Re: [rtcweb] No Interim on SDES at this juncture

Dan Wing <dwing@cisco.com> Fri, 21 June 2013 16:45 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3463E11E8193 for <rtcweb@ietfa.amsl.com>; Fri, 21 Jun 2013 09:45:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.276
X-Spam-Level:
X-Spam-Status: No, score=-110.276 tagged_above=-999 required=5 tests=[AWL=-0.277, BAYES_00=-2.599, J_CHICKENPOX_111=0.6, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RWUgc+cN6P6M for <rtcweb@ietfa.amsl.com>; Fri, 21 Jun 2013 09:45:42 -0700 (PDT)
Received: from mtv-iport-2.cisco.com (mtv-iport-2.cisco.com [173.36.130.13]) by ietfa.amsl.com (Postfix) with ESMTP id 130C721E8112 for <rtcweb@ietf.org>; Fri, 21 Jun 2013 09:45:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5236; q=dns/txt; s=iport; t=1371833139; x=1373042739; h=mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=RdOYkyA35aI/Cd/YVZcEJOLZ5xLUzAPQGIuNwhH0e4c=; b=NcD1GXjAy17OaL5pldvsuvBRKIHK5zU7ivGGDH1vh0CJWYJq4ViqD+dX gS8QZEOh5aJoo4uh9pqWFowHYQGy2c48qEoe0+Y8728qOk1ALsBsvlQN6 NhUIDh8s+MzAbdZs6iy4m5R8EYqkG6aZnso5L2WEHcWOfP42fNyAWvvYW 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgQFAPOBxFGrRDoH/2dsb2JhbABSCYMJMb9+gQQWdIIjAQEBAwEBAQE3NAsQCxguJzAGE4gIBQ28SY4OBIEEMweDAGEDiSGOIpFEgy8cgS0
X-IronPort-AV: E=Sophos;i="4.87,914,1363132800"; d="scan'208";a="84075228"
Received: from mtv-core-2.cisco.com ([171.68.58.7]) by mtv-iport-2.cisco.com with ESMTP; 21 Jun 2013 16:45:36 +0000
Received: from sjc-vpn3-98.cisco.com (sjc-vpn3-98.cisco.com [10.21.64.98]) by mtv-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id r5LGjZlr015319; Fri, 21 Jun 2013 16:45:35 GMT
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Dan Wing <dwing@cisco.com>
In-Reply-To: <529DCF4E-2A8B-475F-8CCE-7E2ABC72EFB1@oracle.com>
Date: Fri, 21 Jun 2013 09:45:35 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <2C6DDF0C-201D-4CA3-8EB0-F14B8A2D5758@cisco.com>
References: <CA+9kkMDnjCNXGV0GU7x6gbbZMf4WiEuVvCRY8_Fix5tmdOB-Kg@mail.gmail.com> <AD220324-EEE7-4800-8512-FD7BADA9EC34@oracle.com> <CA+9kkMDY2Z_5_1uYJ1K_ZmrJB2a1-RE7V3aPqNHQg82DyagjCg@mail.gmail.com> <2975A93F-44DA-4020-B4DE-42E7ED98C08F@oracle.com> <51BAC9BC.6070708@ericsson.com> <94846970-4694-4EC8-AEFA-AEECEE0135AA@oracle.com> <51C02EE8.5070809@ericsson.com> <AE1A6B5FD507DC4FB3C5166F3A05A4841A2C78AD@TK5EX14MBXC273.redmond.corp.microsoft.com> <CAL02cgTFSbYSX7v3q37tsjzaPMshyyBroGWr=qmy-HGm82GJFg@mail.gmail.com> <AE1A6B5FD507DC4FB3C5166F3A05A4841A2C7EF8@TK5EX14MBXC273.redmond.corp.microsoft.com> <CAL02cgQMkHu-NqEeScT2ObfknJ+3OjXi7Y=7rUJtqeu3CbewMQ@mail.gmail.com> <8E9D2A9F-3D8B-4480-A85D-320CF30FEAA6@oracle.com> <CAL02cgT3KEb0VB9kz=QCe7Mt3oj5tZvZouFe5-Uy90Cmm0H0dQ@mail.gmail.com> <30761469-F5CC-4858-8D40-4632A7D5A682@oracle.com> <CAL02cgSS1e5zH2YRh4uTb8qxXF5Ng5y8RxRw-bGP5xmQLkiQ+Q@mail.gmail.com> <529DCF4E-2A8B-475F-8CCE-7E2ABC72EFB1@oracle.com>
To: Hadriel Kaplan <hadriel.kaplan@oracle.com>
X-Mailer: Apple Mail (2.1508)
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] No Interim on SDES at this juncture
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Jun 2013 16:45:47 -0000

On Jun 20, 2013, at 7:58 PM, Hadriel Kaplan <hadriel.kaplan@oracle.com>; wrote:

> 
> On Jun 20, 2013, at 10:14 PM, Richard Barnes <rlb@ipv.sx>; wrote:
> 
>>> It's more secure in the sense that JS can't access the key, so an injected script can't grab the key and exfiltrate it.  So the browser user is better protected against XSS risks.
>> 
>> This part I'd like to understand better.  Can you explain it?
>> If a Browser cannot determine what server the JS being executed for WebRTC API calls/callbacks came from, or cannot tell if it came from one over HTTPS in particular, then using SDES might be a real problem.  I was under the impression browsers did know those things (or at least that they're theoretically supposed to, ignoring that  there are "bugs" here and there).
>> 
>> As with many things in the web security model, the answer is "It's complicated".  The wikipedia article on XSS is pretty good.
>> <http://en.wikipedia.org/wiki/Cross-site_scripting>
>> 
>> The upshot is that your typical web page gets cobbled together out of many pieces, often from different domains.  Scripts from multiple sources get imported into the overall security context of the page.  This composition can happen deliberately (e.g., mashups, JS libraries) or maliciously (XSS).  Let me provide an example of each:
>> 
>> 1. Suppose I use jQuery to do pretty layout on my page.  There's nothing that actually constrains jQuery to only do layout.  If jQuery is out to get me, it could do something like overwrite window.PeerConnection, so that all of the page's WebRTC calls go through the jQuery library and are subject to its control.  So if the PeerConnection API exposes keys, jQuery can steal them.
> 
> We've talked about that one before I think.  If jQuery is out to get you, it's game over.  It's essentially equivalent to a malicious web-server, except of course that the operator of the web-server isn't intending to be malicious (which is an important distinction).  But again, not only does jQuery have access to information such as who you're talking to and when, it can also redirect your media to a gateway of its choosing to terminate the DTLS-SRTP and record it, by fiddling with the JSON/SDP stuff.

For the attacker to succeed with the redirection of DTLS-SRTP to a server it controls, the attacker would also need to modify the SDP's a=fingerprint line which is as  trivial as the attacker's other SDP modifications.  To prevent the attacker from succeeding with such modification, we need cryptographic identity (to protect the From/To/Date/a=fingerprint and other fields), and need the browser (not JS) to verify the identity using an external service (e.g., local disk, IdP separate from the web server providing us the (compromised) JS and the SDP).  While it is true that today we don't have a way today to provide that cryptographic identity (RFC4474 does not work, draft-wing-rtcweb-identity-media written by me and Hadriel was met with silence) DTLS-SRTP creates the foundation to build cryptographic identity which can be verified by the browser itself.  Such cryptographic identity protects from this specific attack, and DTLS-SRTP protects from other attacks.

-d



> 
> 
>> 2. Suppose the overall page is loaded over HTTPS, but one of the scripts is loaded over HTTP.  Then the overall security context for the page is HTTPS, but if an attacker can hijack that HTTP load to introduce a script, in which case he can do the same bad stuff that jQuery could in the above example.  (This is why we have the following sentence in draft-ietf-rtcweb-security-arch: "It is RECOMMENDED that browsers which allow active mixed content nevertheless disable RTCWEB functionality in mixed content settings."
> 
> Right, and I think we've talked about that before too in the context of SDES: I think people were ok with limiting it further for SDES with a statement saying it must not be used in mixed content settings if one of the scripts came in on HTTP. (although I could be wrong on whether any consensus was reached on that point - it was a long time ago and I have a memory leak)
> 
> 
>> There are mitigations to a lot of these sorts of issues, but some are still being developed.  And of course, there's no guarantee that a given site will follow all the best practices.  So it seems sensible to limit the damage that an injected script can do.
> 
> Right, and I'm hoping the Browser vendors can tell us if browsers can safely know whether all the JS running on a given page is from HTTPS or not, and not allow SDES if the JS is not all from (signed) HTTPS.  If not, then I agree that's another negative downside for SDES.  In fact I think it's even a problem for DTLS-SRTP.  I don't know why we'd be ok with using HTTP at all, if we're *truly* concerned about MitM and malicious 3rd party JS attacks. 
> 
> -hadriel
> 
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb