
Thanks for the feedback.

In defense of this implementation -

- The only external JS loaded on this site is google analytics. Feel free to block this using something like noscript :)

- WebRTC datachannel connections on this site don't use just (optionally) OTR. They have DTLS enabled within the browser. OTR just adds an authentication layer that DTLS currently lacks. So that even if the OTR implementation here was completely compromised, the only possible attack would still be a MiTM on the DTLS channel.

- It's open source (https://github.com/erbbysam/webRTCCopy), so it's available to be hosted elsewhere and all of the libraries used could be re-downloaded.

-Sam



Does Google now have a log that I visited:

https://rtccopy.com/#csFXmvXW

And if somebody else had visited that same room, would they have a log of that too?


It looks like this is leaking the room name to Google Analytics. After thinking about this more, I'm going to go ahead and remove that. I should be able to monitor the server itself to make sure it isn't getting overloaded.
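An added example, not code from the rtccopy site, of the leak just described and one way to limit it: the room name sits in the URL fragment, which the browser never sends to the web server but which any script in the page can read from `window.location`. The helpers below (hypothetical names) report a fragment-free URL to analytics and scrub the fragment from the address bar once the page has read it; `loc` and `hist` are constructed stand-ins for `window.location` and `window.history` so the flow runs under Node.

```javascript
// Added example, not code from the rtccopy site. The room name lives in the URL
// fragment ("https://rtccopy.com/#csFXmvXW"). A browser never sends the fragment
// to the web server, but every script running in the page, a third-party
// analytics script included, can read it from window.location. Two defensive
// helpers, written to run under Node with stand-ins for location/history:
//   pageUrlForAnalytics(): the URL to report to an analytics library, fragment removed.
//   takeRoomFromLocation(): read the room once, then scrub it from the address bar.

function pageUrlForAnalytics(href) {
  const u = new URL(href);
  u.hash = '';                 // drop "#room" so it is never reported as part of the page
  return u.toString();
}

function roomFromHref(href) {
  const hash = new URL(href).hash;   // "#csFXmvXW", or "" when absent
  return hash.length > 1 ? decodeURIComponent(hash.slice(1)) : null;
}

// `loc` and `hist` are window.location and window.history in a browser. Call
// this before any third-party script is loaded: a script that already ran may
// have read the fragment, and scrubbing it afterwards does not help.
function takeRoomFromLocation(loc, hist) {
  const room = roomFromHref(loc.href);
  if (room !== null) {
    // replaceState rewrites the address bar without navigating or reloading
    hist.replaceState(null, '', pageUrlForAnalytics(loc.href));
  }
  return room;
}

// Constructed stand-ins for window.location / window.history so the flow runs offline.
function demo() {
  const loc = { href: 'https://rtccopy.com/#csFXmvXW' };
  const hist = { replaceState(_state, _title, url) { loc.href = url; } };
  const before = loc.href;
  const room = takeRoomFromLocation(loc, hist);
  return { room, hrefBefore: before, hrefAfter: loc.href, reported: pageUrlForAnalytics(before) };
}

console.log(demo());
```

Scrubbing changes nothing for the signaling server, which still needs the room name to pair peers, and it does not protect against a script that executed earlier in the page; the ordering of script tags is part of the control.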


Even if Google weren't currently sucking up this information, it would still have been a wise decision to remove it. They can change their JavaScript at any point without you noticing and start logging it. Malicious intent not required.



Are you hosting the site through Github Pages?


No, I currently just manually keep the site in sync with the repository. Not exactly the most professional system, but it got the job done. I'm going to look into that (not sure exactly how it works, but I do need to keep a node.js server running as well for WebRTC negotiation), as well as potentially just installing git on the server and having it sync up to the repository.


Great!



