Justin Uberti
Works at Google
Attended University of Virginia

Justin Uberti

Shared publicly  - 
 
UberConference adds WebRTC-based screen sharing. Nicely integrated, and shows that the extension-based approach to screen sharing isn't a significant hurdle for WebRTC developers.
 
"Chrome offers the best viewing experience." You bet!

Free Screen Sharing for Conference Calls
 
Fuzz testing is supposed to prevent bugs like Heartbleed. Why didn't it work here? Well, the problem is that encryption is a natural protection against fuzzing. Any damage to the packets will cause them to be discarded by the outer protocol layers, namely TLS' authentication checks.

In a world where everything is encrypted, the fuzzer really needs to work on the data before the encryption stage. Then it can get past the outer defenses and pound on the rest of the code that we really want to test.

This is not just an issue for TLS - it has relevance to WebRTC too, where any malformed packets will get tossed by the SRTP or DTLS layers. Again, we can avoid this issue if the fuzzer can do its mutation of the data on the send side before it goes to the encryption layer. But this means the fuzzer needs to be completely rethought - rather than something that simply changes bits on the wire, it needs to be part of the actual client.

Something to consider adding as an option in Chrome.

http://en.wikipedia.org/wiki/Fuzz_testing
3 comments
 
Fuzzing on an unencrypted session would be useful in many cases. The advantages of the client-fuzzer I describe are a) that you could fuzz packets inside the encryption machinery (e.g. heartbeats) and b) you could fuzz other webrtc endpoints without needing to specially configure them to accept cleartext traffic.

Justin Uberti

Shared publicly  - 
 
Sunny Stockholm.
3 comments
 
Nice… that you can't tell how bloody cold it's been :)

Justin Uberti

Shared publicly  - 
 
Chrome and Chrome for Android are not affected by Heartbleed.
 
How does this affect webrtc? 
4 comments
 
Chrome-Firefox is OK too, since Firefox uses NSS instead of OpenSSL. Chrome either uses NSS or a version of SSL with heartbeats compiled out.

Justin Uberti

Shared publicly  - 
 
Great story on the history of AOL Instant Messenger, including interviews with a couple of the key folks who brought AIM to life. Defining quote from Eric Bosco, my old boss, on the tensions between the AIM (new) part of the company, and the AOL (old) part: "It was always AIM versus AOL. They hated us."

http://mashable.com/2014/04/15/aim-history/
In many ways, AOL Instant Messenger was right in line with the times, just at a company hanging on to a business model that would soon become obsolete.
 
Stockholm at night.
 
Beautiful
 
Heartbleed's root cause: forgetting to sanity-check all size values in the protocol. Otherwise known as "Rule #1 of network programming".

See for yourself at https://github.com/openssl/openssl/commit/4817504d069b4c5082161b02a22116ad75f822b1#diff-38dc72994741420e2b6c5ee074941a45R1480
4 comments
 
The real bug is the failure of the stack to barf when the length is invalid.

The reason a standard fuzzer didn't catch this is because the heartbeat is encrypted. Any damage to the packet will be discarded by the TLS encryption layer.

This raises a pretty interesting point, namely that fuzzing must be done at multiple levels, i.e. both in the plaintext and encrypted domains.
Add a comment...
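The two points made in this thread and in the earlier fuzzing post (check every size value; mutate the data before the protection layer, not on the wire), as an added C example that is not code from the post or from OpenSSL. The 3-byte header and 16-byte minimum padding follow the heartbeat message layout; `toy_tag`, `seal`, `open_record` and `run_case` are hypothetical names, and the tag is a toy checksum standing in for the TLS/DTLS/SRTP authentication check.

```c
#include <stdint.h>
#include <string.h>

#define HB_HDR 3u   /* type (1 byte) + payload_length (2 bytes) */
#define HB_PAD 16u  /* minimum padding after the payload */
#define TAG_LEN 4u

/* Toy keyed checksum modelling the record layer's authentication check.
 * Not cryptography: it only makes damaged records get dropped. */
static uint32_t toy_tag(const uint8_t *p, size_t n) {
    uint32_t h = 0x9e3779b9u; /* constructed "key" */
    for (size_t i = 0; i < n; i++) h = (h ^ p[i]) * 16777619u;
    return h;
}

/* Send side: copy the plaintext and append its tag. Returns record length. */
static size_t seal(const uint8_t *msg, size_t n, uint8_t *rec) {
    uint32_t t = toy_tag(msg, n);
    memcpy(rec, msg, n);
    memcpy(rec + n, &t, TAG_LEN);
    return n + TAG_LEN;
}

/* Receive side: plaintext length, or -1 when the tag does not verify. */
static int open_record(const uint8_t *rec, size_t n) {
    uint32_t t;
    if (n < TAG_LEN) return -1;
    memcpy(&t, rec + n - TAG_LEN, TAG_LEN);
    return t == toy_tag(rec, n - TAG_LEN) ? (int)(n - TAG_LEN) : -1;
}

/* Heartbeat parser: payload length that is safe to echo, or -1 to discard. */
int parse_heartbeat(const uint8_t *msg, size_t len) {
    if (len < HB_HDR + HB_PAD) return -1;            /* no room for a header */
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];
    if (HB_HDR + claimed + HB_PAD > len) return -1;  /* claims more than arrived */
    return (int)claimed;
}

/* One case on a valid 4-byte heartbeat; -2 means the record layer dropped it. */
int run_case(int fuzz_plaintext, int fuzz_wire) {
    uint8_t msg[HB_HDR + 4 + HB_PAD] = {1, 0, 4, 'p', 'i', 'n', 'g'};
    uint8_t rec[sizeof msg + TAG_LEN];
    if (fuzz_plaintext) msg[1] = 0x40;  /* before sealing: claim 0x4004 bytes */
    size_t n = seal(msg, sizeof msg, rec);
    if (fuzz_wire) rec[1] ^= 0x40;      /* the same mutation, after sealing */
    int plain = open_record(rec, n);
    return plain < 0 ? -2 : parse_heartbeat(rec, (size_t)plain);
}
```

`run_case(0, 1)` returns -2 because the mutated record is dropped before the parser runs, while `run_case(1, 0)` returns -1 because the same bad length reaches the parser and is rejected by its size check.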

Justin Uberti

Shared publicly  - 
 
Why action games use UDP for their networking. Also applicable to WebRTC.

http://1024monkeys.wordpress.com/2014/04/01/game-servers-udp-vs-tcp/

Justin Uberti

Shared publicly  - 
 
Mayday isn't the first "stealth" WebRTC app out there. Some other notable deployments:
- http://www.onsip.com/blog/2013/05/01/are-facebook-voip-calls-on-android-using-webrtc
- http://bloggeek.me/vonage-webrtc-interview/

If you're curious whether a mobile app is using WebRTC, it's pretty easy to do with Wireshark. Set your PC up to share its Internet connection over Wifi, and then connect your device to the PC wifi. Run Wireshark on the PC wifi connection, and all will be revealed...
Work
Occupation
Tech Lead, Google Real-time Communications
Employment
  • Google
    Tech Lead, 2006 - present
  • AOL
    Chief Architect, 1997 - 2006
  • IFusion Com
Basic Information
Gender
Male
Relationship
Married
Other names
juberti
Story
Tagline
Trained Professional
Bragging rights
Brief work history: Tech Lead for WebRTC, Google+ Hangouts, Gmail Call Phone, Google Video Chat, AOL Instant Messenger
Education
  • University of Virginia
    Mathematics, 1992 - 1995
They did a superb job fixing my iPad with a cracked screen. From unusable to good-as-new in a week. Price was very reasonable, and great customer service too - checked it over when I dropped it off, let me know what to expect, notified me when it was ready to pick up, super smooth transaction. I went to their Bellevue location, which is convenient but kind of tucked away in a nondescript office building.
Quality: Excellent, Appeal: Very good, Service: Excellent
Public - a year ago