[tor-bugs] #29205 [Obfuscation/Snowflake]: Look into using Firefox for the WebRTC implementation

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Mar 2 14:37:39 UTC 2019 

#29205: Look into using Firefox for the WebRTC implementation
-----------------------------------+---------------------------
 Reporter:  cohosh                 |          Owner:  (none)
     Type:  task                   |         Status:  new
 Priority:  Medium                 |      Milestone:
Component:  Obfuscation/Snowflake  |        Version:
 Severity:  Normal                 |     Resolution:
 Keywords:                         |  Actual Points:
Parent ID:                         |         Points:
 Reviewer:                         |        Sponsor:  Sponsor19
-----------------------------------+---------------------------

Comment (by cohosh):

 Replying to [comment:5 arma]:
 > I had thought the idea here was to drive an actual firefox to talk
 webrtc to the snowflakes. That way Tor users would be talking webrtc just
 like firefox, because it *would* be firefox. Rather than linking in a
 library and trying to call it in the same ways that Firefox calls it (and
 react to errors and network conditions etc in the same way that Firefox
 reacts).
 >
 > And we picked Firefox because "we already have one" in tor browser
 (though tor browser currently disables webrtc at compile time, but hey,
 nobody said this would be easy).
 >
 > So, kind of like how meek launches a browser and drives it to do the
 domain fronting connection.

 This was the idea, I had a conversation with dcf over email about it. Some
 key points brought up were:

 - Using a headless browser is difficult and meek just moved to using uTLS
 for this reason (#29077).

 - What you mentioned with the currently disabled WebRTC:

  "Omitting WebRTC is a safety measure to avoid IP address leaks; instead
  of disabling WebRTC through a runtime configuration option, the Tor
  Browser devs have decided not even to compile it."

 - WebRTC fingerprintability isn't currently as much of an issue as, for
 example, the Firefox TLS fingerprints. There are so many variations in
 WebRTC implementations at the moment that fingerprinting is a long way out

 So overall, I would say it's still something to consider, but we should
 evaluate it along with other options such as #28942 and try to figure out
 (esp. since headless Firefox is going away for meek) whether or not it
 actually makes our live easier. My understanding is that the "makes our
 lives easier" bit is more important at the moment than "stop all
 conceivable future fingerprinting attemps" especially since possible
 attempts are not well-defined at the moment.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29205#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list