Re: [MMUSIC] Handling of unverified data and media

Eric Rescorla <ekr@rtfm.com> Sat, 11 March 2017 00:57 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FCE8129436 for <mmusic@ietfa.amsl.com>; Fri, 10 Mar 2017 16:57:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MypsMrlytfDy for <mmusic@ietfa.amsl.com>; Fri, 10 Mar 2017 16:57:20 -0800 (PST)
Received: from mail-yw0-x22f.google.com (mail-yw0-x22f.google.com [IPv6:2607:f8b0:4002:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D7161289C4 for <mmusic@ietf.org>; Fri, 10 Mar 2017 16:57:20 -0800 (PST)
Received: by mail-yw0-x22f.google.com with SMTP id p77so33809369ywg.1 for <mmusic@ietf.org>; Fri, 10 Mar 2017 16:57:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=wILVOjxFeM0F6d80fMowP3v/ynXwOd/bKQvntsWWOwo=; b=uczFv8KAexKKX6MFlu0PpSOuGQqPnCQZf9irLftVWTk9Ft2qWxGjf6li8+Q25Tchve Vaz8oHppO+8HCkGfla7O2ZRenGpcl5EGxo30VJ+sooiISkW3bi5gg7hIvnVMjapuAD49 q8TGWcIZ14gxw1tmH0jiENOtTvsYJv9CQKDLxOo1WDHTdIq5emSm9Nsfa4JiJed1ax6z Rt+/UyDWp7X4MfCwoGg6PZRnWIF7HpKz0v83j7UAvO/zxzt1VrqxZeITrFCxeZWzfXui pPv5GWq3TTctBTlbTRU0ToU3upgH4fn9L4As1nHkNcO1AloKcGIGxcdHMtPwkqRFNFKd yeYQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=wILVOjxFeM0F6d80fMowP3v/ynXwOd/bKQvntsWWOwo=; b=tfHsjgbQ6SlC1zqddWoTk+qucYO5g5ERCCkHDhb0cKFjBlz3qMA+GyXi9fECcg/lhq ABGUYhzlB7HblYM09KyaiTFsTpov768TiNlzNgjGJuk8p/FzntpUUp/ZcvjJdN1jISgj 6Fcsn28dEAfutg4UwALFN+TxUuJXrwdkKkUD1DUEnJAT3/FnKV4BjK82NSDuIt4+68S8 owmBkYVHFMSqs13fRt4CZIVIEuCbUxUNt2DzWLQVC/srcG8f37C4WlNn/wxrJC3yBJH+ UUvikHzpG4udbL8oYEtv4+T8ZMu3kwzbd1KpSZQAeNnTS79+kjpD/6eo/6zaH4qGPFny ToUA==
X-Gm-Message-State: AMke39nJUrfpBg7luU6u9C7VXSITXhS0qxpzy883M6F37WSP4wiHGcBk7J/l5NAPxLxo1oya13z+6DMFy6iHpA==
X-Received: by 10.129.125.5 with SMTP id y5mr9563023ywc.120.1489193839505; Fri, 10 Mar 2017 16:57:19 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.154.210 with HTTP; Fri, 10 Mar 2017 16:56:38 -0800 (PST)
In-Reply-To: <CAOW+2due+uNyWn-3GQnpXrR-L55XVZSXXRmC0E9-5BSGKynUYA@mail.gmail.com>
References: <CAOW+2dseq8AmLKXFGUaiss8ahpkY1ZzYUD_KdirFE1rskfvqjw@mail.gmail.com> <CABkgnnUc-XsYivUzSs6W4it_Krykr-reJMDJXqKf5FvGw_NBPg@mail.gmail.com> <CAD5OKxvXTsTPaKFNdwS6tPBTAksD=jgiAFGuGMgbepOtBoFT+Q@mail.gmail.com> <CABcZeBO9MP0fqg=ubpgU8+3L9koB5grCyp-O8hS9Pis942-rhA@mail.gmail.com> <CAOW+2due+uNyWn-3GQnpXrR-L55XVZSXXRmC0E9-5BSGKynUYA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 10 Mar 2017 16:56:38 -0800
Message-ID: <CABcZeBPr4OjUBSUdS3wWmUuRJh7XmgxfVaY1F15mjMAqjbTZRg@mail.gmail.com>
To: Bernard Aboba <bernard.aboba@gmail.com>
Content-Type: multipart/alternative; boundary=001a11493644ce54aa054a69f5b6
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/64yy8PDkSSRToqgBs3bi-Z6YXx4>
Cc: Flemming Andreasen <fandreas@cisco.com>, "hta@google.com" <hta@google.com>, mmusic WG <mmusic@ietf.org>
Subject: Re: [MMUSIC] Handling of unverified data and media
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Mar 2017 00:57:22 -0000

Sorry, no, I was just talking about what might or might not be safe.... The
doc text is
a different question.

-Ekr


On Fri, Mar 10, 2017 at 4:05 PM, Bernard Aboba <bernard.aboba@gmail.com>
wrote:

> EKR said:
>
> "I haven't spent too much time on it, but it seems like it ought to be
> safe to hold
> anything you receive prior to getting the fingerprint. It might be better,
> as MT
> suggests, to discard the datachannel data, but I'm not sure why it would be
> necessary."
>
> [BA] So you are saying that the MUST NOT allows the browser to buffer
> data/media but not to pass it to the application (in the case of the data
> channel) or to play it out?
>
> On Fri, Mar 10, 2017 at 4:01 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>> I haven't spent too much time on it, but it seems like it ought to be
>> safe to hold
>> anything you receive prior to getting the fingerprint. It might be
>> better, as MT
>> suggests, to discard the datachannel data, but I'm not sure why it would
>> be
>> necessary.
>>
>> -Ekr
>>
>> On Fri, Mar 10, 2017 at 2:47 PM, Roman Shpount <roman@telurix.com> wrote:
>>
>>> My assumption always was that data is received, decoded and discarded
>>> until fingerprint is received and verified. This way DTLS handshake
>>> completes, key frames are decoded, but user is nor presented with any
>>> unverified media.
>>>
>>> Regards,
>>>
>>> _____________
>>> Roman Shpount
>>>
>>> On Thu, Mar 9, 2017 at 6:58 PM, Martin Thomson <martin.thomson@gmail.com
>>> > wrote:
>>>
>>>> I think that the data channel question is easy, anything other than a
>>>> "no" is not acceptable.  Data in that form enters the security
>>>> boundary for an origin and it doesn't make any sense to risk attack
>>>> there.  (It's also likely unnecessary, if a half a round trip of
>>>> signaling is slower than 5 round trips on the media path, then
>>>> something is messed up.)
>>>>
>>>> I'm in two minds about the media part. For media, you could also
>>>> reasonably make the same origin-purity argument.  I'm inclined to say
>>>> that.  But we CAN isolate media from the origin (and we definitely
>>>> should if we allow this).
>>>>
>>>> So, the media that arrives had to comply with your offer.  The DTLS
>>>> handshake also has to complete, which tells the receiver whether the
>>>> media needs to be confidential or not (at which point you can disable
>>>> this feature).
>>>>
>>>> It's also possible that a receiver can require that an ICE
>>>> connectivity check was made (though this is inbound only, and I'm
>>>> unclear on whether having received an inbound check would normally
>>>> prevent the receiver from accepting a packet).
>>>>
>>>> All told, that's a lot of information about the negotiated session for
>>>> an attacker to have.  The odds of this being an attack would *seem* to
>>>> be low.
>>>>
>>>> On the other hand, we don't assume confidentiality of signaling; the
>>>> security model assumes that all this information is effectively public
>>>> and the protection we have against attack is the certificate
>>>> fingerprint.  This would remove that protection, albeit for a short
>>>> duration.
>>>>
>>>> I have an extra question: does anyone plan to implement this?  It's
>>>> non-trivial.  I think that I know what I'd need to do in Firefox and
>>>> it would be quite disruptive.  Before committing to do that work
>>>> (which I will leave to others closer to this to decide), I'd probably
>>>> want more information on the actual advantage that it provides.
>>>>
>>>> On 10 March 2017 at 07:10, Bernard Aboba <bernard.aboba@gmail.com>
>>>> wrote:
>>>> > In the W3C WEBRTC WG, an issue has been submitted relating to playout
>>>> of
>>>> > unverified media:
>>>> > https://github.com/w3c/webrtc-pc/issues/849
>>>> >
>>>> > It has been suggested that if the browser is configured to do so, that
>>>> > playout be allowed for a limited period (e.g. 5 seconds) prior to
>>>> > fingerprint verification:
>>>> > https://github.com/w3c/webrtc-pc/pull/1026
>>>> >
>>>> > Section 6.2 of draft-ietf-mmusic-4572-update-13 contains the
>>>> following text,
>>>> > carried over from RFC 4572:
>>>> >
>>>> >    Note that when the offer/answer model is being used, it is possible
>>>> >    for a media connection to outrace the answer back to the offerer.
>>>> >    Thus, if the offerer has offered a 'setup:passive' or
>>>> 'setup:actpass'
>>>> >    role, it MUST (as specified in RFC 4145 [7]) begin listening for an
>>>> >    incoming connection as soon as it sends its offer.  However, it
>>>> MUST
>>>> >    NOT assume that the data transmitted over the TLS connection is
>>>> valid
>>>> >    until it has received a matching fingerprint in an SDP answer.  If
>>>> >    the fingerprint, once it arrives, does not match the client's
>>>> >    certificate, the server endpoint MUST terminate the media
>>>> connection
>>>> >    with a bad_certificate error, as stated in the previous paragraph.
>>>> >
>>>> > Given the outstanding issue relating to handling of unverified media,
>>>> the
>>>> > Chairs of the W3C WEBRTC WG would like to request clarification from
>>>> the
>>>> > IETF MMUSIC WG as to the meaning of the "MUST NOT" in the above
>>>> paragraph.
>>>> > In particular, what is it permitted for an implementation to do with
>>>> > received data and media prior to verification? For example:
>>>> >
>>>> >      1. May data received over the data channel be provided to the
>>>> > application prior to verification?
>>>> >          a. If the answer to the above is "no", may unverified
>>>> received data
>>>> > be delivered by the DTLS transport to SCTP, which may buffer it?
>>>> >      2. May received media be played out prior to verification?
>>>> >
>>>> > Bernard Aboba
>>>> > On behalf of the W3C WEBRTC WG
>>>> >
>>>> > _______________________________________________
>>>> > mmusic mailing list
>>>> > mmusic@ietf.org
>>>> > https://www.ietf.org/mailman/listinfo/mmusic
>>>> >
>>>>
>>>> _______________________________________________
>>>> mmusic mailing list
>>>> mmusic@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/mmusic
>>>>
>>>
>>>
>>> _______________________________________________
>>> mmusic mailing list
>>> mmusic@ietf.org
>>> https://www.ietf.org/mailman/listinfo/mmusic
>>>
>>>
>>
>> _______________________________________________
>> mmusic mailing list
>> mmusic@ietf.org
>> https://www.ietf.org/mailman/listinfo/mmusic
>>
>>
>