[rtcweb] security-arch: 6.4.1 PeerConnection Origin Check

Michael Procter <michael@voip.co.uk> Mon, 21 July 2014 23:51 UTC

Return-Path: <michael@voip.co.uk>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E7811A0306 for <rtcweb@ietfa.amsl.com>; Mon, 21 Jul 2014 16:51:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.579
X-Spam-Level:
X-Spam-Status: No, score=-3.579 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NTJOSDjw7zB2 for <rtcweb@ietfa.amsl.com>; Mon, 21 Jul 2014 16:51:18 -0700 (PDT)
Received: from mail-we0-f172.google.com (na3sys009aog127.obsmtp.com [74.125.149.107]) by ietfa.amsl.com (Postfix) with SMTP id 87B7F1A02F3 for <rtcweb@ietf.org>; Mon, 21 Jul 2014 16:51:18 -0700 (PDT)
Received: from mail-we0-f172.google.com ([74.125.82.172]) (using TLSv1) by na3sys009aob127.postini.com ([74.125.148.12]) with SMTP ID DSNKU82ndkfUdPedFHQizg3wtUq8FF5vLrpC@postini.com; Mon, 21 Jul 2014 16:51:18 PDT
Received: by mail-we0-f172.google.com with SMTP id x48so8369750wes.3 for <rtcweb@ietf.org>; Mon, 21 Jul 2014 16:51:17 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type; bh=O72cvJNX4655NtwgQWmQ56EqQmAKCsvhW+uxmQbPFaY=; b=fOgV38/yV0Dp4v7GhxD3D9wsEeFKItYywN2x0+c/o7y3aPFh64073YhrBBtuFmqpjk f3Tox4G+kSyMj5rdgAKN6O1FAo00AHWMEvXPOKLb5Qu5Jjgv1AJkPto8VBVBAkrxXcjY g8PdHNkLg93ZtKb/yO+t+2weETwoUKJUSoF59HWs+Cga6FdYMfdKpqrhmtW++NJTDgmf g5YhGthCFYuOayx75w75G4TD9ueycAxv43xs/YciqLGYgYdHUQ2BCJJ+qXnrqzd9Gy0X oa/z9Vim4N0rBI+igXEU15qiUuOWhpn3pXRb6fTaim93WOl41vuPNi4EFjqRUjMTwSDz iQOQ==
X-Gm-Message-State: ALoCoQlfqItRDt1COBEAZTyHCdfSnf/RdEFXk4MKgI62dYUJaw6/FIZOwZKHpPTnP2jMt3l7myJSlFsCMyAxW7uBi/mM/yBDRlNjIEBDJ8L+jDT4/tPFjhC9w+NAld2mBTlC63RRW5YT
X-Received: by 10.180.86.7 with SMTP id l7mr8859271wiz.55.1405986677140; Mon, 21 Jul 2014 16:51:17 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.180.86.7 with SMTP id l7mr8859266wiz.55.1405986677063; Mon, 21 Jul 2014 16:51:17 -0700 (PDT)
Received: by 10.194.60.178 with HTTP; Mon, 21 Jul 2014 16:51:17 -0700 (PDT)
Date: Mon, 21 Jul 2014 19:51:17 -0400
Message-ID: <CAPms+wQPirBi1utnMjrScMk_U7_6x6qK+mC_6ZV054rYsNnwTg@mail.gmail.com>
From: Michael Procter <michael@voip.co.uk>
To: "<rtcweb@ietf.org>" <rtcweb@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/rtcweb/C2se43GaJtWsikEtBEOehqaO9Uc
Subject: [rtcweb] security-arch: 6.4.1 PeerConnection Origin Check
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Jul 2014 23:51:20 -0000

Section 6.4.1 begins like this:

   Fundamentally, the IdP proxy is just a piece of HTML and JS loaded by
   the browser, so nothing stops a Web attacker o from creating their
   own IFRAME, loading the IdP proxy HTML/JS, and requesting a
   signature.  In order to prevent this attack, we require that all
   signatures be tied to a specific origin ("rtcweb://...") which cannot
   be produced by content JavaScript.

The corresponding section in the w3c draft (8.1.2, bullet 2) describes
how this is achieved, based on the principle of communicating via a
MessageChannel identified by a variable that cannot be set by another
page.  I suggest removing the text about tying signatures to specific
origins (and also the mention of HTML), so that the beginning of 6.4.1
looks more like:

   Fundamentally, the IdP proxy is just a piece of JS loaded by
   the browser, so nothing stops a Web attacker from creating their
   own IFRAME, loading the IdP proxy JS, and requesting a
   signature.  In order to prevent this attack, we require that communication
   with the IdP proxy be via a MessageChannel in a way that cannot
   be emulated by hostile JS.  This is discussed in section 8.2.1 of
[webrtc-api].

Regards,

Michael