Re: [rtcweb] #10: Additional Threats
Martin Thomson <martin.thomson@gmail.com> Mon, 18 February 2013 19:13 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3E6721F89CE for <rtcweb@ietfa.amsl.com>; Mon, 18 Feb 2013 11:13:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.057
X-Spam-Level:
X-Spam-Status: No, score=-5.057 tagged_above=-999 required=5 tests=[AWL=-1.458, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qt07xMbFFeKq for <rtcweb@ietfa.amsl.com>; Mon, 18 Feb 2013 11:13:55 -0800 (PST)
Received: from mail-wg0-f44.google.com (mail-wg0-f44.google.com [74.125.82.44]) by ietfa.amsl.com (Postfix) with ESMTP id D1EDE21F8946 for <rtcweb@ietf.org>; Mon, 18 Feb 2013 11:13:54 -0800 (PST)
Received: by mail-wg0-f44.google.com with SMTP id dr12so4767123wgb.11 for <rtcweb@ietf.org>; Mon, 18 Feb 2013 11:13:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=vEIcEbVJSEICwL0pQSdE3qAeb830KV6VM+VASAeQdDo=; b=Vze8Yjhk/YnbKtIC8Aohrm06gzujSkBEyNuwBVHt/T1iilr0bWY+Ob43xn0hfrfXA3 IBjzl2HtJVO4boYuum84aM6sH/ytKxGwoixu9xvLorzhDHiAZxa+WfkcX7OxyI1eZ9qp nMEWCOBEbfJ6Ptut7VFpriDu48u6XJRlBps0O1v2GDgML8ZC0PYP1SoiyosW3m0Hgihq 8m/A5bdYXbiiWITCl6KQniNckTdmxU6bK+51ASmakCaNC7yfl8pU2b/zPCDN7ann8v2w Ogm0fxE/xMBK3PFLDvXc1lM9Qe7EPnho+DcTQ3pMhrSCGHpt8/rhZmMbvWhWKZ5Ij5KG zv8w==
MIME-Version: 1.0
X-Received: by 10.194.76.37 with SMTP id h5mr21634893wjw.21.1361214833427; Mon, 18 Feb 2013 11:13:53 -0800 (PST)
Received: by 10.194.5.135 with HTTP; Mon, 18 Feb 2013 11:13:53 -0800 (PST)
In-Reply-To: <066.1f4ccb214419f0f63ee3d9e5b94fa37e@trac.tools.ietf.org>
References: <066.1f4ccb214419f0f63ee3d9e5b94fa37e@trac.tools.ietf.org>
Date: Mon, 18 Feb 2013 11:13:53 -0800
Message-ID: <CABkgnnU3vBnhCXf=Mj+ONg5_8V9YxJUc+A5D_zuTTiDKWS1+ew@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: rtcweb issue tracker <trac+rtcweb@trac.tools.ietf.org>
Content-Type: text/plain; charset="UTF-8"
Cc: draft-ietf-rtcweb-security@tools.ietf.org, "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] #10: Additional Threats
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Feb 2013 19:13:55 -0000
This opens a new category of attack, one that I wasn't all that concerned about. Namely, the guy on the other end isn't trustworthy. To a large extent, peer authentication allows users to make their own assessments, but we have to acknowledge (and likely accept) that the other guy isn't necessarily trustworthy. I think that we can rule the age-old human problem out of scope, but perhaps we should be clear that we are doing so. On 16 February 2013 14:26, rtcweb issue tracker <trac+rtcweb@trac.tools.ietf.org> wrote: > #10: Additional Threats > > Aside from the threats described in the document, a few others come to > mind. It might be useful for the document to state explicitly why or why > not these are out of scope: > > a. Live versus replayed streams. While you might have media security, > this doesn't tell you whether the stream is actually originating from a > device or is being replayed. > > b. Prank calling. While the document talks about permission to make > calls, it doesn't mention permission to receive or blocking of unwanted > calls. > > -- > -------------------------------------+------------------------------------- > Reporter: | Owner: draft-ietf-rtcweb- > bernard_aboba@hotmail.com | security@tools.ietf.org > Type: defect | Status: new > Priority: major | Milestone: milestone1 > Component: security | Version: 1.0 > Severity: In WG Last Call | Keywords: > -------------------------------------+------------------------------------- > > Ticket URL: <http://trac.tools.ietf.org/wg/rtcweb/trac/ticket/10> > rtcweb <http://tools.ietf.org/rtcweb/> > > _______________________________________________ > rtcweb mailing list > rtcweb@ietf.org > https://www.ietf.org/mailman/listinfo/rtcweb
- [rtcweb] #10: Additional Threats rtcweb issue tracker
- Re: [rtcweb] #10: Additional Threats Martin Thomson