On 19/01/14 15:22, Holger Levsen wrote:
> package: libjs-jssip tags: security
> 
> Hi Daniel,
> 
> thanks for working on usable + secure RTC in the web browser!
> 
> During your presentation at the Paris mini-debconf I just learned
> that your libjs-jssip leaks all networks to the sip server (or
> calling party), which I consider a privacy violation (which has
> been implemented to improve the user experience by allowing the
> application to choose the best network connection).
> 
> Still, if I connect via route $X I expect this software not to leak
> my other routes, which might contain sensitive information.
> 
> In the talk you said it was trivial to comment out these lines, so
> I'm asking you to do this by default and optionally allow it.
> 

I actually did some experiments with this (using a PyRoute script in
the SIP proxy to strip some ICE candidates from the SDP message body).

I found that sometimes the other end of the connection wasn't happy
with the SDP.  Maybe there is something embedded in the STUN ICE check
messages and the peer knows that the SDP has been modified.  I would
need to look more closely at the spec to find out.

I'm CCing the Jitsi dev list, they develop the ice4j ICE library for
Java and may be able to comment on this.  It may also be useful for
Jitsi, Empathy and other softphones to offer a similar feature and if
it is practical, please raise the same bug against those packages.
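
An added example (not code from this thread, from JsSIP or from the proxy script mentioned above) of stripping ICE candidates from an SDP body: it keeps only the candidates belonging to one route and lists every address the SDP still discloses. It also flags the case where the c=/m= default destination no longer matches a remaining candidate, which RFC 5245 treats as an ICE mismatch. The function names and the sample offer are constructed, and a single media stream with only the RTP component is assumed.

```python
# Constructed sample offer (not from the thread): one audio stream, RTP component only.
SAMPLE_SDP = "\r\n".join([
    "v=0", "o=- 1 1 IN IP4 192.168.1.20", "s=-", "t=0 0",
    "m=audio 40000 RTP/AVP 0",
    "c=IN IP4 192.168.1.20",
    "a=candidate:1 1 UDP 2130706431 192.168.1.20 40000 typ host",
    "a=candidate:2 1 UDP 2130706175 10.8.0.5 40002 typ host",
    "a=candidate:3 1 UDP 1694498815 203.0.113.7 50000 typ srflx"
    " raddr 192.168.1.20 rport 40000",
    ""])

def parse_candidate(line):
    """Return (address, port, related address or None) from an a=candidate line."""
    f = line[len("a=candidate:"):].split()
    raddr = f[f.index("raddr") + 1] if "raddr" in f else None
    return f[4], int(f[5]), raddr

def disclosed_addresses(sdp):
    """Every address the SDP reveals: o=, c=, candidate and raddr fields."""
    found = set()
    for line in sdp.splitlines():
        if line.startswith(("o=", "c=")):
            found.add(line.split()[-1].split("/")[0])
        elif line.startswith("a=candidate:"):
            addr, _, raddr = parse_candidate(line)
            found.update(a for a in (addr, raddr) if a)
    return found

def strip_candidates(sdp, route_addrs):
    """Keep only candidates whose address or base (raddr) is in route_addrs.

    Returns (new_sdp, warnings). Warns when the default destination in the
    c=/m= lines no longer matches a remaining candidate (ICE mismatch).
    """
    out, warnings, remaining = [], [], set()
    default_addr = default_port = None
    for line in sdp.splitlines():
        if line.startswith("a=candidate:"):
            addr, port, raddr = parse_candidate(line)
            if addr not in route_addrs and raddr not in route_addrs:
                continue  # candidate belongs to another route: drop it
            remaining.add((addr, port))
        elif line.startswith("m="):
            default_port = int(line.split()[1])
        elif line.startswith("c="):
            default_addr = line.split()[-1].split("/")[0]
        out.append(line)
    if (default_addr, default_port) not in remaining:
        warnings.append(f"default {default_addr}:{default_port} has no matching candidate")
    return "\r\n".join(out) + "\r\n", warnings
```

Filtering on the 10.8.0.5 route in the sample leaves 192.168.1.20 in the o= and c= lines, so dropping candidate lines alone does not remove every disclosed address.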

_______________________________________________
Pkg-javascript-devel mailing list
Pkg-javascript-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel