Re: [rtcweb] Consensus call regarding media security

Roman Shpount <> Tue, 03 April 2012 00:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id DB15921F859E for <>; Mon, 2 Apr 2012 17:53:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.822
X-Spam-Status: No, score=-2.822 tagged_above=-999 required=5 tests=[AWL=0.154, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id NIpmWu9sn+LH for <>; Mon, 2 Apr 2012 17:53:06 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 3875021F858F for <>; Mon, 2 Apr 2012 17:53:06 -0700 (PDT)
Received: by pbbrq13 with SMTP id rq13so4892050pbb.31 for <>; Mon, 02 Apr 2012 17:53:06 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=hhLbOCbMMzs3Apy37w78NrVUlbTXl3C+Mc4lUUpR2TY=; b=LGlg/4NXSyC6qqYujdXUU3D0Z1lUsbyt8zuT5qCIOaOOFEz5065dA+jl4Pi4t61Ei7 j50s/Qwfl+WSP3Jv7KT09XFJqE+ElEcsBOPEdakSwjYLN74CYeRSkP2xvWkLJsvN5YM5 dd8SHDeO+1IOSMYWyfDcbY12LOlixOUyJFMeGKDoUteCVW62CYamgBsNr3uew/ahJyBU Wn6LLh/7iTCF2SEhUfvmjDA1uBHiofZ75WQCy+vPow/rkg+lo/DlD79AxVPXWEwVpex7 1vBijtldyR3HntDq5jyuCIQ2FOB2Hdy05YhvaJO89eMfjgf0UxilccOOjB7mPYacz/Tz QiIw==
Received: by with SMTP id ht7mr24593255pbc.31.1333414385994; Mon, 02 Apr 2012 17:53:05 -0700 (PDT)
Received: from ( []) by with ESMTPS id p4sm15097723pbp.13.2012. (version=TLSv1/SSLv3 cipher=OTHER); Mon, 02 Apr 2012 17:53:04 -0700 (PDT)
Received: by pbbrq13 with SMTP id rq13so4892029pbb.31 for <>; Mon, 02 Apr 2012 17:53:03 -0700 (PDT)
MIME-Version: 1.0
Received: by with SMTP id iu1mr24135662pbc.78.1333414383825; Mon, 02 Apr 2012 17:53:03 -0700 (PDT)
Received: by with HTTP; Mon, 2 Apr 2012 17:53:03 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <>
Date: Mon, 2 Apr 2012 20:53:03 -0400
Message-ID: <>
From: Roman Shpount <>
To: Basil Mohamed Gohar <>
Content-Type: multipart/alternative; boundary=e89a8ff1cce4afb4bc04bcbbba6f
X-Gm-Message-State: ALoCoQmdIHGdcOYM3vSBMnz+AKg+n/UOzWG8WSeGNmsiuWDEcsYleFKOnfv+m4UG63nbTv15TYqI
Subject: Re: [rtcweb] Consensus call regarding media security
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 03 Apr 2012 00:53:07 -0000

On Wed, Mar 28, 2012 at 5:08 PM, Basil Mohamed Gohar <> wrote:

> You make a lot of good points.  However, the inverse is true as well -
> namely, that is if encryption is not mandated, most implementations will
> likely leave it out, and adoption of secured communications would be
> stifled even longer.  I cannot speak about the implementation
> difficulties, but I can speak from the user side that most people will
> remain ignorant of the underlying technology and not know enough to
> demand nor enable a feature if it is optional to implement and/or use.
If application developer does not care about security nothing we do will
force the application to be secure. For instance, if SDES-SRTP is allowed,
I can implement something that will communicate with it with less then 1000
lines of code. I will drop the replay protection, real random key
generation and will just leave AES-CM and check sum calculation. This will
still successfully communicate with WebRTC end points but will not be
secure by a long stretch. We can provide the tools to secure the
communications, but unless application is properly developed, it will only
go through the motions of encryption without achieving any real results.
So, as a result, allowing non-encrypted communications will actually result
in more secure ecosystem. Where people who need security will support it,
and people who do not need security will clearly show that secure
communications are not implemented by their application.
Roman Shpount