w3c / webrtc-stats

WebRTC Statistics
https://w3c.github.io/webrtc-stats/

Do not expose unknown usernameFragment to stats #789

Open fippo opened 3 days ago

fippo commented 3 days ago

https://github.com/webtorrent/webtorrent/issues/288#issuecomment-2433534469 points out that the remote ICE usernameFragment (added in https://github.com/w3c/webrtc-stats/pull/611) can act as a side channel (and while it is authenticated, it lacks encryption).

In theory one can skip signaling in one direction that way. We should only expose the remote usernameFragment on prflx candidates if it is known by signaling.

alvestrand commented 1 day ago

I think this is an obvious fix, and should be marked "ready for PR".
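
The rule proposed in this thread, sketched as an application-side filter over a stats snapshot. This is an added example, not part of the issue and not any browser's implementation; the function names `signaledUfrags` and `redactUnknownUfrags` are hypothetical, and the SDP fragment and stats entries are constructed.

```javascript
// Added example; function names are hypothetical, sample data is constructed.

// Collect every ICE ufrag the remote side actually sent through signaling:
// a=ice-ufrag lines of the remote SDP plus trickled RTCIceCandidateInit objects.
function signaledUfrags(remoteSdp, trickled = []) {
  const known = new Set();
  for (const line of remoteSdp.split(/\r?\n/)) {
    const m = /^a=ice-ufrag:(\S+)/.exec(line);
    if (m) known.add(m[1]);
  }
  for (const c of trickled) {
    if (c && c.usernameFragment) known.add(c.usernameFragment);
  }
  return known;
}

// Drop usernameFragment from peer-reflexive remote candidates whose ufrag
// was never signaled; all other stats entries pass through unchanged.
function redactUnknownUfrags(entries, known) {
  return entries.map((s) => {
    const prflxRemote = s.type === 'remote-candidate' && s.candidateType === 'prflx';
    if (!prflxRemote || !('usernameFragment' in s) || known.has(s.usernameFragment)) {
      return s;
    }
    const { usernameFragment, ...rest } = s; // strip the unsignaled value
    return rest;
  });
}

// Constructed sample: remote SDP fragment and a stats snapshot as plain objects.
const SAMPLE_SDP = [
  'v=0',
  'a=ice-ufrag:Yx3k',
  'a=ice-pwd:constructedpasswordvalue0000',
].join('\r\n');

const SAMPLE_STATS = [
  { id: 'RC1', type: 'remote-candidate', candidateType: 'host', usernameFragment: 'Yx3k' },
  { id: 'RC2', type: 'remote-candidate', candidateType: 'prflx', usernameFragment: 'Yx3k' },
  { id: 'RC3', type: 'remote-candidate', candidateType: 'prflx', usernameFragment: 'zzUNSIGNALED' },
  { id: 'LC1', type: 'local-candidate', candidateType: 'host', usernameFragment: 'loc1' },
];

const filtered = redactUnknownUfrags(SAMPLE_STATS, signaledUfrags(SAMPLE_SDP));
console.log(filtered.filter((s) => 'usernameFragment' in s).map((s) => s.id));
```

With a real `RTCStatsReport`, the entries would be passed as `[...report.values()]`, and the known set should also include ufrags from any pending remote description during an ICE restart.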