[tor-bugs] #14836 [Tor Browser]: Can we compile in WebRTC to allow QRCode bridge entry?

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Feb 9 22:00:08 UTC 2015


#14836: Can we compile in WebRTC to allow QRCode bridge entry?
-------------------------------------------------+-------------------------
 Reporter:  mikeperry                            |          Owner:  tbb-
     Type:  task                                 |  team
 Priority:  normal                               |         Status:  new
Component:  Tor Browser                          |      Milestone:
 Keywords:  ff38-esr, tbb-usability-stoppoint-   |        Version:
  wizard                                         |  Actual Points:
Parent ID:                                       |         Points:
-------------------------------------------------+-------------------------
 We should evaluate if we can re-enable the compilation of WebRTC in Tor
 Browser. There are two reasons for this:

 1. Mozilla may remove the WebRTC compile time switch of WebRTC in future
 builds.
 2. Enabling WebRTC at compile time may enable Tor Launcher to make use of
 the WebCam for scanning QRCodes of bridges.

 Mozilla's security team claims that setting media.peerconnection.enabled
 to false will completely disable content access to all WebRTC APIs, which
 should be sufficient for us. However, my review of the FF31 source showed
 that several other things get compiled in to the browser that may or may
 not be directly tied to the peerconnection APIs. For example RTSP and SCTP
 protocol support gets compiled in, and there may be other ways to use
 these protocols elsewhere in the browser. See:
 https://gitweb.torproject.org/tor-browser-
 spec.git/tree/audits/FF31_NETWORK_AUDIT

 FWIW, simple PoC's such as https://diafygi.github.io/webrtc-ips/ fail if
 media.peerconnection.enabled is unset, but again, more investigation is
 needed.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14836>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list