Re: [rtcweb] Which servers to trust (Re: Consensus call regarding media security)
Iñaki Baz Castillo <ibc@aliax.net> Tue, 03 April 2012 11:55 UTC
In-Reply-To: <4F7ACC96.90206@alvestrand.no>
References: <4F732531.2030208@ericsson.com> <387F9047F55E8C42850AD6B3A7A03C6C0E221877@inba-mail01.sonusnet.com> <4F749C82.4070305@infosecurity.ch> <4F7ACC96.90206@alvestrand.no>
From: Iñaki Baz Castillo <ibc@aliax.net>
Date: Tue, 03 Apr 2012 13:55:38 +0200
Message-ID: <CALiegf=jJ6SfQhbxPXKdDDKqp7bOrpRNVE=RfBs8Ah8zqy9ftQ@mail.gmail.com>
To: Harald Alvestrand <harald@alvestrand.no>
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] Which servers to trust (Re: Consensus call regarding media security)
2012/4/3 Harald Alvestrand <harald@alvestrand.no>:
>> SDES-SRTP provides a very reliable and simple way to let a WebRTC peer
>> establish security with the server, assuming that it has already
>> established security through HTTPS/TLS, which is a consolidated trust method.
>
> The term "the server" is a fallacy. The Web server and the media gateway (if
> there is one) are likely not the same server, and may even be operated by
> different entities.
> SDES-SRTP forces you to trust both.

If you trust the Web server (i.e. due to HTTPS usage with a valid server
certificate) then you will also trust that the Web server will not signal
your WebRTC communication to a malicious destination, am I wrong?

Don't get me wrong but, which kind of security obsession are we trying to
satisfy in rtcweb? A media communication is not more important than a web
access to my bank website in which I enter my credit card PIN. Does IETF
define "security standards" for POS ("Point of sale terminal") for making a
bank payment via a 3rd-party website (e-commerce)? AFAIK not.

If the Web server (assuming HTTPS) is trusted and SDES-SRTP is used, we
should trust the communication. If it fails that is because the Web server
has been attacked. If that occurs, the case in which my bank website has
been attacked is really worse (I'm giving my credit card PIN to the
attacker).

Regards.

-- 
Iñaki Baz Castillo
<ibc@aliax.net>
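The exchange above turns on one concrete property of SDES-SRTP: the SRTP master key and salt are carried inside the SDP (the RFC 4568 "a=crypto ... inline:" attribute), so every party that terminates a TLS leg and reads the signaling sees the key in the clear, whether that is one entity or, as Harald points out, a Web server and a separate media gateway. The following is an added example, not code from this thread or from any rtcweb participant: a small Python audit that parses a=crypto lines from an SDP blob, decodes the inline key material, checks its length against the crypto suite, and records which signaling hops handled it. The SDP, the key bytes and the hop list are constructed for the example; the hop list is an assumption standing in for whatever path a deployment actually uses.

```python
"""Audit an SDP offer/answer for SDES-SRTP key material carried in signaling.

Constructed example: parses RFC 4568 a=crypto lines and reports, for each,
the decoded master key+salt length and which signaling hops handled the key
in plaintext (HTTPS only protects each hop-to-hop leg; every party that
terminates TLS and reads the SDP can read the key).
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# master key + master salt sizes (bytes) for the RFC 4568 crypto suites;
# the inline: value is base64(key || salt)
SUITE_KEY_SALT_LEN = {
    "AES_CM_128_HMAC_SHA1_80": 16 + 14,
    "AES_CM_128_HMAC_SHA1_32": 16 + 14,
    "F8_128_HMAC_SHA1_80": 16 + 14,
}

# a=crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime][|MKI:length]
CRYPTO_RE = re.compile(
    r"^a=crypto:(?P<tag>\d+)\s+(?P<suite>\S+)\s+inline:(?P<key>[A-Za-z0-9+/=]+)"
    r"(?:\|(?P<lifetime>2\^\d+|\d+))?(?:\|(?P<mki>\d+:\d+))?"
)


@dataclass
class CryptoExposure:
    tag: int
    suite: str
    key_salt_len: int            # bytes actually decoded from inline:
    expected_len: Optional[int]  # bytes the suite requires; None if suite unknown
    lifetime: Optional[str]
    mki: Optional[str]
    visible_to: List[str]        # every hop that handled this SDP in plaintext

    @property
    def malformed(self) -> bool:
        """True when the decoded key material does not fit the suite."""
        return self.expected_len is not None and self.key_salt_len != self.expected_len


def audit_sdp(sdp: str, signaling_hops: List[str]) -> List[CryptoExposure]:
    """Return one record per a=crypto line found in `sdp`."""
    findings = []
    for line in sdp.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if not m:
            continue
        key_salt = base64.b64decode(m.group("key"))
        suite = m.group("suite")
        findings.append(CryptoExposure(
            tag=int(m.group("tag")),
            suite=suite,
            key_salt_len=len(key_salt),
            expected_len=SUITE_KEY_SALT_LEN.get(suite),
            lifetime=m.group("lifetime"),
            mki=m.group("mki"),
            visible_to=list(signaling_hops),  # SDES gives no way to exclude a hop
        ))
    return findings


# --- constructed sample input (not taken from the thread) --------------------
_SAMPLE_KEY_SALT = bytes(range(30))                       # 16-byte key || 14-byte salt
_SAMPLE_KEY_B64 = base64.b64encode(_SAMPLE_KEY_SALT).decode()
_SHORT_KEY_B64 = base64.b64encode(bytes(16)).decode()     # deliberately too short

SAMPLE_SDP = f"""v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{_SAMPLE_KEY_B64}|2^20|1:4
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:{_SAMPLE_KEY_B64}
a=crypto:3 AES_CM_128_HMAC_SHA1_80 inline:{_SHORT_KEY_B64}
"""

# assumed signaling path: the two entities Harald distinguishes, each
# terminating its own TLS leg and therefore reading the SDP in the clear
SAMPLE_HOPS = ["web server (HTTPS endpoint)", "media gateway"]


def report(sdp: str = SAMPLE_SDP, hops: List[str] = SAMPLE_HOPS) -> List[str]:
    """Human-readable summary, one line per a=crypto attribute."""
    lines = []
    for f in audit_sdp(sdp, hops):
        status = "MALFORMED key length" if f.malformed else "key material present"
        lines.append(
            f"crypto tag {f.tag} ({f.suite}): {status}, "
            f"{f.key_salt_len} bytes of key+salt readable by: {', '.join(f.visible_to)}"
        )
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run as a script it prints one line per a=crypto attribute; run over captured signaling it gives a defender a direct answer to the question in the thread, namely which parties had to be trusted with the media key for a given call. The length check catches a key that does not fit its suite, which in practice indicates a broken or tampered SDP rather than a working session.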