Re: [rtcweb] Mandating encryption of RTP header extensions for MID and RID SDES items
Cullen Jennings <fluffy@iii.ca> Fri, 07 October 2016 17:42 UTC
Return-Path: <fluffy@iii.ca>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F001129674 for <rtcweb@ietfa.amsl.com>; Fri, 7 Oct 2016 10:42:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uNV0bg6qI8cj for <rtcweb@ietfa.amsl.com>; Fri, 7 Oct 2016 10:42:01 -0700 (PDT)
Received: from smtp105.iad3a.emailsrvr.com (smtp105.iad3a.emailsrvr.com [173.203.187.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E067129694 for <rtcweb@ietf.org>; Fri, 7 Oct 2016 10:42:01 -0700 (PDT)
Received: from smtp14.relay.iad3a.emailsrvr.com (localhost [127.0.0.1]) by smtp14.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 942CB60EF2; Fri, 7 Oct 2016 13:41:55 -0400 (EDT)
X-Auth-ID: fluffy@iii.ca
Received: by smtp14.relay.iad3a.emailsrvr.com (Authenticated sender: fluffy-AT-iii.ca) with ESMTPSA id 41D7860AF4; Fri, 7 Oct 2016 13:41:55 -0400 (EDT)
X-Sender-Id: fluffy@iii.ca
Received: from [10.24.90.15] ([UNAVAILABLE]. [128.107.241.170]) (using TLSv1 with cipher DHE-RSA-AES256-SHA) by 0.0.0.0:587 (trex/5.7.7); Fri, 07 Oct 2016 13:41:55 -0400
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Cullen Jennings <fluffy@iii.ca>
In-Reply-To: <e536bad2-08b1-4f77-8c75-6bc3b639c398@ericsson.com>
Date: Fri, 07 Oct 2016 10:41:53 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <B6ECFC24-F28E-4E35-9437-B7DACB41EF69@iii.ca>
References: <e536bad2-08b1-4f77-8c75-6bc3b639c398@ericsson.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/9S1A_zPK798scKODiRpb6X7DqC4>
Cc: RTCWeb IETF <rtcweb@ietf.org>
Subject: Re: [rtcweb] Mandating encryption of RTP header extensions for MID and RID SDES items
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Oct 2016 17:42:03 -0000
How are these a significant fingerprinting problem ? > On Oct 6, 2016, at 7:55 AM, Magnus Westerlund <magnus.westerlund@ericsson.com> wrote: > > WG, > > After discussion in AVTEXT and MMUSIC regarding the inclusion of MID and RID as SDES items that this do exposes labels that previously only have existed in the signalling plane in the media plane. And especially in the RTP header extensions, where even if the media payload is encrypted the header extension is not encrypted. > > The risk with this is primarily a privacy and fingerprinting risk. And the proposed mitgation is encryption of the RTP header extensions in both the bundle and avtext-rid documents. > > This leads to the conclusion that for RTCWeb, we must consider to act on these recommendations and decide on which implementation and usage requirement the protection of these field should have. > > My proposal is that implementation and use of RFC6904 encryption of the RTP header extensions are REQUIRED. For RTCP it is actually unclear if there is mandatory to use encrypted SRTCP. I think it should be required and that can be clarified in Section 5.5 of draft-ietf-rtcweb-security-arch. > > > Opinions? > > > Cheers > > Magnus Westerlund > > ---------------------------------------------------------------------- > Services, Media and Network features, Ericsson Research EAB/TXM > ---------------------------------------------------------------------- > Ericsson AB | Phone +46 10 7148287 > Färögatan 6 | Mobile +46 73 0949079 > SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com > ---------------------------------------------------------------------- > > _______________________________________________ > rtcweb mailing list > rtcweb@ietf.org > https://www.ietf.org/mailman/listinfo/rtcweb
- [rtcweb] Mandating encryption of RTP header exten… Magnus Westerlund
- Re: [rtcweb] Mandating encryption of RTP header e… Cullen Jennings
- Re: [rtcweb] Mandating encryption of RTP header e… Bernard Aboba
- Re: [rtcweb] Mandating encryption of RTP header e… Mo Zanaty (mzanaty)
- Re: [rtcweb] Mandating encryption of RTP header e… Christer Holmberg
- Re: [rtcweb] Mandating encryption of RTP header e… Magnus Westerlund
- Re: [rtcweb] Mandating encryption of RTP header e… Cullen Jennings (fluffy)
- Re: [rtcweb] Mandating encryption of RTP header e… Cullen Jennings
- Re: [rtcweb] Mandating encryption of RTP header e… Christer Holmberg
- Re: [rtcweb] Mandating encryption of RTP header e… Magnus Westerlund
- Re: [rtcweb] Mandating encryption of RTP header e… Cullen Jennings (fluffy)
- Re: [rtcweb] Mandating encryption of RTP header e… Jonathan Lennox
- Re: [rtcweb] Mandating encryption of RTP header e… Magnus Westerlund
- Re: [rtcweb] Mandating encryption of RTP header e… Christer Holmberg
- Re: [rtcweb] Mandating encryption of RTP header e… Christer Holmberg