[tor-talk] Please help evaluate WebRTC for Tor Browser safety

Mike Perry mikeperry at torproject.org
Mon Feb 9 22:28:48 UTC 2015

There seems to be a lot of interest in WebRTC Tor safety lately on this
list. The simple https://diafygi.github.io/webrtc-ips/ PoC does not work
against Tor Browser for two reasons:

1. We don't compile in WebRTC at all.
2. We set the pref 'media.peerconnection.enabled' to false.

We would like to change property #1 so that it is easier to support
QRCode-encoded bridge entry and bridge sharing in Tor Launcher
(https://trac.torproject.org/projects/tor/ticket/14837). In my testing,
and according to Mozilla security engineers, it should be safe for us to
compile WebRTC in and set media.peerconnection.enabled to false, but
there may be other vectors to this code that we've all missed to date.

Hence, this is a request to interested parties to try harder to bypass
Tor in a stock Firefox using WebRTC and associated protocols (RTSP,
SCTP) with media.peerconnection.enabled set to false. Again, the
existing PoC fails in this case for me, but we need more in-depth tests.

For more info, see:
https://trac.torproject.org/projects/tor/ticket/14836 and

Mike Perry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20150209/4124222f/attachment.sig>

More information about the tor-talk mailing list