WebRTC Copy – OTR and fast file transfers over WebRTC
rtccopy.comThe problem with sites like these are that you have to trust the site owner to not just add some javascript to the page which breaks the security of your conversation.
Except this site is worse, because they also let their third party user tracking provider run arbitrary script on every page too.
Nice as a demo of technology though.
I've been saying the same thing every time I encounter one of these articles (maybe I'll blog about it and just link people to it):
The best way to do encrypted WebRTC transfers is to have the whole app in a single page, using as little code as possible (so it is easily auditable). NoScript/etc won't do much when you have to trust the author and can't audit it. People should be able to download the page from the GitHub repo (or wherever) and store it wherever they want. The page will generate a random URL that also contains a secret key (e.g. http://www.myservice.com/somerandomid/#98h9g78g2188t7231gy34...), which you can share with the receipient.
Since the URL fragment is never transmitted to the server, it is private. The WebRTC service can encrypt the content appropriately and send it to the recipient, where it will be decrypted. Voila, encrypted p2p file transfers without having to download anything.
Thanks for the feedback.
In defense of this implementation -
- The only external JS loaded on this site is google analytics. Feel free to block this using something like noscript :)
- WebRTC datachannel connections on this site don't use just (optionally) OTR. They have DTLS enabled within the browser. OTR just adds an authentication layer that DLTS currently lacks. So that even if the OTR implementation here was completely compromised, the only possible attack would still be a MiTM on the DTLS channel.
- It's open source (https://github.com/erbbysam/webRTCCopy), so it's available to be hosted elsewhere and all of the libraries used could be re-downloaded.
-Sam
Does Google now have a log that I visited:
And if somebody else had visited that same room, would they have a log of that too?
It looks like this is leaking the room name to Google Analytics. After thinking about this more, I'm going to go ahead and remove that. I should be able to monitor the server itself to make sure it isn't getting overloaded.
Even if Google weren't currently sucking up this information, it would still have been a wise decision to remove it. They can change their JavaScript at any point without you noticing and start logging it. Malicious intent not required.
Are you hosting the site through Github Pages?
No, I currently just manually keep the site in sync with the repository. Not exactly the most professional system but it got the job done. I'm going to look into that(not sure exactly how it works, but I do need to keep a node.js server running as well for webrtc negotiation) , as well as potentially just installing git on the server and have it sync up to the repository.
Great!
If your concern is the security of 3rd party JS you should already be using NoSript/ScriptSafe [1]. Keep same-domain policy as safe and 3rd party domains blocked and opt-in only by default.
The day-to-day UX experience of browsing the web is only minimally affected and significantly safer.
Better than adblock.
If your concern is the host operator, well obv can't circumvent that. Unless you use OSS chrome plugins and client code verifications (ala CryptoCat). But that's also an imperfect solution (cue tptacek).
[1] https://chrome.google.com/webstore/detail/scriptsafe/oiigbmn...
I already use RequestPolicy and NoScript.
My concern was that he made the security/privacy worse than it needed to be, for other people, by including Google Analytics on the page.
He has now stated that he's seen that the room name is in fact being leaked to Google Analytics, and so has removed it. But even if he hadn't seen this, you still shouldn't include any third party hosted scripts on pages like these because you've no idea if/when they'll change in a manner which compromises security/privacy in future. No malicious intent required.
If your concern is the host operator, well obv can't circumvent that.
Of course we can circumvent that. Make a plugin to alert the user whenever the JS changes.
What do you base your initial known good JS on though? What is the user supposed to do with the information that the JS has changed? A diff of minified JS isn't that helpful.
The author would say "the current version is 0.6.4 and its JS hashes to this SHA256 hash: xxx"
Open source already does this for binaries. Why not JS?
This assumes it's even possible to get a consistent hash of all javascript executing on a page, though.
Script on a site like this should not be minified. It should be easily readable and well commented, so that people can audit it properly.
The problem with sites like this is that readers such as mike-cardwell are not cool enough to download the sources themselves and host it where they trust it.
I run my own federated XMPP server from my own trusted hardware in my own trusted building, with mandatory TLS and OTR.
I wont be interested in running web based mail/chat clients until we get to a point where browsers have built in APIs that allow people to write trustable apps.
Can anyone explain please, whether WebRTC is a protocol or not? After reading this: http://www.webrtc.org/faq#TOC-Why-should-I-use-WebRTC- I thought it's just an API to enable other protocols (XMPP/Jingle, SIP etc.) to be built through JavaScript. Or is it a protocol after all?
I'm also a bit curious about the protocol part, found this tidbit on their site "The session components are built by re-using components from libjingle, without using or requiring the xmpp/jingle protocol." (http://www.webrtc.org/reference/architecture#TOC-Transport-S...)
I think this is a really nice overview for WebRTC: http://www.html5rocks.com/en/tutorials/webrtc/basics/ There is a section around standards and protocols.
Security issues are one thing, but I've been using this site as a simple way to transfer (nonsensitive) large files without having to wait for the file to go through a third party server, sit through the ads required to pay for the bandwidth for such a server, or require the recipient to download specialized software for a P2P transfer. For this purpose it's very convenient.
You know what they say about javascript browser crypto, but for what it's worth, it worked fine for transferring a file from my desktop to my phone (Firefox on both ends).
I wonder: when using WebRTC between two devices on a single LAN, is my ISP involved (possibly: beyond bootstrapping the process)?
1. WebRTC is natively compiled into browsers. This app uses WebRTC's data channel to transfer files and WebRTC guarantees that the data channel is encrypted (via DTLS). So - tehcnically the crypto is not javascript based - it's native code similar to crypto over HTTPS.
2. WebRTC tries to create a P2P connection between the devices. The ISP is only involved in the initial bootstrapping of the P2P connection - the actual data packets travel over the LAN and not through your ISP. In the rare case a P2P connection can't be established, a relay might be used (though this is optional).
A minor note on 1. - rtccopy.com does use (optionally) OTR in javascript on top of the DTLS channel in order guarantee identity (something not currently guaranteed with the DTLS channel).
It would be lovely if it would explain what features it needs out of Chrome Canary.
Chrome Canary is the only Chrome version that has working SCTP (reliable) datachannel support at the moment. It's broken(undetectable also) in every version before that (you can try, the website won't stop any version, just display warnings).
I did have unreliable datachannel support initially, but as both Firefox & Chrome now support reliable, I see no reason to keep that overhead/extra code around. Hopefully working reliable datachannels in Chrome will reach the primary version soon!