[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #14836 [Tor Browser]: Can we compile in WebRTC to allow QRCode bridge entry?
#14836: Can we compile in WebRTC to allow QRCode bridge entry?
-----------------------------+----------------------
Reporter: mikeperry | Owner: tbb-team
Type: task | Status: new
Priority: normal | Milestone:
Component: Tor Browser | Version:
Resolution: | Keywords: ff38-esr
Actual Points: | Parent ID:
Points: |
-----------------------------+----------------------
Changes (by mikeperry):
* keywords: ff38-esr, tbb-usability-stoppoint-wizard => ff38-esr
Old description:
> We should evaluate if we can re-enable the compilation of WebRTC in Tor
> Browser. There are two reasons for this:
>
> 1. Mozilla may remove the WebRTC compile time switch of WebRTC in future
> builds.
> 2. Enabling WebRTC at compile time may enable Tor Launcher to make use of
> the WebCam for scanning QRCodes of bridges.
>
> Mozilla's security team claims that setting media.peerconnection.enabled
> to false will completely disable content access to all WebRTC APIs, which
> should be sufficient for us. However, my review of the FF31 source showed
> that several other things get compiled in to the browser that may or may
> not be directly tied to the peerconnection APIs. For example RTSP and
> SCTP protocol support gets compiled in, and there may be other ways to
> use these protocols elsewhere in the browser. See:
> https://gitweb.torproject.org/tor-browser-
> spec.git/tree/audits/FF31_NETWORK_AUDIT
>
> FWIW, simple PoC's such as https://diafygi.github.io/webrtc-ips/ fail if
> media.peerconnection.enabled is unset, but again, more investigation is
> needed.
New description:
We should evaluate if we can re-enable the compilation of WebRTC in Tor
Browser. There are two reasons for this:
1. Mozilla may remove the WebRTC compile time switch of WebRTC in future
builds.
2. Enabling WebRTC at compile time may enable Tor Launcher to make use of
the WebCam for scanning QRCodes of bridges (see #14837).
Mozilla's security team claims that setting media.peerconnection.enabled
to false will completely disable content access to all WebRTC APIs, which
should be sufficient for us. However, my review of the FF31 source showed
that several other things get compiled in to the browser that may or may
not be directly tied to the peerconnection APIs. For example RTSP and SCTP
protocol support gets compiled in, and there may be other ways to use
these protocols elsewhere in the browser. See:
https://gitweb.torproject.org/tor-browser-
spec.git/tree/audits/FF31_NETWORK_AUDIT
FWIW, simple PoC's such as https://diafygi.github.io/webrtc-ips/ fail if
media.peerconnection.enabled is unset, but again, more investigation is
needed.
--
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14836#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs