Re: [MMUSIC] Handling of unverified data and media

Bernard Aboba <bernard.aboba@gmail.com> Sat, 11 March 2017 00:06 UTC

Return-Path: <bernard.aboba@gmail.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D8D3129495 for <mmusic@ietfa.amsl.com>; Fri, 10 Mar 2017 16:06:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xX5x26x9-tNC for <mmusic@ietfa.amsl.com>; Fri, 10 Mar 2017 16:06:13 -0800 (PST)
Received: from mail-ua0-x22d.google.com (mail-ua0-x22d.google.com [IPv6:2607:f8b0:400c:c08::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE35812948A for <mmusic@ietf.org>; Fri, 10 Mar 2017 16:06:12 -0800 (PST)
Received: by mail-ua0-x22d.google.com with SMTP id q7so113593610uaf.2 for <mmusic@ietf.org>; Fri, 10 Mar 2017 16:06:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=0cwNJPXqY132sJ+Ktm9daPcPO3EvVcAk+u8RmloQtVw=; b=RjY9UAiR1t3wQtt2zSSOQsxCz1PzeKq2FpvSM+GOns3wRWsYwe9yQUAtNtZUPiSl3d ngu18YcQ23aRu35VvtKldPoxBmZaF3+oUMd2HQWCRM+XhQZTJxxnBAUUWOyioSPKRWQN 8A3xJ1UvfwCoYw8nKAxBN5Iea4FYFL1uos8wmgzGrAZEzZstUVpv5b9T1c5BuTr3JCoU brzQpf9hjiFsLXknSl7XSzUbWC/s7KH2SUhIY7kI2/dt0BSextT0w0Otes1JAg/sXTgf n8m2HjEVl/BuoV+/9end56gt8Iz6VW8U/WiZRRdvrTU0WZErriM7bzjGP4wJ0BuERUB0 0/5Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=0cwNJPXqY132sJ+Ktm9daPcPO3EvVcAk+u8RmloQtVw=; b=KHIP9kGyQSEs2CcX3QO797/j2a6elrXEs1JLKOonZBG4PGS9xTvBssytCvhNcw5mCQ VQVh88Pdm9xbkPq6et3PSDa8O1wIcW+32TP7phZ//Gan1b8D/TwhdSj4doHHWi/RD34u GwyQC7jF/cvufdUnfIFydf3B1RBJDZVqF6vAuoaimDmxx30NQ8T3/Qaj8OqROvHWd9x3 AHj1e6omjvy7xkZmgffqd3L1cY2x8ev64+8gnisNdgOWvmQJJLIi155ObutR+xdoIa8e s3kTxhmtq8DUcvrswIML5t1OQYPQuiiYHzAYDtZXt0dP40OgSOBixWEWegBcta4QYjJ2 +Dcw==
X-Gm-Message-State: AMke39lQ4sut7AnfgDHymGE6n67wClHxTEDP+tpJ0MJi7TwP8U8DfIbARPSwl74uUS7npeeO8YbGhk+J5FHzBA==
X-Received: by 10.176.5.136 with SMTP id e8mr11217783uae.108.1489190771648; Fri, 10 Mar 2017 16:06:11 -0800 (PST)
MIME-Version: 1.0
Received: by 10.176.88.90 with HTTP; Fri, 10 Mar 2017 16:05:51 -0800 (PST)
In-Reply-To: <CABcZeBO9MP0fqg=ubpgU8+3L9koB5grCyp-O8hS9Pis942-rhA@mail.gmail.com>
References: <CAOW+2dseq8AmLKXFGUaiss8ahpkY1ZzYUD_KdirFE1rskfvqjw@mail.gmail.com> <CABkgnnUc-XsYivUzSs6W4it_Krykr-reJMDJXqKf5FvGw_NBPg@mail.gmail.com> <CAD5OKxvXTsTPaKFNdwS6tPBTAksD=jgiAFGuGMgbepOtBoFT+Q@mail.gmail.com> <CABcZeBO9MP0fqg=ubpgU8+3L9koB5grCyp-O8hS9Pis942-rhA@mail.gmail.com>
From: Bernard Aboba <bernard.aboba@gmail.com>
Date: Fri, 10 Mar 2017 16:05:51 -0800
Message-ID: <CAOW+2due+uNyWn-3GQnpXrR-L55XVZSXXRmC0E9-5BSGKynUYA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: multipart/alternative; boundary=94eb2c124874f2751f054a693eca
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/0cj_1rPnPq8xrim80xF0kWHfrBw>
Cc: Flemming Andreasen <fandreas@cisco.com>, "hta@google.com" <hta@google.com>, mmusic WG <mmusic@ietf.org>
Subject: Re: [MMUSIC] Handling of unverified data and media
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Mar 2017 00:06:15 -0000

EKR said:

"I haven't spent too much time on it, but it seems like it ought to be safe
to hold
anything you receive prior to getting the fingerprint. It might be better,
as MT
suggests, to discard the datachannel data, but I'm not sure why it would be
necessary."

[BA] So you are saying that the MUST NOT allows the browser to buffer
data/media but not to pass it to the application (in the case of the data
channel) or to play it out?

On Fri, Mar 10, 2017 at 4:01 PM, Eric Rescorla <ekr@rtfm.com> wrote:

> I haven't spent too much time on it, but it seems like it ought to be safe
> to hold
> anything you receive prior to getting the fingerprint. It might be better,
> as MT
> suggests, to discard the datachannel data, but I'm not sure why it would be
> necessary.
>
> -Ekr
>
> On Fri, Mar 10, 2017 at 2:47 PM, Roman Shpount <roman@telurix.com> wrote:
>
>> My assumption always was that data is received, decoded and discarded
>> until fingerprint is received and verified. This way DTLS handshake
>> completes, key frames are decoded, but user is nor presented with any
>> unverified media.
>>
>> Regards,
>>
>> _____________
>> Roman Shpount
>>
>> On Thu, Mar 9, 2017 at 6:58 PM, Martin Thomson <martin.thomson@gmail.com>
>> wrote:
>>
>>> I think that the data channel question is easy, anything other than a
>>> "no" is not acceptable.  Data in that form enters the security
>>> boundary for an origin and it doesn't make any sense to risk attack
>>> there.  (It's also likely unnecessary, if a half a round trip of
>>> signaling is slower than 5 round trips on the media path, then
>>> something is messed up.)
>>>
>>> I'm in two minds about the media part. For media, you could also
>>> reasonably make the same origin-purity argument.  I'm inclined to say
>>> that.  But we CAN isolate media from the origin (and we definitely
>>> should if we allow this).
>>>
>>> So, the media that arrives had to comply with your offer.  The DTLS
>>> handshake also has to complete, which tells the receiver whether the
>>> media needs to be confidential or not (at which point you can disable
>>> this feature).
>>>
>>> It's also possible that a receiver can require that an ICE
>>> connectivity check was made (though this is inbound only, and I'm
>>> unclear on whether having received an inbound check would normally
>>> prevent the receiver from accepting a packet).
>>>
>>> All told, that's a lot of information about the negotiated session for
>>> an attacker to have.  The odds of this being an attack would *seem* to
>>> be low.
>>>
>>> On the other hand, we don't assume confidentiality of signaling; the
>>> security model assumes that all this information is effectively public
>>> and the protection we have against attack is the certificate
>>> fingerprint.  This would remove that protection, albeit for a short
>>> duration.
>>>
>>> I have an extra question: does anyone plan to implement this?  It's
>>> non-trivial.  I think that I know what I'd need to do in Firefox and
>>> it would be quite disruptive.  Before committing to do that work
>>> (which I will leave to others closer to this to decide), I'd probably
>>> want more information on the actual advantage that it provides.
>>>
>>> On 10 March 2017 at 07:10, Bernard Aboba <bernard.aboba@gmail.com>
>>> wrote:
>>> > In the W3C WEBRTC WG, an issue has been submitted relating to playout
>>> of
>>> > unverified media:
>>> > https://github.com/w3c/webrtc-pc/issues/849
>>> >
>>> > It has been suggested that if the browser is configured to do so, that
>>> > playout be allowed for a limited period (e.g. 5 seconds) prior to
>>> > fingerprint verification:
>>> > https://github.com/w3c/webrtc-pc/pull/1026
>>> >
>>> > Section 6.2 of draft-ietf-mmusic-4572-update-13 contains the
>>> following text,
>>> > carried over from RFC 4572:
>>> >
>>> >    Note that when the offer/answer model is being used, it is possible
>>> >    for a media connection to outrace the answer back to the offerer.
>>> >    Thus, if the offerer has offered a 'setup:passive' or
>>> 'setup:actpass'
>>> >    role, it MUST (as specified in RFC 4145 [7]) begin listening for an
>>> >    incoming connection as soon as it sends its offer.  However, it MUST
>>> >    NOT assume that the data transmitted over the TLS connection is
>>> valid
>>> >    until it has received a matching fingerprint in an SDP answer.  If
>>> >    the fingerprint, once it arrives, does not match the client's
>>> >    certificate, the server endpoint MUST terminate the media connection
>>> >    with a bad_certificate error, as stated in the previous paragraph.
>>> >
>>> > Given the outstanding issue relating to handling of unverified media,
>>> the
>>> > Chairs of the W3C WEBRTC WG would like to request clarification from
>>> the
>>> > IETF MMUSIC WG as to the meaning of the "MUST NOT" in the above
>>> paragraph.
>>> > In particular, what is it permitted for an implementation to do with
>>> > received data and media prior to verification? For example:
>>> >
>>> >      1. May data received over the data channel be provided to the
>>> > application prior to verification?
>>> >          a. If the answer to the above is "no", may unverified
>>> received data
>>> > be delivered by the DTLS transport to SCTP, which may buffer it?
>>> >      2. May received media be played out prior to verification?
>>> >
>>> > Bernard Aboba
>>> > On behalf of the W3C WEBRTC WG
>>> >
>>> > _______________________________________________
>>> > mmusic mailing list
>>> > mmusic@ietf.org
>>> > https://www.ietf.org/mailman/listinfo/mmusic
>>> >
>>>
>>> _______________________________________________
>>> mmusic mailing list
>>> mmusic@ietf.org
>>> https://www.ietf.org/mailman/listinfo/mmusic
>>>
>>
>>
>> _______________________________________________
>> mmusic mailing list
>> mmusic@ietf.org
>> https://www.ietf.org/mailman/listinfo/mmusic
>>
>>
>
> _______________________________________________
> mmusic mailing list
> mmusic@ietf.org
> https://www.ietf.org/mailman/listinfo/mmusic
>
>