Re: [rtcweb] Let's define the purpose of WebRTC

"Muthu Arul Mozhi Perumal (mperumal)" <> Wed, 09 November 2011 13:19 UTC

From: "Muthu Arul Mozhi Perumal (mperumal)" <>
To: "Olle E. Johansson" <>

|That opens up for downgrade attacks and puts a lot 
|of trust on the web browser UI to show what happens
|and on the users to understand what the web browser 
|UA is trying to tell them.

It isn't an attack per se (since malicious JS has no control over it), rather a choice we would have to make whether or not to allow insecure calling to non-WebRTC clients. Yes, it adds some burden on the UI, but it could be as simple as the red cross you see on an https URL when the browser detects either high-risk insecure content on the page or problems with the site's certificate.


|-----Original Message-----
|From: Olle E. Johansson []
|Sent: Wednesday, November 09, 2011 4:54 PM
|To: Muthu Arul Mozhi Perumal (mperumal)
|Cc: Iñaki Baz Castillo; Avasarala, Ranjit; Ravindran Parthasarathi; Cullen Jennings (fluffy);
|Subject: Re: [rtcweb] Let's define the purpose of WebRTC
|
|On 9 Nov 2011 at 11:57, Muthu Arul Mozhi Perumal (mperumal) wrote:
|> |The "application" is untrusted by nature, and we don't want
|> |to make the end-user decide whether to trust it or not.
|> |Explained many times in this maillist.
|> I am thinking we could burn SRTP into the browser such that the decision of whether or not to use
|> SRTP vests solely with the browser. If a WebRTC browser is exchanging media with another WebRTC
|> browser they always do SRTP/SRTCP. If either side isn't WebRTC compliant they end up with RTP/RTCP.
|> This way we don't need to trust the JS, instead trust only the browser. We can also interoperate with
|> legacy devices without taxing them.
|
|That opens up for downgrade attacks and puts a lot of trust on the web browser UI to show what happens
|and on the users to understand what the web browser UA is trying to tell them.