RTC@Scale 2024 – an event summary
RTC@Scale is Facebook’s virtual WebRTC event, covering current and future topics. Here’s the summary for RTC@Scale 2024 so you can pick and choose the relevant ones for you.
Read MoreWebRTC has been mentioned with regards to the New York Times. It isn't about an article covering it - or a new video chat service they now offer.
I was greeted this weekend by this interesting tweet:
I haven't been able to confirm it - didn't find the culprit code piece in the several minutes I searched for it, but it may well be genuine.
The New York Times may well be using WebRTC to (gasp) find your private IP address.
In the WebRTC Forum on Facebook, a short exchange took place between Cullen Jennings (Cisco) and Michael Jerris (FreeSWITCH):
Cullen: I've been watching this for months now - Google adds served on slash dot for example and many other sites do this. I don't think it is to exactly get the local ip. I agree they get that but I think there is more interesting things gathered as straight up fingerprinting.
Michael: local ip doesn't seem that useful for marketers except as a user fingerprinting tool. They already have your public ip, this helps them differentiate between people behind nat. it's a bit icky but not such a big deal. This issue blows up again when someone starts using it maliciously, which I'm sure will happen soon enough. I don't get why exactly we don't just prompt for this the same way we do camera and mic, it wouldn't be a huge deal to work that into the spec. That being said, I don't think it's actually as big of a deal as it has been made either
Cullen: It's not exactly clear to me exactly how one uses this maliciously. I can tell you most peoples IP address right now 192.168.0.1 and knowing that a large percentage of the world has that local IP does directly help you hack much. To me the key things is browsers need to not allow network connections to random stuff inside the firewall that is not prepared to talk to a browser. I think the browser vendors are very aware of this and doing the righ thting.
My local IP address is 10.0.0.1 which is also quite popular.
In recent months, we've seen a lot of FUD going on about WebRTC and the fact that it leaks local IP addresses. I've been struggling myself in trying to understand what the fuss is. It does seem bad, a web page knowing too much about me. But how is that hurting me in any way? I am not a security expert, so I can't really say, but I do believe the noise levels around this topic are higher than they should be.
When coming to analyze this, there are a couple of things to remember:
One thing is clear. WebRTC has a lot more uses than its original intended capability of simply connecting a call.
RTC@Scale is Facebook’s virtual WebRTC event, covering current and future topics. Here’s the summary for RTC@Scale 2024 so you can pick and choose the relevant ones for you.
Read MoreNeed WebRTC recording in your application? Check out the various requirements and architectural decisions you’ll have to make when implementing it.
Read More