WebRTC and browser security

No replies
strypey
Offline
Joined: 05/14/2015

I've seen a few people raising serious security concerns about WebRTC in the fediverse, for example:
https://social.alternativebit.fr/objects/6247b670-faac-4b73-b3d5-de35b03b9816

There is advice about hardening or disabling WebRTC in the Trisquel wiki:
https://trisquel.info/en/wiki/tweak-your-browser-enhance-security-and-privacy
https://trisquel.info/en/browser/addons/disable-webrtc

We have had a lot of discussions in the Trisquel forums about WebRTC and free code software that uses it, including voice/video calling apps (e.g. Jitsi Meet, NextCloud Talk), and WebTorrent apps (e.g. PeerTube):

2018-02: https://trisquel.info/en/forum/feature-request-webtorrent
2018-01: https://trisquel.info/en/forum/videotelephony-trisquel-7
2018-01: https://trisquel.info/en/forum/privacysecurity-services-and-software#comment-126382
2018-01: https://trisquel.info/en/forum/jitsi-meet
2017-11: https://trisquel.info/en/forum/free-software-replace-skype#comment-123248
2017-06: https://trisquel.info/en/forum/dns-leaks#comment-116995
2017-04: https://trisquel.info/en/forum/wire-free-software-now#comment-113293

So, since a lot of free code software is being built on top of WebRTC, I think it would be good to see if we can come to a community consensus on what we think about it.

Is it a good thing, that needs some security hardening work? If so, to what degree has that been done in the version of WebRTC that ships with ABrowser in Trisquel? What more could be done, and what is needed to get it done?

Is it a bad thing? If so, what do we propose to use instead for all the free code software that depends on it? Should WebRTC support be removed from ABrowser, or turned off by default? Should we stop endorsing software that depends on WebRTC, and start promoting alternatives?

If this discussion is taking place (or has already taken place), can someone provide some links to where it took place, or documentation of what was decided?