[rtcweb] Comments on draft-ietf-rtcweb-security-06

Magnus Westerlund <magnus.westerlund@ericsson.com> Thu, 20 February 2014 16:05 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/rtcweb/3e1BBrsJXzHz9BZhgeTqyAstUqo


I have reviewed Security Considerations for WebRTC
(draft-ietf-rtcweb-security-06) and have some comments.

1. Section 4.2.1:

I noted this:
   There also needs to be some mechanism for the browser to verify that
   the target of the traffic continues to wish to receive it.  Because
   ICE keepalives are indications, they will not work here, so some
   other mechanism is needed as described in

Not that the current information is wrong, except that the reference
should be to the WG version of the draft. However, this I think is the
only part of the document I found which prevents another WG last call on
this document, due to the open issue regarding method of communication
consent refresh.

2. Section 4.2.2:

First sentence duplicated.

3. Section 4.2.2:

When I read this section, my immediate question was, doesn't RTP need
corresponding protection? To my understanding, the answer would be yes,
but it is more difficult to inject data and get a certain plaintext even
without the SRTP encryption scrambling the payload part. Still, that
assumes that a JS application can write the payload data itself.
Secondly, it does assume that one MUST use encryption in SRTP.

Thus, I wonder if it is worth spending a paragraph confirming the need,
although reduced for masking also of RTP content, and that the same
requirement exists for RTP.

4. Section
   Once uses have checked the SAS once, key continuity is required to
   avoid them needing to check it on every call.

I believe "uses" in the above sentence should be "the user"?

5. Section 6.

Please correct my last name.

6. General:

I think the difficulty with this document is to determine if it is missing
something. It is providing the high level system security issues. Have
we caught all relevant ones? I think we need a lot of eyes to check for
that. And that requires thought and not being restricted by the document.

I think a potential issue that isn't discussed in this document is the
security threat of driving data volumes into a network beyond one's
"fair" share. This would simply be to illustrate that communication
consent is not sufficient; to protect other users of a shared network,
the WebRTC endpoint MUST prevent transmission of data volumes far
outside of the fair share.

7. General:

I noticed that some of the other WG documents may think they have
outsourced their security consideration to this document. I want to
bring this up as a general question and ensure that we have WG agreement
on this.

This document discusses general system security considerations to ensure
that the whole thing we put together achieves security. Each component of
the solution will have to discuss security considerations details around
their components.

As we plan to WG last call this document as soon as possible, we are
running out of time to lift any security issues to this level.


Magnus Westerlund

Services, Media and Network features, Ericsson Research EAB/TXM
Ericsson AB                 | Phone  +46 10 7148287
Färögatan 6                 | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com