Re: [rtcweb] Areas of security concern

Colin Perkins <csp@csperkins.org> Wed, 12 March 2014 09:39 UTC

From: Colin Perkins <csp@csperkins.org>
In-Reply-To: <CACsn0cmnf0Lh8JEmwA2mYEg6hOivrpxc9JhFFAKmYcv1NpLfUA@mail.gmail.com>
Date: Wed, 12 Mar 2014 09:39:33 +0000
Message-Id: <DC4EF937-3A99-4EDE-B001-FD21D0907DF1@csperkins.org>
References: <CACsn0cmnf0Lh8JEmwA2mYEg6hOivrpxc9JhFFAKmYcv1NpLfUA@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/rtcweb/Eh2Sv4UHDdgMuQl1KX-aaVKEU1o
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] Areas of security concern

On 12 Mar 2014, at 05:11, Watson Ladd <watsonbladd@gmail.com> wrote:
> Dear all,
> I've jotted down the following notes when reading the drafts from here and the W3C as potential problem areas. Maybe there are things I've missed in the drafts that address them, but I think they are still worth thinking about. Some of these are more W3C, but we seem to be in charge of the security. These issues vary widely in seriousness. One of them is a demonstrated break of confidentiality, while several are open questions about how we communicate to users.
…
> Problem 7: VBR privacy leaks
> 
> I can do no better than to refer to the paper. http://www.infsec.cs.uni-saarland.de/teaching/WS08/Seminar/reports/yes-we-can.pdf Spoken phrases could be identified from encrypted data alone, using a Hidden Markov Model when the length of packets was preserved by the encryption.

The security considerations in draft-ietf-rtcweb-rtp-usage-12 refer to RFC 6562, which I believe gives recommendations to address this.

Colin



> Conclusion:
> Some of these issues result from well-known problems in older protocols. Others are longstanding difficult problems that have to be solved. Some are quite dangerous, while others will only permit the occasional prank. However, it is not enough to fix these specifically. Large areas of the proposal have not been explored by me. If I had to rate these by seriousness, problems 3 and 7 are the worst. They are luckily the easiest to fix.
> 
> Sincerely,
> Watson Ladd
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb



-- 
Colin Perkins
http://csperkins.org/
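The exchange above (Problem 7 and the pointer to RFC 6562) is about a side channel that is easy to see in a few lines: SRTP encrypts the audio payload but keeps its length, so a variable bit rate codec turns each frame's size into an observable that tracks the speech content. The script below is an added example written for this page, not code from the email, the cited paper, RFC 6562 or any WebRTC implementation. It constructs three short "phrases" as sequences of VBR frame sizes, models what an on-path observer sees after SRTP (payload length plus a fixed authentication tag, assumed here to be 10 bytes), and then applies one of the mitigations discussed in RFC 6562, padding every frame to a constant length, to show that the distinguishing signal disappears. All frame sizes are constructed values, not output from a real codec.

```python
"""Constructed demonstration of the VBR packet-length side channel and the
fixed-length padding mitigation. Frame sizes and the SRTP tag length below
are assumptions made for this example, not measurements of a real codec."""
import math
from collections import Counter

# Assumed SRTP authentication tag length in bytes (80-bit tag). SRTP adds
# this fixed overhead but otherwise preserves the payload length.
SRTP_AUTH_TAG_LEN = 10

# Constructed VBR frame sizes in bytes, one entry per 20 ms audio frame,
# for three hypothetical spoken phrases. The pattern of sizes is the leak.
PHRASES = {
    "phrase_a": [23, 31, 42, 42, 35, 23, 19],
    "phrase_b": [23, 19, 19, 27, 42, 35, 31],
    "phrase_c": [31, 35, 42, 42, 42, 23, 19],
}


def srtp_lengths(frames):
    """Packet lengths an on-path observer sees: encryption hides the bytes
    but not the size, so each length is payload + constant tag."""
    return [f + SRTP_AUTH_TAG_LEN for f in frames]


def pad_to_fixed(frames, size):
    """Mitigation: pad every frame to the same length before encryption so
    the observed sizes no longer depend on the audio content."""
    if any(f > size for f in frames):
        raise ValueError("pad size must be at least the largest frame")
    return [size] * len(frames)


def length_entropy_bits(lengths):
    """Shannon entropy of the observed length distribution, in bits.
    0.0 means every packet has the same length and carries no information."""
    counts = Counter(lengths)
    n = len(lengths)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def distinguishable_phrases(phrases, transform):
    """How many distinct length sequences an observer can tell apart after
    `transform` is applied to each phrase's frames."""
    return len({tuple(transform(frames)) for frames in phrases.values()})


def leak_report(phrases=PHRASES):
    """Compare the side channel with plain VBR against fixed-length padding."""
    max_frame = max(max(f) for f in phrases.values())
    vbr_all = [n for f in phrases.values() for n in srtp_lengths(f)]
    padded_all = [n for f in phrases.values()
                  for n in srtp_lengths(pad_to_fixed(f, max_frame))]
    return {
        "vbr_distinguishable": distinguishable_phrases(phrases, srtp_lengths),
        "padded_distinguishable": distinguishable_phrases(
            phrases, lambda f: srtp_lengths(pad_to_fixed(f, max_frame))),
        "vbr_entropy_bits": length_entropy_bits(vbr_all),
        "padded_entropy_bits": length_entropy_bits(padded_all),
    }


if __name__ == "__main__":
    for key, value in leak_report().items():
        print(f"{key}: {value}")
```

With plain VBR every constructed phrase maps to a unique length sequence, which is exactly the property the cited paper's classifier exploits; after padding to the largest frame all three collapse to one sequence and the per-packet length entropy drops to zero. Two caveats a reviewer would raise: the pad target must be a constant chosen independently of the current frame (padding "to the next multiple of 8" still leaks), and padding only hides size, not timing, so silence suppression or discontinuous transmission still reveals when someone is talking. RFC 6562 treats a constant bit rate codec as the option for the most sensitive calls for that reason.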