I really appreciate you directly going to the community for feedback.
As someone who writes software for IoT devices and has worked in the past on security in the IoT space this is sorely needed. By far the biggest issue in my view is that manufacturers are not motivated to take device security seriously since they are largely isolated from any fallout. Device manufacturers already have to pass certification for RF emissions and safety among other things and should have to pass certification for at least a basic security audit on the device and the services the device connects to. Even self-certification would improve the current situation.
For many device types there exists some form of open source OTA update software or a commercial offering. In the last few years there has been significant maturing of the tooling in this space but the security aspect is often left as optional even though the tooling often makes it fairly easy to add. At this point I think the industry just needs a little push to make secure OTA updates the standard.
An example would be an app for associating a device without a screen on to a wireless network. Think IoT devices or Alexa. Saves the user from having to type in the SSID which is a pain.
But #2 historically does not give better returns. Since the information is already public it has already been included in the price of the stock. The vast majority of investors are not smarter than Wall Street.
As someone who has done some gambling in the stock market using this kind of thinking it has not been a good strategy compared to just buying and holding index funds. Sometimes I get lucky and sometimes I get unlucky buying individual stocks but my most best returns have been buying broad index funds and holding them.
This forces all WebRTC connections to only use server-reflexive and relay ICE candidates, and only on the default IP route. While this may cause a QoS hit (two users behind NAT can no longer keep their traffic internal to the NAT), it does allow the issue mentioned here to be fully addressed without disabling WebRTC altogether.
Thanks very much for your reply. I've been trying to enable the preference in Google Chrome Canary on Mac OSX. However, I haven't been able to successfully block the IP leak - I suspect because I haven't configured it correctly. I had to manually create the file "/Library/Google/Google Chrome Master Preferences" and add the setting you suggested. I then reinstalled Chrome Canary and tested but no effect. I also tried editing the user preferences file in ~/Library/Application\ Support/Google/Chrome\ Canary/Default/Preference but that seems to be overwritten by the browser. How should I be configuring this preference? Thanks again.
That doesn't necessarily mean they need to be sent to the server. The two browsers on the same LAN could coordinate via local discovery, establish a socket between themselves, hand that socket to WebRTC, and never tell the two applications running in the browser sandbox what local LAN IPs they use.
As someone who writes software for IoT devices and has worked in the past on security in the IoT space this is sorely needed. By far the biggest issue in my view is that manufacturers are not motivated to take device security seriously since they are largely isolated from any fallout. Device manufacturers already have to pass certification for RF emissions and safety among other things and should have to pass certification for at least a basic security audit on the device and the services the device connects to. Even self-certification would improve the current situation.
For many device types there exists some form of open source OTA update software or a commercial offering. In the last few years there has been significant maturing of the tooling in this space but the security aspect is often left as optional even though the tooling often makes it fairly easy to add. At this point I think the industry just needs a little push to make secure OTA updates the standard.