IETF Logo Mail Archive

Re: [rtcweb] SRTP not mandatory-to-use

Oscar Ohlsson <oscar.ohlsson@ericsson.com> Thu, 12 January 2012 21:42 UTC

Return-Path: <oscar.ohlsson@ericsson.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0767421F8624 for <rtcweb@ietfa.amsl.com>; Thu, 12 Jan 2012 13:42:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6b3MHqYisbIr for <rtcweb@ietfa.amsl.com>; Thu, 12 Jan 2012 13:42:28 -0800 (PST)
Received: from mailgw9.se.ericsson.net (mailgw9.se.ericsson.net [193.180.251.57]) by ietfa.amsl.com (Postfix) with ESMTP id 269B421F8603 for <rtcweb@ietf.org>; Thu, 12 Jan 2012 13:42:27 -0800 (PST)
X-AuditID: c1b4fb39-b7b3eae00000252a-ed-4f0f53bec398
Received: from esessmw0237.eemea.ericsson.se (Unknown_Domain [153.88.253.124]) by mailgw9.se.ericsson.net (Symantec Mail Security) with SMTP id 89.FD.09514.EB35F0F4; Thu, 12 Jan 2012 22:42:22 +0100 (CET)
Received: from ESESSCMS0360.eemea.ericsson.se ([169.254.1.39]) by esessmw0237.eemea.ericsson.se ([153.88.115.90]) with mapi; Thu, 12 Jan 2012 22:42:22 +0100
From: Oscar Ohlsson <oscar.ohlsson@ericsson.com>
To: Randell Jesup <randell-ietf@jesup.org>
Date: Thu, 12 Jan 2012 22:42:20 +0100
Thread-Topic: [rtcweb] SRTP not mandatory-to-use
Thread-Index: AczQs5vpTXZmEjB2S+60FT04+bQtOwAvsdEQ
Message-ID: <A1B638D2082DEA4092A268AA8BEF294D193F92BE22@ESESSCMS0360.eemea.ericsson.se>
References: <CAErhfrwu322=HTS0JZhum9EGfb73KmYS6CU_KMESyzEWhtvg2w@mail.gmail.com> <BLU152-W1140980759D89AC3C1D0CA93940@phx.gbl> <CA+9kkMBdX7YT1tPj5M3VrzAPKa6tXNGZVvvhjW9V4oOEC7g_kA@mail.gmail.com> <CAOJ7v-1_qMoHBb3K7rV=hG9EadqL=xn4KEdG0zdWnKZU9_TipQ@mail.gmail.com> <4AEFFC17-EF17-40F2-B83B-0B0CC44AD2C3@cisco.com> <CAKhHsXEes+Lf+uKdTrjXoy+3PMy2uNumNL-W-0s4_xRXW6FiZg@mail.gmail.com> <4F0CAC8C.8010203@wonderhamster.org> <1D062974A4845E4D8A343C6538049202074ABD3A@XMB-BGL-414.cisco.com> <387F9047F55E8C42850AD6B3A7A03C6C01DCF907@inba-mail02.sonusnet.com> <CALiegfkejnU2rTe-FibUVxTrRS9SivkhGXB5eK+FhD8Vu6iTMA@mail.gmail.com> <387F9047F55E8C42850AD6B3A7A03C6C01DCF9FC@inba-mail02.sonusnet.com> <CALiegfn07bS58B+4ZyzRTnO4LCpw1e96dnqpSM+TT1y3QG2Zwg@mail.gmail.com> <387F9047F55E8C42850AD6B3A7A03C6C01DCFBC1@inba-mail02.sonusnet.com> <CAOJ7v-20+yL7r+_ODx_czHTiujXZZWESaZRB7MQjhvScg3RFtw@mail.gmail.com> <4F0DFD0B.2000009@jesup.org> <CABcZeBMnkO-hd3DtKNtxq5knUb=bd7ZEMNKVUX8WBLqLKkU14Q@mail.gmail.c om> <4F0E125D.8000605@jesup.org>
In-Reply-To: <4F0E125D.8000605@jesup.org>
Accept-Language: sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: sv-SE, en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: AAAAAA==
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] SRTP not mandatory-to-use
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jan 2012 21:42:29 -0000

 
Randall said:

> I'd like to explore the possibility of making sure there's a 
> workable DTLS-SRTP implementation openly available, and 
> locking WebRTC down to that only.
> 
> If we use SDES, we're effectively trusting the JS app (and 
> website) to a very large extent.  (Not to turn on the 
> camera/mic, but with the contents of all conversations.)  It 
> also means bid-down to SDES is trivial.  I'm not sure what 
> this would mean to identity validation via BrowserID or 
> others (ekr?); that might survive this, but it means media 
> could be decrypted in realtime or later if anyone has copies 
> of the packets and can get the key from the app/website.

As has been pointed out many times before it is not significantly harder to eavesdrop on a SDES call than a DTLS-SRTP call. When comparing SDES to DTLS-SRTP the comparison should really be made with plain DTLS-SRTP without key continuity or the new identity mechanism.

There are a number of reasons why key continuity doesn't work in a web context. EKR mention the problem of multiple browsers but there are other issues as well (e.g., public key not bound to an id, an increasing amount of public keys stored over time, anonymous users with one time public keys, etc). It is therefore unlikely that the user will react if the peer's fingerprint is replaced by the web application.

The new identity mechanism doesn't help eiter unless it is made mandatory to use. In the same way as the web application can downgrade from DTLS-SRTP to SDES it can downgrade from DTLS-SRTP+identity to plain DTLS-SRTP. I doubt that the identity mechanism can be made mandatory since:

(1) Many web applications do not want to depend on external identity providers
(2) Some users do not have any identity provider account
(3) Many web applications are already trusted by the user
(4) Users may not always want to reveal their identity
(5) Working out all the details of the identity mechanism will take time

Protecting ourselves against the web application would also require disabling (or at least require user consent for) lots of useful JavaScript functionality (e.g. forwarding, manipulation, or recording of streams). The bottom line is that (except in the case of security aware users) the web application will be able to eavesdrop on calls.

I know that logging and cross-site scripting has been pointed out as potential vulnerabilities for SDES. These two problems should be properly analyzed but let's defer that discussion for now. 

Regards,

Oscar Ohlsson

v2.23.0 | Report a Bug | By Email