IETF Logo Mail Archive

Re: [rtcweb] Resolving RTP/SDES question in Paris

Roman Shpount <roman@telurix.com> Tue, 20 March 2012 16:10 UTC

Return-Path: <roman@telurix.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5880021F85AE for <rtcweb@ietfa.amsl.com>; Tue, 20 Mar 2012 09:10:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.78
X-Spam-Level:
X-Spam-Status: No, score=-2.78 tagged_above=-999 required=5 tests=[AWL=0.196, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J24LzRPHM414 for <rtcweb@ietfa.amsl.com>; Tue, 20 Mar 2012 09:10:20 -0700 (PDT)
Received: from mail-pz0-f44.google.com (mail-pz0-f44.google.com [209.85.210.44]) by ietfa.amsl.com (Postfix) with ESMTP id AFC8221F8595 for <rtcweb@ietf.org>; Tue, 20 Mar 2012 09:10:20 -0700 (PDT)
Received: by dakl33 with SMTP id l33so212997dak.31 for <rtcweb@ietf.org>; Tue, 20 Mar 2012 09:10:20 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=Ofyoq0ssUvEVVcD+RPli7aiqYRMQWu332TvlMIs32gA=; b=gcJ+UTToWtZQ7OVqppUEIR639rLYoW1DZTkwwDarJA7oRAdtdM5250sOqvAK1zgqj7 iLIe9JhjFVXdzNjskRgluDb0VN17Q9k537HO3gwRdDkLnLNLkRBn6TPDPQvEIqvZDIlI 0p/odUkm3IQmVE4T/gfOhT6pS16HdHZPvd3ClbDhrHVsYETEBUld2Lukr0HzExyRcIrW pKm42FVDExmF0vo4KUhG55okB65BKD/sGZ+fOkyLq7gjogWyZ4t4IqvlEdUYSFU1LFKI 2RKtZVh8gPiaN22ToPUCIdRg6vYtUkhItyoPzk2gmoB4qwiYpA54wVb0iLF6eEVOTHed 3H4A==
Received: by 10.68.191.230 with SMTP id hb6mr2544126pbc.87.1332259820512; Tue, 20 Mar 2012 09:10:20 -0700 (PDT)
Received: from mail-pz0-f44.google.com (mail-pz0-f44.google.com [209.85.210.44]) by mx.google.com with ESMTPS id l1sm1587553pbs.34.2012.03.20.09.10.19 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 20 Mar 2012 09:10:19 -0700 (PDT)
Received: by dakl33 with SMTP id l33so212942dak.31 for <rtcweb@ietf.org>; Tue, 20 Mar 2012 09:10:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.132.99 with SMTP id ot3mr2318826pbb.160.1332259818376; Tue, 20 Mar 2012 09:10:18 -0700 (PDT)
Received: by 10.68.6.67 with HTTP; Tue, 20 Mar 2012 09:10:18 -0700 (PDT)
In-Reply-To: <4F68A4CC.9090306@alvestrand.no>
References: <4F4759DC.7060303@ericsson.com> <387F9047F55E8C42850AD6B3A7A03C6C0E1FEB69@inba-mail01.sonusnet.com> <CALiegfnkYVEpmPV-zSL_4wOY-HiFZN-qJCQCiioaS=5NaqhLZw@mail.gmail.com> <CAD5OKxvtOAxMBx6xDnyfTnEq76oDEm6uj1xL6wGjjrtKUAHy3g@mail.gmail.com> <CABcZeBNZiotPmCfT53uEo+O0xw4xv6tXW1M_G-3A5BHuncsduA@mail.gmail.com> <CAD5OKxvYOY5JZ2mYNGiH1poUBQkyOOycePFijH5H+SxtcdqujQ@mail.gmail.com> <CABkgnnVe-b6Sv=R67bMJk_NQqQwdrRUn6rBm7Gu_CMcfPQwtEg@mail.gmail.com> <4F64FE98.3070605@alcatel-lucent.com> <4F685ED9.2050109@alvestrand.no> <CAD5OKxsVp7px9bHAgxgdqPMxRgppcVUDKt8JHBhyq9qqW3pAMg@mail.gmail.com> <4F68A4CC.9090306@alvestrand.no>
Date: Tue, 20 Mar 2012 12:10:18 -0400
Message-ID: <CAD5OKxuiApLKRASc2YuBfkM_8h8wGDPPQ3TdOYGum2yauidA5A@mail.gmail.com>
From: Roman Shpount <roman@telurix.com>
To: Harald Alvestrand <harald@alvestrand.no>
Content-Type: multipart/alternative; boundary="047d7b15a68b390dda04bbaee97b"
X-Gm-Message-State: ALoCoQlrAPf1QOybdKW9ofyUbyz0eNFDDtH8ewkBeB86Jc4X99VCxI9OdT4S4+a+NSJChW06Y6kz
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] Resolving RTP/SDES question in Paris
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Mar 2012 16:10:21 -0000

On Tue, Mar 20, 2012 at 11:39 AM, Harald Alvestrand <harald@alvestrand.no>wrote:

> **
> On 03/20/2012 02:40 PM, Roman Shpount wrote:
>
> Once again, I understand how this helps in case of HTTPS, but how would
> this help in case of WebRTC? Media description is carried in some sort of
> application defined protocol (can even be transmitted over an encrypted
> SCTP data channel or encrypted in javaScript), so monitoring proxy cannot
> reliably modify it. I understand how it can be allowed to fake the
> signature on modified SDP by inserting a certificate in the browser, but
> how would the proxy get to the SDP in the first place?
>
>
> "this" = inserting a trust root in the browser?
>
> Once you trust the root I inserted, I can intercept all your HTTPS
> connections, and thus I can replace all the Javascript you think you are
> loading from your trusted provider with Javascript of my choice.
>
> Once your browser is running my Javascript, I can do anything the original
> application could - with the privilleges you granted to that application.
>
> I think that's more or less "game over" when it comes to security.
>
>
"this" is inserting the root certificate. It is a game over as far as
security is concerned, but the rest of your email completely missing my
point.

If, as an owner of a computer, you want to enable media monitoring with an
existing standard you need to know exactly how each application is
implemented. This is a solution for hacker but not the normal enterprise.
In order to have monitoring support in the enterprise environment you need
an ability to force the browser to proxy all the media through a monitoring
application without any application modification, via browser settings
alone.
_____________
Roman Shpount

v2.23.0 | Report a Bug | By Email