WebRTC

 

I think it was Firefox 34 that introduced a new feature - Hello.

Hello is a sort of audio + video instant messaging / chat facility, and on Firefox 36 and 37 it is accessed through a new smiley icon on the toolbar.

Hello is based on WebRTC, or Web Real Time Communications - this originally was developed as a peer-to-peer chat facility, but it suffers from the same type of problem that other sorts of messaging technologies suffer from - firewalls and NAT break it, because they stop unsolicited incoming initiation traffic.

As a response to this, WebRTC is evolving to use techniques known as ICE, STUN, and TURN - and this involves the use of STUN and TURN servers, so really, WebRTC is becoming a server based system, rather than a pure peer-to-peer system.

Another characteristic of WebRTC is that it is being built into browsers - so rather than having a separate WebRTC client, you just use your browser - I believe that so far the newest versions of Firefox, Opera, and Chrome are WebRTC enabled.

Now of course the browser producers are aware of the fact that firewalls break WebRTC, so one of the solutions that they are now adopting is to hack a hole through the firewall if they can - and of course on Windows computers, whilst the Windows Firewall may do quite a good job of blocking unsolicited incoming traffic if it is set up to do it, it suffers from a major weakness, in that not only users, but also application installers, can cut holes through the firewall.

So the installation of Firefox 34, 35, 36, 37 will cut a hole through the firewall for itself.

Now if you look at the rules that Firefox creates that cut various holes through the firewall, you find that

and if you dig a little deeper into the settings for the rules

So whilst you are running Firefox - your firewall does not block anything.

Nothing.

You might as well switch it off.

The installer for Firefox 36 applies these rules to both the Public Profile, and to the Private profile.

There has been a bit of a discussion on one or two forums about this, and its effect on security, and I think that the installer for Firefox 37 only applies these rules to the Private profile.

The rules for Opera are just the same, but on the version of Opera which I installed some time ago, they were only applied to the Private profile.

I deleted the rules for Chrome a while ago, so can't tell you what is in them, or how they are applied, but it is a fair bet they are going to be somewhat the same.

However do bear in mind that if you want to use Hello, or WebRTC, across the internet, or across different networks, then the rules will have to exist in the Public profile.

 

Things you can do

If you are concerned about this, there are a couple of things you can do.

First of all, you can disable Hello - go to the "about:config" menu, and set the entry for "media.peerconnection.enabled" to false.

Then go to Control Panel / Windows Firewall - click on Advanced Settings, and have a look at the Inbound Rules - firewall rules that are enabled are highlighted with a tick in a green circle, so they are easy to see.

Disable the ones you don't want.

You probably will not find any, but you can also have a look in Outbound Rules.

Alternatively, go to "Allow a program or feature through Windows Firewall", and untick any programmes that you don't want to have holes through the firewall.

You will need to have administrator rights to make changes to the firewall.
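The same review of the Inbound Rules can be done from PowerShell. This is an added example, not part of the original page; it assumes Windows 8 or later (where the NetSecurity cmdlets exist), and the executable names in the list are assumptions to be edited for the browsers actually installed.

```powershell
# Added example, not from the original page.
# Assumes the NetSecurity module (Windows 8 / Server 2012 or later).
# Executable names are assumptions; edit to match what is installed.
$BrowserExes = 'firefox.exe', 'opera.exe', 'chrome.exe'

function Get-BrowserInboundRule {
    param([string[]]$ExeNames = $BrowserExes)

    # Only rules that are switched on and that allow traffic in.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $rule = $_
            $app  = $rule | Get-NetFirewallApplicationFilter
            $exe  = [System.IO.Path]::GetFileName([string]$app.Program)
            if ($ExeNames -notcontains $exe) { return }

            $port = $rule | Get-NetFirewallPortFilter
            $addr = $rule | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Name          = $rule.Name
                DisplayName   = $rule.DisplayName
                Profile       = [string]$rule.Profile
                Program       = $app.Program
                Protocol      = $port.Protocol
                LocalPort     = $port.LocalPort -join ','
                RemoteAddress = $addr.RemoteAddress -join ','
                # 'Any' covers every profile, so it includes Public.
                OnPublic      = [string]$rule.Profile -match 'Public|Any'
            }
        }
}

$found = @(Get-BrowserInboundRule)
$found | Format-Table DisplayName, Profile, Protocol, LocalPort, RemoteAddress, OnPublic -AutoSize

# Dry run: shows which Public-profile rules would be disabled.
# Remove -WhatIf (from an elevated prompt) to actually disable them.
$found | Where-Object OnPublic |
    ForEach-Object { Disable-NetFirewallRule -Name $_.Name -WhatIf }
```

The Profile, LocalPort and RemoteAddress columns show how wide each rule is, which is the detail that decides whether it matters on a public network.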

Another thing that is worth knowing is that like web storage, WebRTC needs JavaScript to be enabled for it to work.

However do remember that whether or not you disable WebRTC within the browser, once the installer has cut the holes in the firewall, they will stay there.

 

Opera and Chrome

There doesn't seem to be any consistency in the views expressed on the internet about whether you can disable WebRTC in Opera and Chrome.

Opera itself doesn't have the facility, however some people say that you can download a plug-in that lets you use Chrome plug-ins on Opera, then you can use a Chrome plug-in to block WebRTC.

However others say it doesn't work.

It also seems to be quite doubtful if the Chrome plug-in to block WebRTC actually works on Chrome either.

Again, do remember that once the installers for Opera or Chrome have cut the holes in the firewall, it doesn't matter what changes you make to Opera or Chrome, the holes are still there.

 

Another security issue

Something else that is emerging is that WebRTC can leak out real IP addresses, even if you are hiding behind NAT, and using a VPN.

 

Paranoia sets in

Now that would be that, but if you want, you can let a bit of paranoia set in - because I began to think about some other things that have been happening.

First of all, Yahoo has recently been doing a bit of a publicity exercise by telling everybody about a fight it had with various US government security agencies a couple of years ago about them getting access to data on the Yahoo servers - Yahoo hosts millions and millions of email accounts, so the Yahoo servers would be a rich source of data for government agencies to get a hold of. So Yahoo are trying to sell themselves as the good guys fighting off the bad guys, the government agencies.

But at the same time, Yahoo is trying to introduce a two stage single factor form of authentication for logging into Yahoo accounts.

Instead of using a password, users register a mobile phone number with Yahoo, then when they want to login to their Yahoo account, they start the process from their browser, Yahoo sends a one-time password in a text message to their mobile phone, the user puts the one-time password into their browser, and they are logged in.

It is a process that has been widely condemned in the security world, as it is single factor, and now whoever is holding your mobile phone has access to your account.

So now there is another reason for being very suspicious of it all - it is well known that inquisitive government agencies are monitoring all mobile phone traffic - and even if they only have access to the metadata, it doesn't matter.

Because as soon as Yahoo sends that text message with the one-time password, the government agency can pick up the fact that the text has been sent, they know that means that the user has their browser open, and if that browser installation has cut holes through the firewall, their computer is wide open.

The one thing I haven't worked out is how they know which IP address to attack.

Maybe they are working on the basis that soon enough most Windows computers will be running a WebRTC enabled browser and will have holes through their firewalls, so they can just walk in when it suits them - Firefox, Opera, and Chrome cover 85% of the global browser market.

And you can be absolutely certain that where governments create holes, the hackers will start using them as well.

Just in closing - is it just a coincidence that Mozilla recently stopped getting funding from Google, and now gets it from Yahoo?

 

 

 

 

 


 

© 2024   Ron Turner

 
