Re: [rtcweb] STUN for keep-alive - RTCP-less applications

Iñaki Baz Castillo <ibc@aliax.net> Sat, 24 September 2011 15:52 UTC

Return-Path: <ibc@aliax.net>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A9D921F8551 for <rtcweb@ietfa.amsl.com>; Sat, 24 Sep 2011 08:52:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.641
X-Spam-Level:
X-Spam-Status: No, score=-2.641 tagged_above=-999 required=5 tests=[AWL=0.036, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J7wFsoQGbFoo for <rtcweb@ietfa.amsl.com>; Sat, 24 Sep 2011 08:52:06 -0700 (PDT)
Received: from mail-vw0-f44.google.com (mail-vw0-f44.google.com [209.85.212.44]) by ietfa.amsl.com (Postfix) with ESMTP id C73A021F854D for <rtcweb@ietf.org>; Sat, 24 Sep 2011 08:52:06 -0700 (PDT)
Received: by vws5 with SMTP id 5so5410471vws.31 for <rtcweb@ietf.org>; Sat, 24 Sep 2011 08:54:44 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.29.75 with SMTP id i11mr4422393vdh.296.1316879682214; Sat, 24 Sep 2011 08:54:42 -0700 (PDT)
Received: by 10.220.94.200 with HTTP; Sat, 24 Sep 2011 08:54:42 -0700 (PDT)
In-Reply-To: <4E7DF923.1070308@alvestrand.no>
References: <7F2072F1E0DE894DA4B517B93C6A05852233EDB21D@ESESSCMS0356.eemea.ericsson.se> <CABcZeBO9hUSYZhLrcfbaK9HLGXq-q1EvqWOy6-gAN5xom6Z2-A@mail.gmail.com> <092401cc749b$8fd64940$af82dbc0$@com> <CABcZeBPgRD6kb2gg=m9NckSa1wrzwzJS6527nYqFG34b0cjfgQ@mail.gmail.com> <4E765E4A.3050801@alvestrand.no> <7532C74D-D0D7-474D-80C7-61C07E9290AA@edvina.net> <7D7982AF-7478-4AFD-9F39-ED04A43FEF53@edvina.net> <673BCA71-B624-4DCA-B681-7012E6F9D202@acmepacket.com> <4E799E18.30000@ericsson.com> <855B9078-A81F-45D9-B12F-46CC46C15B60@acmepacket.com> <4E79D5DF.4050402@ericsson.com> <68121E70-4363-47F8-8761-23728C56D003@acmepacket.com> <9348BF4A-8674-4888-9DDC-C734FB935A28@csperkins.org> <7B9A57BB-A585-487D-9655-D835C527059B@acmepacket.com> <4E7AE83E.9090508@ericsson.com> <CALiegfmxjP5ojZeAoz6sYUkKwE7XOtTSGJAOydbX+sm23hrwjg@mail.gmail.com> <7DEACFFC-8AF3-4450-8844-FF6E187AE4D2@edvina.net> <CALiegf=5OPFjvn8WaJq_38OKuGkCed4-M0JTEKJczcCvkAj2YA@mail.gmail.com> <4E7DF923.1070308@alvestrand.no>
Date: Sat, 24 Sep 2011 17:54:42 +0200
Message-ID: <CALiegfn-c6EN6K880ZAJLd7r3NcxjPnqAh=W28JMY6FPLXaHeg@mail.gmail.com>
From: Iñaki Baz Castillo <ibc@aliax.net>
To: Harald Alvestrand <harald@alvestrand.no>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] STUN for keep-alive - RTCP-less applications
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Sep 2011 15:52:07 -0000

2011/9/24 Harald Alvestrand <harald@alvestrand.no>:
> On 09/24/2011 03:37 PM, Iñaki Baz Castillo wrote:
>>
>> Hi. I dont mean that security decisions are taken by the final user, but
>> by the service provider. If it is a local intranet or the users access the
>> intranet via a secure vpn, security can be relaxed ans the site provider
>> could determine that plain rtp is allowed.
>>
> Remember that in the RTCWEB context, the service provider (the provider of
> the Javascript and the Web service) is presumed malicious.

But the user would *always* be asked for permission before
starting/accepting a media session, right? The same as it occurs with
Flash applications asking for micro/webcam usage. Such prompt should
be standarized by RTCweb and should let the user know the security
aspects of the offer:

-------------------
The web site www.domain.org asks you for permissions to start a
audio/[video] session using your micro and web cam.
Audio/video communication is not required to be encripted/secured.

Do you accept?

[ yes ]  [ no ]
------------------


-- 
Iñaki Baz Castillo
<ibc@aliax.net>