Breaking the specification, locally, for connectivity


guest271314

Jul 12, 2025, 5:18:36 PM
to discuss-webrtc
Can't I break the specification and create SDP exactly once, to avoid exchanging SDP, and instead simply reuse the same SDP (v, m, t, s, a=candidate, a=ice-ufrag, a=ice-pwd, a=fingerprint) for Data Channel connectivity over localhost, given there's zero "security" issues for local to local communication on the same machine?

Harald Alvestrand

Jul 14, 2025, 1:43:29 AM
to discuss...@googlegroups.com
To figure out whether localhost connections can ever be a security issue, please Google "localmess".

On Sat, Jul 12, 2025, 23:18, guest271314 <guest...@gmail.com> wrote:
Can't I break the specification and create SDP exactly once, to avoid exchanging SDP, and instead simply reuse the same SDP (v, m, t, s, a=candidate, a=ice-ufrag, a=ice-pwd, a=fingerprint) for Data Channel connectivity over localhost, given there's zero "security" issues for local to local communication on the same machine?


guest271314

Jul 14, 2025, 9:16:19 AM
to discuss-webrtc
Yeah, I do not consider *any* signal communications to be "secure".

Locks are for honest people.

Bill Binney and his colleagues disclosed how ThinThread worked "to monitor basically the entire world" last century. There was PRISM, too, which all the major tech players acquiesced to the U.S. Government to participate in. Who knows how many undisclosed corporate/gov'ment deals are going on right now.

We know about COINTELPRO before there was any "smart phone" released by Kyocera, and before any Palm Pilot, or Blueberry devices.

I'd imagine the average Android (and/or Apple) device has dozens of network connections happening at any given time. 

We know that if you use Google voices for Web Speech API your text is sent to remote Google servers, and if you use speech to text your voice is recorded and sent to remote Google servers on desktop. 

I'm not one of those humans rolling around with a cell phone in my hand all day long, even when I cross busy streets. I use the cell phone for a cell phone. And I'm under no impression that there's any *security* whatsoever for any signal communications - none that can be **verified**.

I'm on my own machine, on desktop, trying to stream to and from local applications - because asking nicely for this or that feature to be implemented using existing technologies already present in the Chromium Project just gets me banned from making feature requests.

I'm on some do what I want on my machine stuff, knowing that there is no such thing as "security" on these devices, or really anywhere in this inherently insecure natural world.

Thanks though.

> So we need people to have weird new ideas ... we need more ideas to break it and make it better ...

> Use it. Break it. File bugs. Request features.

- Soledad Penadés, Real time front-end alchemy, or: capturing, playing, altering and encoding video and audio streams, without servers or plugins!

guest271314

Jul 14, 2025, 9:50:32 AM
to discuss-webrtc
It's mayonnaise calling milk white...

Enable Protocol Monitor in DevTools on Chrome and observe the tab freeze due to the volume of messages over QUIC and CDP...

Is somebody excluding CDP from being capable of "tracking" users? Histograms, origin trials, and so forth...

Google Chrome Labs rolls out Isolated Web Apps with all of the "cross-origin" isolation ideas - and gates WICG Direct Sockets behind IWA's.

Well, if I'm more interested in Direct Sockets than the idea of an "Isolated Web App" then I'm going to get out of whatever alleged "sandbox" supposedly set up using one or several of the *many* Web API's that provide that functionality, including WebRTC.

So, you've allegedly cross-origin isolated the Isolated Web App. But wait... I can make HTTP, HTTPS, WS, WSS, WebRTC and Web extension connections to the IWA. So you really don't have a cross-origin, isolated application. 

I'd go so far as to assert it is IMPOSSIBLE to completely isolate origins on any window in a browser - given the amount of Web API's already available, and that keep being spit out. Web Bluetooth, Web Serial, hell Web Audio API, or just images and media files. 

So the shiver me timbers shock value ain't really there for ethical hackers that already know there is no "security" for any signal communications. 

You want "security" turn off the device and go to the library, pick a random book and read it at a table, then put the book back on the shelf.