Re: [appsdir] Fwd: Request for Apps Directorate review of rtcweb-security drafts

"Orit Levin (LCA)" <> Tue, 14 July 2015 18:07 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id D20D71AD2EE for <>; Tue, 14 Jul 2015 11:07:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id gpQ9d5ZJPvAj for <>; Tue, 14 Jul 2015 11:07:21 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B2FDA1AD357 for <>; Tue, 14 Jul 2015 11:07:13 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Tue, 14 Jul 2015 18:07:12 +0000
Received: from ([]) by ([]) with mapi id 15.01.0207.004; Tue, 14 Jul 2015 18:07:11 +0000
From: "Orit Levin (LCA)" <>
To: Eliot Lear <>, "" <>
Thread-Topic: [appsdir] Fwd: Request for Apps Directorate review of rtcweb-security drafts
Thread-Index: AQHQr4DcT2qcK6DgvkiqLOtwc4J9zZ29oujwgBRIQaA=
Date: Tue, 14 Jul 2015 18:07:11 +0000
Message-ID: <>
References: <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results:; dkim=none (message not signed) header.d=none;
x-originating-ip: []
x-microsoft-exchange-diagnostics: 1; BL2PR03MB292; 5:m42Kt6NxxA3Qx6D255lLIedqD7dlHEDi1bmlcY9uJO6zyveE9xriJzGXO9LVacY3eZLUI6uoBFrZbPcBRdfSOsm4vbWzps24v2Rxw14BuClyAssflVLKqlftWM2CZO0hzwqsM27bq3Q/ONfVmGVfTg==; 24:ALWZ1mont3OtDpCGYz6OCNQ1iT1j5Pe5VWS8YkkOV59x/Dilo3uj3LbnB5slf40V3N5UMDm/aEQltdhbTpel48wREobZ3cjCqU5UupP9GPQ=; 20:403E/pjC6aDYnEpRtn51NGPhqFOkQyDJPftZhI0qqKO2niyERFpRY9Q+Tzd3Ils7DkOHLB0oX0HFNHOG3Oz06Q==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BL2PR03MB292;
bl2pr03mb292: X-MS-Exchange-Organization-RulesExecuted
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(3002001); SRVR:BL2PR03MB292; BCL:0; PCL:0; RULEID:; SRVR:BL2PR03MB292;
x-forefront-prvs: 0637FCE711
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(479174004)(164054003)(51704005)(13464003)(2473001)(377454003)(24454002)(2501003)(106116001)(33656002)(2656002)(99286002)(5003600100002)(5001770100001)(86362001)(74316001)(76576001)(92566002)(87936001)(19580405001)(107886002)(50986999)(86612001)(66066001)(19580395003)(46102003)(77096005)(5001960100002)(102836002)(62966003)(40100003)(77156002)(5002640100001)(93886004)(2950100001)(189998001)(15975445007)(2900100001)(76176999)(54356999); DIR:OUT; SFP:1102; SCL:1; SRVR:BL2PR03MB292;; FPR:; SPF:None; MLV:sfv; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Jul 2015 18:07:11.7075 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL2PR03MB292
Archived-At: <>
Subject: Re: [appsdir] Fwd: Request for Apps Directorate review of rtcweb-security drafts
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Apps Area Review List <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 14 Jul 2015 18:07:25 -0000

Disclaimer: I am familiar with RTC and WebRTC, but I haven't followed the RTCWeb work in the last few years. I read the two drafts for the first time.
Therefore, my apologies for potentially raising points that have been discussed in the past. 

>From the APP (or ART) review perspective, my main comment is on the topic of "Web-Based Peer Authentication". While it is not clear from the text, which parts are already standardized concepts (e.g., by W3C) and which are introduced here for the first time, the described approach seems to be (1) useful to web applications beyond WebRTC, (2) under development and thus probably not stable, and (3) too detailed for "an architecture" document.  As such, the concept of " Web-Based Peer Authentication" probably needs to be introduced and standardized under the Security Area and then adopted by WebRTC and other apps.
This document contains an excellent collection of security threats to WebRTC and discusses many different ideas for their potential mitigation. That being said, it is not an easy read. Specifically, from high level to more specific:
1. The intended status of the document is Standards Track, while a typical status of a "security threat model" RFC is Informational. This discrepancy probably lies in the current scope of the document. See the next comment below.
2. The scope of the document is not clear. In addition to describing the security threats (and the requirements or user expectations related to their prevention), in many places the document lists potential solutions with their perceived limitations and/or applicability. Examples are sections: 4.2.1, 4.2.2, 4.2.3, 4.2.4,,, To improve the document's readability and reduce overlaps,  the solutions should be introduced and explained in the companion "architecture" document. Solutions' applicability to different use cases needs to be provided in a non-bias way.
3. Apart from the brief Introduction with a few examples, there is no description of the WebRTC threat model putting all main types of threat in one place. For example, the "Communications Security" aspect is introduced for the first time in Section 4.3 only. The start of Section "4. Security for WebRTC Applications" could be a logical place for introducing the WebRTC threat model.
4. The "simple WebRTC system" presented in the Introduction in Figure 1 is inadequate to illustrate many of the scenarios and points discussed in the document. For example, see the discussion around media origin vs. web origin in Section 4.1.3.
5. Section "3. The Browser Threat Model" is an overview of the existing web security architecture and some current practices. As such, references to relevant standards (e.g., W3C) and common practices need to be added within the text to help the reader to understand the status of the information and to follow the sources.
6. The last paragraph in Section 4.1 conveys a key point in the whole WebRTC threat model. As such,  it needs to be moved to the start of the discussion where the threat model is introduced (see comments above).
7. Stylistically, the document would benefit from removing non-standards vocabulary, i.e., "to bug", "to bug me", "no real way", "it is important to require", "extremely aggressive intermediates",  and "for obvious reasons", etc.
8. Suggestions for renaming some of the sections to improve readability:
"3. The Browser Threat Model" -> " 3. Overview of the Existing Web Threat Model"
"4.1. Access to Local Devices" -> "4.1. Consent to Access Local Resources"
"4.1.2. Calling Scenarios and User Expectations" -> "4.1.2. Scope of Consent in Various Calling Scenarios"
" Dedicated Calling Services" -> " Long-term Consent"
" Calling the site You're On" -> " Short-term Consent"
"4.1.3. Origin-Based Security" -> "4.1.3. Web Attackers and Origin-based Security"
"4.1.4. Security Properties of the Calling Page" -> "4.1.4. Network Attackers and  Security Properties of the Calling Page"
"4.2. Communications Consent Verification" -> "4.2. Consent to Receive Traffic"
"4.3.3. Malicious Peers" -> "4.3.3. Out of Scope"
This document is in a much better state in terms of its organization and readability. It introduces the security architecture using an example and then lists possible approaches to implement it. Some approaches are described on a high level by referencing other documents, while others are introduced for the first time in this document together with their implementation details. By just reading the document, it is difficult to judge whether these details are sufficient or stable enough for implementation. In general, I doubt that this is the best approach for an "architecture" document, which is supposed to serve as a long term stable reference.
More specific comments:
1. Different terminology is used throughout the document to address same or close concepts. It would help a lot to explain the concepts upfront and then to use the terminology consistently. Currently it includes "client", "endpoint",  "peer", "user"; "implementation", "browser", "chrome", "API", "JS"; "application", "server", etc.
2. The discussion is phrased in terms of "authentication" and "trust". In think that "authorization" instead of "trust" would be a better technical term, for example, in Section 3.1.
3. In section 4. Overview, sentence "the tension between security (or performance) and privacy" is not clear, especially because it doesn't seem to correspond to Section 6.2. (BTW "tradeoff" would be a better word than "tension".)
4. Section "4.1. Initial Signaling", the text is inconsistent in terms of whether Alice and Bob share or use different identity providers.
5. Section "4.1. Initial Signaling", reference to PeerConnection needs to be added.
6. Section "4.2. Media Consent Verification" and Section "5.3 Communications Consent": the name/terminology of this functionality needs to be harmonized. The ICE-based solution with its pros, cons as well as the alternatives (applicable to different use cases) need to be moved from the companion threat model document to this "architecture" one.
7. A suggestion: rename "5. Detailed Technical Description" to "5. Security Architecture Components".
8. In Section 5.2., "Implementations which support some form of direct user authentication..." -> "Implementations that support some form of direct user authentication..."
9. Section "5.6. Web-Based Peer Authentication" and section "5.6.2. Overview of operation": It is not clear, which parts are standardized concepts (e.g., by W3C) and which are introduced here for the first time. If exist, references to existing standards need to be added. The described architecture and the technical details seem to be (1) under development and thus probably not stable, (2) too detailed for "an architecture" document and (3) useful beyond WebRTC.  As such, the concept of the " Web-Based Peer Authentication" probably needs be introduced under the Security Area and then adopted by WebRTC.
10. The web-based peer authentication using IdP is not the only mechanism applicable to WebRTC. Moreover, the web-based peer authentication  is not the only approach applicable to WebRTC. Alternatives are listed in the companion document and need to be moved here to the "architecture" document with their pros and cons presented in an unbiased way.
11. Stylistically, the document would benefit from removing non-standards vocabulary, i.e., "some Web server", "can't really trust", "that much", "fairly conventional", "simply have", "a little anticlimactic", etc. ;-)


> -----Original Message-----
> From: appsdir [] On Behalf Of Orit Levin
> (LCA)
> Sent: Thursday, June 25, 2015 1:17 PM
> To: Eliot Lear;
> Subject: Re: [appsdir] Fwd: Request for Apps Directorate review of rtcweb-
> security drafts
> Perfect! I have a very long flight on the 7th... So right after then or earlier.
> Orit.
> > -----Original Message-----
> > From: Eliot Lear []
> > Sent: Thursday, June 25, 2015 12:55 PM
> > To: Orit Levin (LCA);
> > Subject: Re: [appsdir] Fwd: Request for Apps Directorate review of rtcweb-
> > security drafts
> >
> > Thank you Orit!  Can you try to have them done in about two weeks?
> >
> > Eliot
> >
> > On 6/25/15 9:52 PM, Orit Levin (LCA) wrote:
> > > I will be happy to take a look at them!
> > > Orit.
> > >
> > >> -----Original Message-----
> > >> From: appsdir [] On Behalf Of Eliot
> Lear
> > >> Sent: Thursday, June 25, 2015 11:44 AM
> > >> To:
> > >> Subject: [appsdir] Fwd: Request for Apps Directorate review of rtcweb-
> > >> security drafts
> > >>
> > >> Dear Appsdir folk,
> > >>
> > >> Could I have a volunteer to review the following two drafts?
> > >>
> > >>
> > >>
> > >> and
> > >>
> > >>
> > >>
> > >> Ted is exempt, having made the request ;-)
> > >>
> > >> Eliot
> >
> _______________________________________________
> appsdir mailing list