IETF Logo Mail Archive

Re: [rtcweb] SDES vs DTLS-SRTP revisited

Hadriel Kaplan <HKaplan@acmepacket.com> Tue, 20 March 2012 15:44 UTC

Return-Path: <HKaplan@acmepacket.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD02C21F849C for <rtcweb@ietfa.amsl.com>; Tue, 20 Mar 2012 08:44:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.531
X-Spam-Level:
X-Spam-Status: No, score=-2.531 tagged_above=-999 required=5 tests=[AWL=0.068, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IebHh2p8KM2r for <rtcweb@ietfa.amsl.com>; Tue, 20 Mar 2012 08:44:18 -0700 (PDT)
Received: from etmail.acmepacket.com (etmail.acmepacket.com [216.41.24.6]) by ietfa.amsl.com (Postfix) with ESMTP id B03CE21F849B for <rtcweb@ietf.org>; Tue, 20 Mar 2012 08:44:18 -0700 (PDT)
Received: from MAIL1.acmepacket.com (10.0.0.21) by etmail.acmepacket.com (216.41.24.6) with Microsoft SMTP Server (TLS) id 8.2.254.0; Tue, 20 Mar 2012 11:44:13 -0400
Received: from MAIL2.acmepacket.com ([169.254.2.166]) by Mail1.acmepacket.com ([169.254.1.170]) with mapi id 14.02.0283.003; Tue, 20 Mar 2012 11:44:13 -0400
From: Hadriel Kaplan <HKaplan@acmepacket.com>
To: Harald Alvestrand <harald@alvestrand.no>
Thread-Topic: [rtcweb] SDES vs DTLS-SRTP revisited
Thread-Index: AQHNBrBMt2nXjUficU+l0rMM5dLpPA==
Date: Tue, 20 Mar 2012 15:44:12 +0000
Message-ID: <E0F19DAB-4A30-42E8-AD3B-81858EBA9BC4@acmepacket.com>
References: <A1B638D2082DEA4092A268AA8BEF294D194494CE64@ESESSCMS0360.eemea.ericsson.se> <CABcZeBO5xouNwMqBa-y6AqbXs-+9nU37kGEETm0DpqSWZ9tjwg@mail.gmail.com> <ABC8591A-0432-4D5A-82AB-BBE9A22360D9@acmepacket.com> <4F685C45.5080106@alvestrand.no>
In-Reply-To: <4F685C45.5080106@alvestrand.no>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.0.0.30]
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <7D951FF277F55D4EA70475EB0318BD74@acmepacket.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: AAAAAQAAAWE=
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] SDES vs DTLS-SRTP revisited
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Mar 2012 15:44:20 -0000

On Mar 20, 2012, at 6:30 AM, Harald Alvestrand wrote:

> I don't get this scenario. If Alice calls Bob using two different gateways, won't she go through a credentials and fingerprint exchange with the gateways?
> In that case, wouldn't the fingerprint belong to the gateway?

Yes, but the statement being made was in the context of Alice calling Bob, them seeing their browsers claim DTLS-SRTP "secured" or whatever, and them being super-geeks and checking the detailed info of what the actual DTLS fingerprints were, and finding they don't both see the same fingerprints... and that they would thus believe there was either a software bug or a malicious middleman.

So my point was that's not a good conclusion to jump to, since both caller and called parties can see DTLS-SRTP "secured" mode lock-icon, but with different fingerprints, and yet it being neither a software bug nor a malicious middleman.  I realize no distinction can be made between a PSTN-gateway and a malicious MitM, by design, but that's not a good thing - because it means people will simply learn to ignore the warnings generated by the browser, because from a user perspective they'll all be false positives.

-hadriel

v2.23.0 | Report a Bug | By Email