So I know that I mentioned Discord as a possible replacement for TS, and a free one at that, to free up one of Trek's many expenses. I came across a thread from a guy on the OTG forums that I thought I would post here. I don't understand it at all, but I'm sure some of you tech guys will get it. I just wanted to make sure we know as much as we can about it, in case it eventually gets more consideration here.
And then he had a follow-up post: The underlying tech in Discord is WebRTC. This is a peer-to-peer protocol inside the browser. It is not official nor complete. At work I wrote a small web app to test out the bandwidth requirements for a WebRTC client for use over satellite on oil rigs in the Gulf of Mexico, so I am quite familiar. It contains three underlying channels: Audio, Video and Data. While both the Audio and Video channels require user permission to activate, the Data channel does not. This means that the browser on the other end of the connection can initiate a data message and send that data over to you without you ever having to allow it or even know it is happening. This is considered a high-risk feature by Google and they will be removing the functionality from Chrome in an upcoming release. Firefox has deprecated the protocol until a security change has been implemented. Until then they advise only using WebRTC outside of production environments (i.e. only use it for testing and prototyping).
The reason no explicit permission for data was included is because the peer-to-peer style connection requires your explicit permission to connect to another client, so that meant data was implied. Obviously, in retrospect, the developers are finding that not to be the best way to handle things.
This does not mean that you are in any particular danger if you use WebRTC or Discord. It is simply a gaping security hole that someone could very, very easily exploit if they chose to do so. It would be as simple as creating an account, joining the "server", then sending out malicious code to all connected clients. As far as the browser is concerned, you have already said you are OK with accepting that malicious code when you made the connection. I put quotes around the word server because in WebRTC there is no true server for communication. All the server does is point people at each other; then the individuals handle all messaging back and forth from that point forward.
Because WebRTC is not a complete spec yet, it is not considered ready for production. Despite that fact there are a few companies (Discord included) that have decided to use the existing WebRTC spec for production. They are doing so at a "Use at Your Own Risk" level.
None of this is meant to say that anyone should avoid using Discord or WebRTC. I just want to make sure we are well informed about what we are getting into since it has already come up that this could replace Mumble for us. I would recommend holding off on adopting any product that uses WebRTC until mid next year when the spec is to be completed and the security changes are expected to be in place.
Also, my gut tells me that you get what you pay for, and free is never really free. But for small groups that need a quick, easy way to communicate outside of the guild-only Mumble server, this is a great alternative, keeping in mind the potential security risks in its current state.
Side note: an easy way to see if any web communication is using WebRTC is to use Chrome, open the communication, then hit F12 and look at the console. You should see tons of WebRTC packets going back and forth.
I like Discord. It uses unsafe technology underneath. Free is never free.
And one last one: It is a very big hole. However, it is unlikely that it will be exploited, since you have to choose who you are connecting to. The real threat is if there is someone who connects to unknown clients and picks up some malicious code that looks to replicate itself. Then you jump in OTG chat with that person thinking you are safe because you are with people you know, and they pass off that code to you, which runs silently behind your browser collecting everything you do in that browser. Like online Christmas shopping.
Now that is a long-shot worst-case scenario, and highly unlikely. But the fact that it IS a possibility is why browser companies are backpedaling and trying to clean it up quickly. By quickly I mean, most changes of this magnitude in Chrome take anywhere from 18-24 months to implement and test and publish. This one is going through in about 9 months. While that may seem slow to you and me and Joe User, in development terms that's pretty fast. So yeah, they are taking it seriously.
But I want to say again, I use WebRTC myself in other applications and have tested Discord as well. This is not meant to scare anyone out of testing the software. Just be sure you know who you are talking to and keep up to date virus/malware protection at all times.
The security concerns mentioned were not specifically about Discord but about the underlying technology. Discord has not been shown to have any known security issues other than what the low level communication protocol brings to the table. I do not personally use Discord, not for security reasons but because Mumble suits my needs and Discord is unnecessary for me. But I do think there are folks still using it.
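The quoted posts suggest watching the DevTools console to tell whether a web app is using WebRTC. A more direct check, added here as an example and not part of the quoted posts or of Discord's code, is to instrument the browser's own RTCPeerConnection API before the app connects, so that every peer connection, every data channel (opened locally or announced by the remote peer) and every outgoing media track is recorded. Pasted into the DevTools console on a page before it connects, the monitor below records what the page's script actually does with WebRTC. Because RTCPeerConnection only exists inside a browser, the block installs a small constructed stand-in when run offline (for example under Node); the stand-in, the `simulateAppOnStub` driver and the `stun:stun.example.invalid:3478` server address are assumptions made for this example and carry no meaning beyond it.

```javascript
// Added example (not from the quoted posts): record WebRTC usage by hooking
// the RTCPeerConnection constructor. In a browser, paste this into the
// DevTools console before the app connects, let the app run, then call
// getWebRtcActivity() to see what it did.

const activity = []; // recorded WebRTC events, oldest first

function recordEvent(kind, detail) {
  activity.push({ kind, detail, at: Date.now() });
}

function getWebRtcActivity() {
  return activity.slice();
}

// Wrap scope.RTCPeerConnection so that each new connection is observed.
// Returns false if the scope has no RTCPeerConnection at all.
function installWebRtcMonitor(scope) {
  const Original = scope.RTCPeerConnection;
  if (typeof Original !== 'function') return false;
  if (Original.__webrtcMonitorInstalled) return true;

  function Monitored(config, ...rest) {
    const pc = new Original(config, ...rest);
    const servers = (config && config.iceServers) || [];
    recordEvent('peerconnection', { iceServers: servers.map((s) => s.urls) });

    // Data channels the page opens itself.
    const origCreate = pc.createDataChannel.bind(pc);
    pc.createDataChannel = (label, opts) => {
      recordEvent('datachannel-local', { label });
      return origCreate(label, opts);
    };

    // Data channels announced by the remote peer arrive as 'datachannel'
    // events; they are delivered to the page's own JavaScript handlers.
    pc.addEventListener('datachannel', (ev) => {
      recordEvent('datachannel-remote', { label: ev.channel.label });
    });

    // Audio/video tracks the page sends out.
    const origAddTrack = pc.addTrack.bind(pc);
    pc.addTrack = (track, ...streams) => {
      recordEvent('track', { kind: track.kind });
      return origAddTrack(track, ...streams);
    };
    return pc;
  }
  Monitored.prototype = Original.prototype;
  Monitored.__webrtcMonitorInstalled = true;
  scope.RTCPeerConnection = Monitored;
  return true;
}

// Constructed stand-in used only when no real RTCPeerConnection exists
// (offline runs). It imitates just the parts of the API the monitor touches.
class StubPeerConnection {
  constructor(config) {
    this.config = config;
    this.listeners = {};
    this.channels = [];
  }
  createDataChannel(label, opts) {
    const ch = { label, opts };
    this.channels.push(ch);
    return ch;
  }
  addTrack(track) {
    return { track };
  }
  addEventListener(type, fn) {
    if (!this.listeners[type]) this.listeners[type] = [];
    this.listeners[type].push(fn);
  }
  dispatchEvent(ev) {
    (this.listeners[ev.type] || []).forEach((fn) => fn(ev));
  }
}

const scope = globalThis;
if (typeof scope.RTCPeerConnection !== 'function') {
  scope.RTCPeerConnection = StubPeerConnection; // offline only
}
installWebRtcMonitor(scope);

// Drives the stand-in the way a chat app would use the real API: one
// connection, one local data channel, one audio track, one remote channel.
// Only meaningful against the stub; a real browser app makes these calls itself.
function simulateAppOnStub(sc) {
  activity.length = 0;
  const pc = new sc.RTCPeerConnection({
    iceServers: [{ urls: 'stun:stun.example.invalid:3478' }], // constructed address
  });
  pc.createDataChannel('chat');
  pc.addTrack({ kind: 'audio' });
  pc.dispatchEvent({ type: 'datachannel', channel: { label: 'from-peer' } });
  return getWebRtcActivity();
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(simulateAppOnStub(globalThis));
}
```

In a real browser the hook has to be installed before the page creates its first connection, since connections made earlier are not wrapped; Chrome's built-in chrome://webrtc-internals page lists existing peer connections and their negotiated channels without any instrumentation, which is the quicker check when only "is WebRTC in use" matters.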