[jitsi-dev] [Pkg-javascript-devel] Bug#736077: dont leak private network information (at least not by default)


#1

I actually did some experiments with this (using a PyRoute script in
the SIP proxy to strip some ICE candidates from the SDP message body).

I found that sometimes the other end of the connection wasn't happy
with the SDP. Maybe there is something embedded in the STUN ICE check
messages and the peer knows that the SDP has been modified. I would
need to look more closely at the spec to find out.

I'm CCing the Jitsi dev list, they develop the ice4j ICE library for
Java and may be able to comment on this. It may also be useful for
Jitsi, Empathy and other softphones to offer a similar feature and if
it is practical, please raise the same bug against those packages.

On 19/01/14 15:22, Holger Levsen wrote:

package: libjs-jssip
tags: security

Hi Daniel,

thanks for working on usable + secure RTC in the web browser!

During your presentation at the Paris mini-debconf I just learned
that your libjs-jssip leaks all networks to the sip server (or
calling party), which I consider a privacy violation (which has
been implemented to improve the user experience by allowing the
application to choose the best network connection).

Still, if I connect via route $X I expect this software not to leak
my other routes, which might contain sensitive information.

In the talk you said it was trivial to comment out these lines, so
I'm asking you to do this by default and optionally allow it.
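
The candidate stripping discussed in this thread, as an added example that is not code from JsSIP, ice4j or either poster. It assumes the filter runs on the SDP text before it leaves the client rather than in the proxy, and it goes slightly beyond dropping candidates by also masking the raddr/rport fields of reflexive candidates, which repeat the private base address. The function names and the sample SDP are constructed for illustration.

```javascript
// Added example; isPrivateAddress and stripPrivateCandidates are hypothetical
// helper names, not part of JsSIP or ice4j.
function isPrivateAddress(addr) {
  const a = addr.toLowerCase();
  if (a.includes(':')) {
    // IPv6: loopback, link-local fe80::/10, unique-local fc00::/7
    return a === '::1' || /^fe[89ab][0-9a-f]:/.test(a) || /^f[cd][0-9a-f]{2}:/.test(a);
  }
  // Anything that is not an IPv4 literal is treated as revealing (conservative choice)
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(a)) return true;
  const o = a.split('.').map(Number);
  return o[0] === 10 || o[0] === 127 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) ||
    (o[0] === 169 && o[1] === 254);
}

function stripPrivateCandidates(sdp) {
  const kept = [];
  const removed = [];
  for (const line of sdp.split(/\r?\n/)) {
    // a=candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
    const m = /^a=candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)/.exec(line);
    if (!m) { kept.push(line); continue; }
    const [, addr, type] = m;
    if (type === 'host' && isPrivateAddress(addr)) { removed.push(addr); continue; }
    // srflx/relay candidates repeat the private base address in raddr/rport: mask it
    kept.push(line.replace(/ raddr (\S+) rport \d+/, (all, raddr) =>
      isPrivateAddress(raddr) ? ` raddr ${addr.includes(':') ? '::' : '0.0.0.0'} rport 9` : all));
  }
  return { sdp: kept.join('\r\n'), removed };
}

// Constructed sample SDP (private-range and documentation addresses only)
const SAMPLE_SDP = [
  'v=0', 'o=- 1 1 IN IP4 0.0.0.0', 's=-', 't=0 0',
  'm=audio 9 RTP/SAVPF 0', 'c=IN IP4 0.0.0.0',
  'a=candidate:1 1 udp 2113937151 192.168.1.20 54400 typ host',
  'a=candidate:2 1 udp 2113937151 10.8.0.6 54401 typ host',
  'a=candidate:3 1 udp 1677729535 203.0.113.7 61000 typ srflx raddr 192.168.1.20 rport 54400',
  'a=candidate:4 1 udp 2113937151 fd00:1234::5 54402 typ host',
].join('\r\n');

const result = stripPrivateCandidates(SAMPLE_SDP);
console.log('removed:', result.removed);
console.log(result.sdp);
```

The filter only rewrites what is advertised in the SDP; it does not change which local interfaces the ICE agent itself uses for connectivity checks.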