- From: Philipp Hancke via GitHub <sysbot+gh@w3.org>
- Date: Mon, 28 Apr 2025 18:36:14 +0000
- To: public-webrtc-logs@w3.org
fippo has just created a new issue for https://github.com/w3c/webrtc-pc:

== Validate an ICE server url is missing length check for username ==

The "validate an ICE server URL" steps in https://w3c.github.io/webrtc-pc/#set-the-configuration do not specify a length check on the username for TURN urls. RFC 8489 limits the username length to 509 bytes (down from 512 bytes in RFC 5389). This has led to diverging behavior which is [trivially observable](https://jsfiddle.net/fippo/7xot4avw/7/):

* Firefox throws an InvalidAccessError but was never updated for RFC 8489, so it throws at 512 characters (and has a typo in the error message).
* Safari throws at 509 characters, but it throws a TypeError.
* Chromium silently ignores usernames longer than 509 characters since this caused the ["NAT SlipStream" attack in 2020](https://datatracker.ietf.org/meeting/110/materials/slides-110-rtcweb-nat-slipstream-00) (thanks @alvestrand!) and never sends the STUN packets.

There is [no WPT covering this](https://wpt.fyi/results/webrtc/RTCConfiguration-iceServers.html).

Technically Chrome is following the spec and might have frustrated attackers. But it seems easier to align on helping developers and add the following bullet point:

* If parsedURL's scheme is "turn" or "turns", and the UTF-8 representation of server.username exceeds the 509 byte limit defined by RFC 8489 section, then throw an InvalidAccessError.

It is unclear to me why Safari attempts to restrict the credential in the same way [here](https://github.com/WebKit/WebKit/blob/e72e89897081efd608c057fe8c33f468a10bda4b/Source/WebCore/Modules/mediastream/RTCPeerConnection.cpp#L551). The credential is never transmitted over the network in the clear but only used as input to the TURN authentication hash.

Semi-related, why is "do not exist" used in step 7, which therefore forbids rejecting an empty username? Apparently 3/4 implementations [do not agree either](https://wpt.fyi/results/webrtc/RTCConfiguration-iceServers.html?label=experimental&label=master&aligned). What is the TURN client supposed to put into the username field? Firefox actually puts an empty string there, which is unlikely to be useful, and fails to proceed with an empty password.

Please view or discuss this issue at https://github.com/w3c/webrtc-pc/issues/3049 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 28 April 2025 18:36:15 UTC
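The proposed bullet point, modelled as a stand-alone validator (an added example, not code from the webrtc-pc spec or from any browser; the function names, the error class and the TURN host are hypothetical). It measures the UTF-8 byte length rather than the string length, which is what makes a 255-character username of two-byte characters fail the 509-byte limit, and it takes the limit as a parameter so the RFC 5389 (512) and RFC 8489 (509) behaviours can be compared:

```javascript
// Added example: a model of the proposed "validate an ICE server URL" rule.
// Not the spec's or any browser's code; all names here are hypothetical.

const RFC8489_USERNAME_LIMIT = 509; // bytes, current STUN/TURN limit
const RFC5389_USERNAME_LIMIT = 512; // bytes, the older limit Firefox still enforces

// In a browser this would be a DOMException named "InvalidAccessError";
// a plain Error subclass keeps the example runnable outside a browser.
class InvalidAccessError extends Error {
  constructor(message) { super(message); this.name = "InvalidAccessError"; }
}

// The spec text says "UTF-8 representation", so count bytes, not code units.
function utf8ByteLength(str) {
  return new TextEncoder().encode(str).length;
}

// Parses the URL, checks the scheme, applies the existing turn/turns
// username+credential presence step, then the proposed byte-length step.
// Returns the scheme name on success and throws otherwise.
function validateIceServerUrl(urlString, server, usernameLimit = RFC8489_USERNAME_LIMIT) {
  let parsedURL;
  try { parsedURL = new URL(urlString); } catch { throw new SyntaxError(`cannot parse ${urlString}`); }
  const scheme = parsedURL.protocol.slice(0, -1); // "turn:" -> "turn"
  if (!["stun", "stuns", "turn", "turns"].includes(scheme)) {
    throw new SyntaxError(`unsupported scheme ${scheme}`);
  }
  if (scheme === "turn" || scheme === "turns") {
    // Existing step 7: turn/turns need both username and credential present.
    if (server.username === undefined || server.credential === undefined) {
      throw new InvalidAccessError("turn url without username or credential");
    }
    // Proposed step: reject usernames whose UTF-8 form exceeds the limit.
    const bytes = utf8ByteLength(server.username);
    if (bytes > usernameLimit) {
      throw new InvalidAccessError(`username is ${bytes} bytes, limit is ${usernameLimit}`);
    }
  }
  return scheme;
}

// Classifies a username for a hypothetical TURN server without throwing,
// returning "ok" or the name of the error the validator raised.
function usernameVerdict(username, usernameLimit = RFC8489_USERNAME_LIMIT) {
  try {
    validateIceServerUrl("turn:turn.example.invalid:3478", { username, credential: "x" }, usernameLimit);
    return "ok";
  } catch (e) { return e.name; }
}
```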