
Mike Perry
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
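
A check for the configuration described in the message, as an added example that is not part of the original post and is not Tor Browser code: it lists which WebRTC globals a page-visible scope exposes, so a build with WebRTC compiled in and media.peerconnection.enabled set to false can be compared against one without it. The name list, the pass criterion and the sample globals are assumptions constructed for illustration.

```javascript
// Added example, not Tor Browser code. The name list is an assumption:
// standard and vendor-prefixed WebRTC globals a page script could reach.
const RTC_GLOBALS = [
  "RTCPeerConnection", "mozRTCPeerConnection", "webkitRTCPeerConnection",
  "RTCSessionDescription", "mozRTCSessionDescription",
  "RTCIceCandidate", "mozRTCIceCandidate",
];

// Report which WebRTC entry points `globalObj` (a window, frame or worker
// global) exposes, and which peer-connection constructors actually work.
function auditWebRTCExposure(globalObj) {
  const exposed = RTC_GLOBALS.filter((n) => typeof globalObj[n] === "function");
  const constructible = [];
  for (const name of exposed.filter((n) => n.endsWith("PeerConnection"))) {
    try {
      // Constructor check only: no ICE servers, no offer, nothing gathered.
      const pc = new globalObj[name]({ iceServers: [] });
      if (pc && typeof pc.close === "function") pc.close();
      constructible.push(name);
    } catch (err) {
      // Present but unusable; still listed in `exposed`.
    }
  }
  // Hypothetical pass criterion: no peer-connection constructor is reachable.
  const pass = !exposed.some((n) => n.endsWith("PeerConnection"));
  return { exposed, constructible, pass };
}

// Constructed sample globals standing in for three browser states.
class FakePeerConnection { constructor(cfg) { this.cfg = cfg; } close() {} }
const sampleGlobals = {
  hidden: {},
  enabled: { RTCPeerConnection: FakePeerConnection,
             mozRTCPeerConnection: FakePeerConnection,
             RTCIceCandidate: function () {} },
  throwing: { RTCPeerConnection: function () { throw new Error("disabled"); } },
};

for (const [label, g] of Object.entries(sampleGlobals)) {
  console.log(label, JSON.stringify(auditWebRTCExposure(g)));
}
```

In a browser, call `auditWebRTCExposure(window)` from a test page, and repeat it inside frames and workers, passing each one's own global.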