Media/WebRTC/Privacy

From MozillaWiki
< Media‎ | WebRTC
Jump to: navigation, search

This page gathers information related to privacy in WebRTC. This is a Work-In-Progress and more categories need to be added.

Note: this page is for documenting options, not for discussion.

Address leakage and VPNs

Prefs that control ICE Candidate generation

All of these can be set from about:config, or controlled via an extension

  • media.peerconnection.ice.force_interface -- string (default "") -- interface name to match for ICE (Firefox 43, uplifted to 42, requested for 41) -- bug 1189040
    • If set, and there is no interface that matches exactly, NO candidates will be generated
    • If set and there is a match, that interface will be used solely for ICE. Local (LAN) and external IP addresses for that interface will be used for ICE candidates. This can be pointed at a single external interface to hide/ignore internal (VM) interfaces, unconnected interfaces or VPNs (e.g. work VPNs). It can also be set to a VPN interface, and then ICE will only use the VPN (and if the VPN is down, ICE will fail).
  • media.peerconnection.ice.relay_only - boolean (default false) -- only generate relay (TURN) candidates for ICE (Firefox 42) -- bug 1189030
    • This can be used to block all local (LAN) and external IP addresses from being generated as candidates.
    • An example use-case would be avoiding exposing your external IP address to a caller (such as when avoiding disclosing you're in town Xxxxx when having a call with someone you have a protection order against; roughly the equivalent of blocking outgoing caller-id on the PSTN bug *-whatever)
    • NOTE: does not hide your external IP address from the TURN server itself (see use_document_iceservers and default_iceservers to restrict to a TURN of your choice).
  • media.peerconnection.use_document_iceservers -- boolean (default true) -- use STUN/TURN servers provided by the page (all recent Firefox versions)
    • If set to false and media.peerconnection.default_iceservers is set to the server(s) you want to use, only those servers will be used, and no server provided by the page will be used.
    • This can be useful for corporate 'gateway' TURN servers, or for a TURN server hosted by a VPN provider.
  • media.peerconnection.ice.default_address_only -- boolean (default false) -- limit ICE candidates to the default interface only (Firefox 43, uplifted to 42) -- bug 1189041
    • The default interface used for general routing is identified and only that address is used for candidate generation
    • LAN IP addresses are not generated, the external IP address for that interface is (for a VPN, the exit portal of the VPN)
    • If your router does not support 'hairpinning', a within-LAN call will end up being routed through an external TURN server
  • media.peerconnection.ice.no_host -- boolean (default false) -- eliminate all local addresses from the candidates (Firefox 51) -- bug 1297416
  • media.peerconnection.enabled -- boolean (default true) -- enables/disabled ability to create RTCPeerConnection objects (all recent Firefox versions)

For easier comparison of the different options:

Pref Local candidates External candidates Relay candidates No candidates Interfaces gathered
force_interface Yes Yes Yes If pointing to non-existing interface Only the configured interface
relay_only No No Yes If no TURN server is provided All interfaces will be used to try to connect to the relay
use_document_iceservers Yes Yes Yes N/A All interfaces will be used to try to connect to the relay
default_address_only Yes Yes Yes N/A Only the interface with the default route
no_host No Yes Yes N/A All interfaces will be used
peerconnection.enabled No No No Always N/A

Note 1: the comments in the table assume that the pref in each row has been altered from its default value.
Note 2: 'External candidates = Yes' always requires a STUN server to be configured.
Note 3: 'Relay candidate = Yes' always a TURN server to be configured.

Hooks to control access to createOffer/createAnswer

Firefox 43 (uplifted to 42) supports hooks that allow an extension to allow or deny calls to createOffer and createAnswer -- bug 1189060

  // Add-ons can override stock permission behavior by doing:
  //
  //   var stockObserve = WebrtcUI.observe;
  //
  //   webrtcUI.observe = function(aSubject, aTopic, aData) {
  //     switch (aTopic) {
  //      case "PeerConnection:request": {
  //        // new code.
  //        break;
  //      ...
  //      default:
  //        return stockObserve.call(this, aSubject, aTopic, aData);
  //
  // See browser/modules/webrtcUI.jsm for detail

Example extension: http://hancke.name/tmp/verhueterli.xpi (source: https://github.com/fippo/plumber). Note: unsigned extensions require flipping a pref to use (and can't be used in Beta 41).