
I can see where a FQDN candidate is no biggie in a browser's offer/answer since DNS lookups occur all the time. But I imagine the simple fix for Signal's WebRTC use, since they control both sides of the exchange, is to just disregard non-IP candidates. Or even better, don't do anything with the candidates until the call is accepted. Worst case, could just have a geographically centralized signaling server (or shared IP). Granted, since Signal controls both sides, might as well only serve fixed "host" candidates and disallow any offer/answer with custom crafted ones.

One also wonders, to prevent other forms of leaks, if Signal can make a blanket policy to prevent DNS lookups or in general get tighter control on outbound network.




Disregarding non-IP candidates is exactly what we've chosen to do (and which the new versions of the app do).

The downside of disregarding all candidates until the call is accepted is that post-accept connectivity would be much slower.

Going through a server to hide your IP is an option in the settings in the app, but it can potentially lead to higher call latency, so there is a trade-off.

To prevent issues like this in the future we are taking more control of WebRTC's behavior with a fork of WebRTC (Signal uses WebRTC) and are providing patches to upstream WebRTC as well.

(I work at Signal on calling)
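An added example, not part of the comment above and not Signal's code: a receiver-side filter of the kind discussed in this exchange, which parses each ICE `candidate:` line and keeps it only when the connection-address field is an IPv4 or IPv6 literal, so an FQDN candidate is never handed to a resolver. The function names and the sample candidates are constructed for illustration.

```javascript
// Added example: keep only ICE candidates whose connection-address is an IP
// literal. Function names are hypothetical, not taken from any real code base.
const IPV4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;

function isIpLiteral(addr) {
  if (IPV4.test(addr)) return true;
  // An IPv6 literal contains only hex digits, colons and dots (embedded IPv4).
  if (!addr.includes(':') || !/^[0-9a-fA-F:.]+$/.test(addr)) return false;
  try {
    new URL(`http://[${addr}]/`); // the WHATWG URL parser validates the literal
    return true;
  } catch {
    return false; // malformed IPv6: fail closed
  }
}

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function candidateAddress(line) {
  const fields = line.trim().replace(/^a=/, '').split(/\s+/);
  if (fields.length < 8 || !fields[0].startsWith('candidate:') || fields[6] !== 'typ') return null;
  return fields[4];
}

// Split candidates into those safe to use and those to discard without any lookup.
function filterIpOnlyCandidates(lines) {
  const accepted = [], dropped = [];
  for (const line of lines) {
    const addr = candidateAddress(line);
    (addr !== null && isIpLiteral(addr) ? accepted : dropped).push(line);
  }
  return { accepted, dropped };
}

// Constructed sample candidates (documentation address ranges, made-up hostnames).
const sampleCandidates = [
  'candidate:1 1 udp 2122260223 192.0.2.10 54321 typ host',
  'candidate:2 1 udp 2122194687 2001:db8::1 54322 typ host',
  'candidate:3 1 udp 1686052607 198.51.100.7 40000 typ srflx raddr 192.0.2.10 rport 54321',
  'candidate:4 1 udp 2122260223 tracker.example.test 3478 typ host', // FQDN
  'candidate:5 1 udp 2122260223 0f3c9a1e.local 50000 typ host',      // mDNS-style name
  'candidate:6 1 udp 2122260223 192.0.2.999 50000 typ host',         // not a valid IPv4
  'garbage line',                                                    // unparseable
];
```

Anything that does not parse as a candidate line is dropped along with the hostname candidates, so a malformed line cannot slip past the check.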


>> “PINs will also help facilitate new features like addressing that isn’t based exclusively on phone numbers, since the system address book will no longer be a viable way to maintain your network of contacts.” [1]

Any idea when more information might be available on this? Asked Moxie years ago to add this and know 100s of others have too.

Worth noting the FAQ as it relates to the PIN length is not correct, “How long can my PIN be? There is no limit. Feel free to add as many characters as you want.” [2] ...tested it and longest PIN I was able to create was 20 characters all numeric.

[1]: https://signal.org/blog/signal-pins/

[2]: https://support.signal.org/hc/en-us/articles/360007059792-Si...



