Re: [rtcweb] Traffic should be encrypted. (Re: Let's define the purpose of WebRTC)

Eric Rescorla <ekr@rtfm.com> Thu, 10 November 2011 22:19 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6C2421F8B29 for <rtcweb@ietfa.amsl.com>; Thu, 10 Nov 2011 14:19:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.935
X-Spam-Level:
X-Spam-Status: No, score=-102.935 tagged_above=-999 required=5 tests=[AWL=0.042, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4R91ob+i9HiO for <rtcweb@ietfa.amsl.com>; Thu, 10 Nov 2011 14:19:07 -0800 (PST)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id 02C1121F8ABD for <rtcweb@ietf.org>; Thu, 10 Nov 2011 14:19:06 -0800 (PST)
Received: by ggnr4 with SMTP id r4so2329898ggn.31 for <rtcweb@ietf.org>; Thu, 10 Nov 2011 14:19:06 -0800 (PST)
Received: by 10.146.72.7 with SMTP id u7mr1200962yaa.9.1320963544137; Thu, 10 Nov 2011 14:19:04 -0800 (PST)
MIME-Version: 1.0
Received: by 10.146.151.3 with HTTP; Thu, 10 Nov 2011 14:18:24 -0800 (PST)
X-Originating-IP: [74.95.2.173]
In-Reply-To: <CAD5OKxuaWJ3SBv+0gac6EQy6-Lsb-LS_SBXk5FqObKy4mN6wNg@mail.gmail.com>
References: <CALiegfkVNVAs_MyU_-4koA4zRwSn1-FwLjY9g_oZVkhi9rSK5Q@mail.gmail.com> <5454E693-5C34-4C77-BA07-2A9EE9EE4AFD@cisco.com> <387F9047F55E8C42850AD6B3A7A03C6C01349FFE@inba-mail01.sonusnet.com> <1D062974A4845E4D8A343C653804920206D3B7FD@XMB-BGL-414.cisco.com> <387F9047F55E8C42850AD6B3A7A03C6C0134A105@inba-mail01.sonusnet.com> <1F2A2C70609D9E41844A2126145FC09804691DA2@HKGMBOXPRD22.polycom.com> <CALiegfmf59jb4asUu9LA6YY_aMtKEnM1Wy34KbuLEn3_h1xBXA@mail.gmail.com> <CALiegfmM1PB=VAQjfh4rW3-3C8aumHdWy9nZxD0-BWBq9Kq_tg@mail.gmail.com> <1D062974A4845E4D8A343C653804920206D3BA57@XMB-BGL-414.cisco.com> <CALiegfkWnRT8m4S9pXTxuLsc-p_bhkG3d=PX3qgiFFt5gW5yfw@mail.gmail.com> <CAD5OKxvQYVKOZF88WLCiRseg-qXQdOpKeDU_t9b-yA2GcDBT-w@mail.gmail.com> <CABcZeBOiPxz_swdaG6Aqoch1WAUtjNh4eOQy1QObCDXT_B8azg@mail.gmail.com> <CAD5OKxtp+LQBRCHgbWdJyrSRcpNQ82i64TJgGtGPrE7+GKcEog@mail.gmail.com> <4EBC3475.90706@alvestrand.no> <CAD5OKxu_-+ZRsqpUBkFSj=tYtOKG0pK3JoQTZHwQGMuBCnp0Gw@mail.gmail.com> <4EBC4401.2090703@alvestrand.no> <CAD5OKxuaWJ3SBv+0gac6EQy6-Lsb-LS_SBXk5FqObKy4mN6wNg@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 10 Nov 2011 14:18:24 -0800
Message-ID: <CABcZeBO64gb7JfCm8nbTyJ_pwnCrx4_P6V+ALajOjerEcrvBvQ@mail.gmail.com>
To: Roman Shpount <roman@telurix.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] Traffic should be encrypted. (Re: Let's define the purpose of WebRTC)
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Nov 2011 22:19:07 -0000

On Thu, Nov 10, 2011 at 2:07 PM, Roman Shpount <roman@telurix.com> wrote:
>
>
> On Thu, Nov 10, 2011 at 4:37 PM, Harald Alvestrand <harald@alvestrand.no>
> These arguments are not very strong and would not prevent WebRTC from being
> used (except the illegal part). My main problem is that mandatory encryption
> is not serving any useful purpose.

But it is serving a useful purpose. It's setting a default floor on
how the systems
behave, as well as reducing implementation complexity and concerns about
bid-down attacks.


>I strongly oppose the illusion of
> security when communications are not secure.

I'd be happy to recommend a less secure-looking UI when the JS was served
over HTTP. Did you have some other concern?


> If an application is delivered
> over HTTP, the fact that media is encrypted is irrelevant and provides no
> useful security.

As I've observed before, this isn't in fact correct. Yes, our currently
existing mechanisms for providing secure communications with
completely insecure signaling are less than optimal, but they do
exist, and as my document makes clear, there are potential approaches
that could make this significantly easier.


> There is a duality about web based applications with HTTP
> and HTTPS. I think WebRTC should reflect this. There is a working model
> present for HTTP applications already (secure document -- secure
> communications, insecure document -- insecure communications), so I do not
> see the reason to break it.

Characterizing this model as "working" seems at best an exaggeration,
as anyone who has had to deal with mixed content, SOP conflicts,
or "secure" cookies can attest.

-Ekr