Endpoint Vulnerability

TLS TURN and STUN connections silently fail to simple TCP connections

Description

Security researcher Alexander Kolesnik reported that, while the Mozilla platform does not yet support TLS connections to TURN and STUN servers, the WebRTC implementation would accept turns: and stuns: URIs and then attempt plaintext connections to the servers when these were used. This can lead to disclosure of credentials through a man-in-the-middle (MITM) attack, as the connection is not encrypted.
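
A configuration check for the condition described above, as an added example that is not Mozilla's code: it flags turns: and stuns: entries in an iceServers list when the WebRTC stack is assumed not to support TLS, and can strip them so they are never tried in plaintext. The function names, the platformSupportsTls flag and the sample hosts and credentials are hypothetical and constructed for illustration.

```javascript
// Added example, not Mozilla's code. URI shape: scheme:host[:port][?transport=udp|tcp]
const ICE_URI = /^(stuns?|turns?):(\[[0-9a-f:.]+\]|[^:?\[\]\s]+)(?::(\d{1,5}))?(?:\?transport=(udp|tcp))?$/i;

function parseIceUri(uri) {
  const m = ICE_URI.exec(String(uri).trim());
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  return { scheme, host: m[2], port: m[3] ? Number(m[3]) : null,
           transport: m[4] ? m[4].toLowerCase() : null,
           expectsTls: scheme === "stuns" || scheme === "turns" };
}

// Accept both the `urls` (string or array) and legacy `url` forms.
const urlsOf = (server) => [].concat(server.urls ?? server.url ?? []);

// platformSupportsTls is a caller-supplied assumption about the WebRTC stack in use.
function auditIceServers(iceServers, platformSupportsTls) {
  const findings = [];
  for (const server of iceServers) {
    for (const uri of urlsOf(server)) {
      const parsed = parseIceUri(uri);
      if (!parsed) {
        findings.push({ uri, risk: "unparseable" });
      } else if (parsed.expectsTls && !platformSupportsTls) {
        const hasCreds = Boolean(server.username || server.credential);
        findings.push({ uri, risk: hasCreds ? "credentials-exposed" : "plaintext-downgrade" });
      }
    }
  }
  return findings;
}

// Fail closed: drop TLS-scheme URIs instead of letting them be tried unencrypted.
function stripUnsupportedTls(iceServers, platformSupportsTls) {
  if (platformSupportsTls) return iceServers;
  return iceServers
    .map(({ url, urls, ...rest }) => ({
      ...rest,
      urls: urlsOf({ url, urls }).filter((u) => !parseIceUri(u)?.expectsTls),
    }))
    .filter((s) => s.urls.length > 0);
}

// Constructed sample configuration; hosts and credentials are placeholders.
const SAMPLE = [
  { urls: "stun:stun.example.org:3478" },
  { urls: ["turns:turn.example.org:5349?transport=tcp", "turn:turn.example.org:3478"],
    username: "alice", credential: "constructed-secret" },
  { urls: "stuns:stun.example.org:5349" },
];
```

Run the audit before the list is handed to RTCPeerConnection; servers left with no usable URI after stripping are removed from the list entirely.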

Affected Products

Firefox

References

CVE-2015-0834