Ensure Use of Constant-Bitrate Codecs
xloem opened this issue · 2 comments
I create this issue to represent the codec size concerns written up at https://crysp.uwaterloo.ca/opinion/wire/ .
It has been known for some time (e.g., WMM06, WBMM07, and WMSM11) within the system security academic community that using variable-bitrate codecs within an encrypted tunnel leaks information about the communication. Since encryption does not hide the length of the messages being transmitted, the bitrate of a conversation over time can be observed by a passive network attacker, even without access to the encryption keys in use. In some cases, knowledge of the bitrate changes is sufficient to reconstruct the unencrypted conversation with high accuracy. Consequently, while variable-bitrate codecs use the available bandwidth more efficiently, using constant-bitrate codecs is important for security.
The security whitepaper mentions that Wire uses the Opus codec to transmit audio data. The whitepaper does not mention what codec is used for video data. Opus supports both variable- and constant-bitrate encodings, so it is unclear if Wire is vulnerable to traffic analysis. In any case, Wire should ensure that constant-bitrate codecs are used for both audio and video data, and that this is clearly stated in the security whitepaper.
Hi, thanks. It's something we're considering for the next version of our calling. ETA for new version of calling end of March.
Edit: Clarified what's coming end of March.
Clients that went out this week re-enabled the CBR feature in the options.