mumble-voip / mumble

Mumble is an open-source, low-latency, high quality voice chat software.
https://www.mumble.info

mumble user info leaks? #1814

Closed ioerror closed 8 years ago

ioerror commented 9 years ago

I've noticed that mumble will report details to an unknown client - or one which does not have the server password.

Specifically, I was able to see the number of users on a server as well as the server version number.

Shouldn't that information only be disclosed post-auth?

ioerror commented 9 years ago

In this case, I've seen this on a server running 1.2.10 and it reported 2/100 users.

ghost commented 9 years ago

This behaviour is acceptable, even for non-authenticated users.

If you don't want your server to disclose such information, set the allowping configuration setting to false.

> Shouldn't that information only be disclosed post-auth?

Some users like to be able to see which of their favourite servers are currently populated, without having to connect to each one. The disclosure of such information via the pings makes the implementation easier.

ioerror commented 9 years ago

This doesn't make sense - they did the connection - that is how they received the information. It seems that it should only be available to people with the authentication token. If allowping is set to false, doesn't that mean that even post-auth, it would be disabled?

ghost commented 9 years ago

The information that is visible in the server browser is obtained via a UDP ping (its protocol is described here). This is where you are seeing the information, correct? This information is provided outside of the regular Mumble protocol, meaning (a) it's not encrypted, and (b) the server does not do any authentication before replying.

> If allowping is set to false, doesn't that mean that even post-auth, it would be disabled?

Correct, but if you are already connected to the server using the standard TCP connection, there would be no reason to query the information using a different channel.
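The UDP ping exchange bontibon describes above, as an added example that is not code from this thread or from the Mumble project: it builds the 12-byte ping, parses the 24-byte reply, and gives a server operator a quick way to confirm that `allowping=false` really silences the UDP channel (a timeout instead of a reply). The packet layout follows the protocol documentation the thread links to; the host, port and the sample reply are constructed for illustration.

```python
import os
import socket
import struct

# Mumble UDP ping layout (per the protocol docs linked in the thread):
#   request  = uint32 type (always 0) + 8-byte random identifier
#   reply    = uint32 version + identifier echoed back +
#              uint32 connected users + uint32 max users + uint32 bandwidth (bit/s)
# All fields are big-endian.
PING_REQUEST_FMT = ">IQ"
PING_RESPONSE_FMT = ">IQIII"


def build_ping(ident: int) -> bytes:
    """Build the 12-byte ping request carrying our random identifier."""
    return struct.pack(PING_REQUEST_FMT, 0, ident)


def parse_ping_reply(data: bytes, ident: int) -> dict:
    """Decode a 24-byte reply; reject wrong sizes and identifiers not ours."""
    if len(data) != struct.calcsize(PING_RESPONSE_FMT):
        raise ValueError(f"unexpected reply length {len(data)}")
    version, echoed, users, max_users, bandwidth = struct.unpack(PING_RESPONSE_FMT, data)
    if echoed != ident:
        raise ValueError("identifier mismatch: reply is not for our request")
    # version is packed as 0.major.minor.patch in the four bytes
    major, minor, patch = (version >> 16) & 0xFF, (version >> 8) & 0xFF, version & 0xFF
    return {"version": f"{major}.{minor}.{patch}", "users": users,
            "max_users": max_users, "bandwidth": bandwidth}


def probe(host: str, port: int = 64738, timeout: float = 2.0):
    """Ping your own server; None means it stayed silent (allowping=false)."""
    ident = int.from_bytes(os.urandom(8), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_ping(ident), (host, port))
        try:
            data, _ = sock.recvfrom(64)
        except socket.timeout:
            return None
    return parse_ping_reply(data, ident)


# Constructed sample reply: version 1.2.10, 2 of 100 users, 72000 bit/s.
SAMPLE_IDENT = 0x0123456789ABCDEF
SAMPLE_REPLY = struct.pack(PING_RESPONSE_FMT, (1 << 16) | (2 << 8) | 10,
                           SAMPLE_IDENT, 2, 100, 72000)

if __name__ == "__main__":
    print(parse_ping_reply(SAMPLE_REPLY, SAMPLE_IDENT))
```

Run `probe("your.server.example", 64738)` against a server you operate: a dict back means the UDP channel still answers unauthenticated pings; `None` means `allowping=false` is in effect.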

ioerror commented 9 years ago

On 9/17/15, Tim Cooper notifications@github.com wrote:

> The information that is visible in the server browser is obtained via a UDP ping (its protocol is described here). This is where you are seeing the information, correct?

I used the Debian GNU/Linux client and hovered over a server in my "favorite" list of servers. It could be that this data was gathered with such a packet.

> This information is provided outside of the regular Mumble protocol, meaning (a) it's not encrypted, and (b) the server does not do any authentication before replying.

Yowza. OK - that is unexpected.

> If allowping is set to false, doesn't that mean that even post-auth, it would be disabled?

> Correct, but if you are already connected to the server using the standard TCP connection, there would be no reason to query the information using a different channel.

Ok - so then the allowping disables the information on the UDP channel but effectively all the same information would be given to a TCP client?

ghost commented 9 years ago

> I used the Debian GNU/Linux client and hovered over a server in my "favorite" list of servers. It could be that this data was gathered with such a packet.

Yup, that's how it's done.

> Ok - so then the allowping disables the information on the UDP channel but effectively all the same information would be given to a TCP client?

Yes.

hacst commented 9 years ago

I don't think number of users is visible to an unauthenticated user. The version is exchanged before the explicit authentication though as it's important for backwards compatibility to do that as early as possible.

In case you haven't seen it yet you can find our (unfinished) protocol description on: https://mumble-protocol.readthedocs.org

ioerror commented 9 years ago

On 9/17/15, Stefan Hacker notifications@github.com wrote:

> I don't think number of users is visible to an unauthenticated user. The version is exchanged before the explicit authentication though as it's important for backwards compatibility to do that as early as possible.

I certainly see the number of users.

> In case you haven't seen it yet you can find our (unfinished) protocol description on: https://mumble-protocol.readthedocs.org

I've seen this document - it is helpful, thanks.

hacst commented 9 years ago

Well. I meant visible through the control channel protocol. Having it be part of the UDP ping outside of the normal protocol is - as bontibon said - a feature and can be switched off if that information is sensitive to you.

Kissaki commented 8 years ago

Does disabling allowping solve this for you?