by umarniz 2056 days ago
Heads up before opening the link: your IP is leaked to anyone who is watching the same video.

Have spent only a couple of minutes looking at it, but it works by connecting to a WebSocket server where everyone who watches the video announces themselves; when 2 people are watching the same video, a WebRTC data channel is opened for streaming video content.

Have you guys considered the security aspect of such a service? Especially, a data channel open between 2 anonymous parties is a very nice attack vector imo.

3 comments

> when 2 people are watching the same video a WebRTC data channel is opened for streaming video content

Is this enabled by default in modern browsers?

Yes

Flag it then.

Yes, that's a pretty interesting point.

Datachannels by themselves are secure since all videoconferencing software uses the same technology to connect users and there are no visible security concerns.

Also, we make sure the data being transferred is not malicious by having checks for data consistency.

That's a bad comparison, since they're fundamentally different applications.

Video conferencing is multicast, video streaming is broadcast. I can essentially opt in to opening a data channel to a peer because it's core to the technology and feature set. I don't expect opening a link to a video exposes me to another random person or computer watching the same video.

Another fundamental difference is that video conferences are temporary. Hosted videos are persistent. I can just have a machine hang out watching a video on loop and sniff peers coming in, quite reliably if the video is popular.

Another point I'd bring up is that video conferencing apps' threat model is essentially around unauthorized access. It's dealt with by obscuring the video stream's link, making it temporary, and securing it behind an authorization protocol (on Zoom you have login, password, and manual admitting by the host, for example). That doesn't really fit if you're hosting videos to be persistent.

Huh? All WebRTC is unicast.

Well, first thing: even in the case of video streaming, the URL changes with time with the current security measures and hence is valid only for a certain time.

My second point w.r.t. the comparison is regarding the security of WebRTC data channels, which is a pretty secure channel that is used in video conferencing as well, but there are no known security loopholes in that and thus no concern.
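
The address exposure raised at the top of the thread can be checked from the session description a client would hand to a peer. The following is an added example, not part of any commenter's post and not the service's code: it parses the standard ICE `a=candidate` lines and reports which ones disclose a user's address. The function names and sample SDP lines are constructed for illustration.

```javascript
// Added example: audit which addresses an SDP blob would disclose to a remote peer.
// ICE candidate line layout (RFC 8839):
//   a=candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...

function parseCandidates(sdp) {
  const out = [];
  for (const raw of sdp.split(/\r?\n/)) {
    const line = raw.trim().replace(/^a=/, "");
    if (!line.startsWith("candidate:")) continue;
    const f = line.slice("candidate:".length).split(/\s+/);
    // A well-formed line has the literal "typ" as its 7th field; skip anything else.
    if (f.length < 8 || f[6] !== "typ") continue;
    out.push({ transport: f[2].toLowerCase(), address: f[4], port: Number(f[5]), type: f[7] });
  }
  return out;
}

function classify(c) {
  if (c.type === "relay") return "relay";           // TURN server's address, not the user's
  if (c.address.endsWith(".local")) return "mdns";  // browser-obfuscated host candidate
  if (c.type === "host") return "local-ip";         // LAN address visible to the peer
  return "public-ip";                               // srflx / prflx: NAT's public address
}

function auditSdp(sdp) {
  const findings = parseCandidates(sdp).map((c) => ({ ...c, exposure: classify(c) }));
  const leaksAddress = findings.some(
    (f) => f.exposure === "local-ip" || f.exposure === "public-ip"
  );
  return { findings, leaksAddress };
}

// Constructed sample: what a default peer connection typically gathers.
const SAMPLE_DEFAULT = [
  "v=0",
  "a=candidate:1 1 udp 2122260223 10.0.0.5 54321 typ host generation 0",
  "a=candidate:2 1 udp 2122194687 3f1c9a2e-0000-4000-8000-000000000001.local 54322 typ host",
  "a=candidate:3 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 0.0.0.0 rport 0",
].join("\r\n");

// Constructed sample: gathering restricted to TURN relays, which a client requests with
//   new RTCPeerConnection({ iceTransportPolicy: "relay", iceServers: [...] })
const SAMPLE_RELAY =
  "a=candidate:4 1 udp 41885439 198.51.100.20 3478 typ relay raddr 0.0.0.0 rport 0";

console.log(auditSdp(SAMPLE_DEFAULT).findings.map((f) => `${f.address} -> ${f.exposure}`));
console.log("relay-only leaks address:", auditSdp(SAMPLE_RELAY).leaksAddress);
```

With the relay-only policy the remote peer sees only the TURN server's address; the TURN operator still sees the client's.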