Re: [rtcweb] Asking TLS for help with media isolation

Bernard Aboba <bernard.aboba@gmail.com> Fri, 04 April 2014 02:30 UTC

Return-Path: <bernard.aboba@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B9DE1A0538 for <rtcweb@ietfa.amsl.com>; Thu, 3 Apr 2014 19:30:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mi6XoL7XzmjR for <rtcweb@ietfa.amsl.com>; Thu, 3 Apr 2014 19:30:14 -0700 (PDT)
Received: from mail-wi0-x232.google.com (mail-wi0-x232.google.com [IPv6:2a00:1450:400c:c05::232]) by ietfa.amsl.com (Postfix) with ESMTP id C5E1B1A053B for <rtcweb@ietf.org>; Thu, 3 Apr 2014 19:30:13 -0700 (PDT)
Received: by mail-wi0-f178.google.com with SMTP id bs8so381788wib.17 for <rtcweb@ietf.org>; Thu, 03 Apr 2014 19:30:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=TcZOWO9jf8m1Fm19v37FHLjuquDoEdGLwDxYqcpEmaY=; b=K4XJuH1/vWIydQpilKRfzfU9H078oq9LsXjbqP1jKT1xGoC1Jrfk2ojyv0ThnhuAU4 9ZlVLOf5/F4AaQCuCFYhHSN1HnZlbaK+JNpC+WrrX0ffDA80WZqawounNPN8CZLk/Bui 1yY8RnuZHj85M95m20Tmt+SnzYYY1Zz8kwcX1rZblsuflE3LoabHDmv4nH3Nv/k4nEI5 HjVZbVpROfuTNgOUSSzu4rd1INISdKuDyJ0s3fxTM0Tyj8yD/AWJH5V1fJ9fiTtNcEGn P844v98roQP2GR+mwrDTdUNvnhnDIzODAaDLtMYC0GpJVdl98nZgfXENzu+3uBt8GFYk OKaw==
X-Received: by 10.194.174.197 with SMTP id bu5mr15091371wjc.71.1396578608993; Thu, 03 Apr 2014 19:30:08 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.102.130 with HTTP; Thu, 3 Apr 2014 19:29:48 -0700 (PDT)
In-Reply-To: <CACsn0cmX55Eewak8GBxBbSFF3v7tRTVqRt0eLwkR2-Tk_V7gHA@mail.gmail.com>
References: <CABkgnnWWuU63Vd=gw+wrh2ADgVYtQzhoRzRE1sv5azJE=MhWDg@mail.gmail.com> <CACsn0cmX55Eewak8GBxBbSFF3v7tRTVqRt0eLwkR2-Tk_V7gHA@mail.gmail.com>
From: Bernard Aboba <bernard.aboba@gmail.com>
Date: Thu, 3 Apr 2014 19:29:48 -0700
Message-ID: <CAOW+2dtKq4S68rNJAKbKbwMEnuD8rMbW4K_LfcjPBg5ps22BGw@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary=089e013d1a60e3debe04f62e4bae
Archived-At: http://mailarchive.ietf.org/arch/msg/rtcweb/8ZxBDykmyu48gS8YiHb2YgyuufE
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Asking TLS for help with media isolation
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Apr 2014 02:30:20 -0000

Martin said:

"I have pointed to draft-thomson-tls-acp as a potential solution here,
but others have noted that ALPN tokens could be used."

Watson said:

"Putting on my TLS hat, TLS already lets you send data across the
network securely. Why does this bit need to be treated differently
from all others?

[BA] As Martin indicates, the desire for isolation needs to be communicated
to ensure that remote media is not misused.  With either of the TLS
approaches that Martin has suggested,  the desire for isolation is
communicated directly between the peers.   Having this occur E2E via media,
not hop-by-hop via signaling avoids the risk of a MITM preventing isolation
from being negotiated.

However once the desire for isolation is communicated E2E (either via ACP
or ALPN tokens), there is nothing in the SRTP traffic (keyed by DTLS/SRTP)
that indicates that the traffic is to be isolated.


On Thu, Apr 3, 2014 at 6:51 PM, Watson Ladd <watsonbladd@gmail.com> wrote:

> On Thu, Apr 3, 2014 at 5:14 PM, Martin Thomson <martin.thomson@gmail.com>
> wrote:
> > As I described briefly at the last meeting, ensuring that media is
> > isolated from the application or web site is a key part of addressing
> > our security goals.
> >
> > The key part of that is making sure that any media that is isolated on
> > the sending side of RTCPeerConnection remains isolated when it reaches
> > the other side.
> >
> > As I noted, this is also necessary in order to ensure the integrity of
> > the same origin model.  In that model, cross origin media is required
> > to be inaccessible to content, and as it stands RTCPeerConnection
> > could be used to work around those restrictions (implementations can
> > implement other protections, as Firefox already does).
> >
> > The alternatives as I see them (and I hope that this is sufficiently
> > exhaustive) are:
> >
> >  1. ask the TLS working group for a TLS-based solution
> >  2. build something into the session signaling (i.e., new SDP bits)
> >  3. give up on the idea
> >
> > I prefer 1 for reasons already outlined.
>
> Putting on my TLS hat, TLS already lets you send data across the
> network securely. Why does this bit need to be treated differently
> from all others?
>
> Sincerely,
> Watson Ladd
>
>
> --
> "Those who would give up Essential Liberty to purchase a little
> Temporary Safety deserve neither  Liberty nor Safety."
> -- Benjamin Franklin
>
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb
>