Re: [rtcweb] No Interim on SDES at this juncture

"Timothy B. Terriberry" <> Mon, 29 July 2013 09:16 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BBBE621F9DBE for <>; Mon, 29 Jul 2013 02:16:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.677
X-Spam-Status: No, score=-2.677 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_COM=0.311, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zzXgUYilzOmy for <>; Mon, 29 Jul 2013 02:16:15 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 41D2721F9E00 for <>; Mon, 29 Jul 2013 02:16:15 -0700 (PDT)
Received: from [] ( []) (Authenticated sender: by (Postfix) with ESMTPSA id 0C422F225E for <>; Mon, 29 Jul 2013 02:16:13 -0700 (PDT)
Message-ID: <>
Date: Mon, 29 Jul 2013 02:16:06 -0700
From: "Timothy B. Terriberry" <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 SeaMonkey/2.16
MIME-Version: 1.0
To: "" <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [rtcweb] No Interim on SDES at this juncture
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 29 Jul 2013 09:16:21 -0000

Hadriel Kaplan wrote:
> Right, and I'm hoping the Browser vendors can tell us if browsers can safely know whether all the JS running on a given page is from HTTPS or not, and not allow SDES if the JS is not all from (signed) HTTPS.  If not, then I agree that's another negative downside for SDES.  In fact I think it's even a problem for DTLS-SRTP.  I don't know why we'd be ok with using HTTP at all, if we're *truly* concerned about MitM and malicious 3rd party JS attacks.

Yes, this is detectable. As I said at the mic in Beijing, however, this 
is a property that can change at any time, because a page can load 
script from a new, programmatically constructed URL at any point. See 
Section 5.1 of the updated draft-ietf-rtcweb-security-arch-07.

That makes it difficult to design security policy guarantees (it might 
seem "safe" to access a resource when you ask to access it, but very 
difficult to revoke access later when you realize it's not safe). For 
that reason among many others, browsers have been moving to simply block 
mixed content entirely. See 
Firefox will release this in August. Chrome already does this. IE has 
prompted users since at least IE 7.