IETF Logo Mail Archive

Re: [rtcweb] Resolving RTP/SDES question in Paris

Roman Shpount <roman@telurix.com> Mon, 19 March 2012 02:20 UTC

Return-Path: <roman@telurix.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B88921F8525 for <rtcweb@ietfa.amsl.com>; Sun, 18 Mar 2012 19:20:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.724
X-Spam-Level:
X-Spam-Status: No, score=-2.724 tagged_above=-999 required=5 tests=[AWL=0.252, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LN4O7Tyu9PG5 for <rtcweb@ietfa.amsl.com>; Sun, 18 Mar 2012 19:20:41 -0700 (PDT)
Received: from mail-pz0-f44.google.com (mail-pz0-f44.google.com [209.85.210.44]) by ietfa.amsl.com (Postfix) with ESMTP id 05F2C21F8512 for <rtcweb@ietf.org>; Sun, 18 Mar 2012 19:20:39 -0700 (PDT)
Received: by dakl33 with SMTP id l33so10201482dak.31 for <rtcweb@ietf.org>; Sun, 18 Mar 2012 19:20:39 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=cPjlqGJ7tMJPzDx3fRzF8iwLBcLhHZGUrO9Rt7+Fu04=; b=HaJU/DWwviXT44V4bTb0urh2Bh6PfxTLcQFQ8MaaKm1o42ifnz3Kg+7oBXnhdk5Bmi KzucBtkzC6Mp/BJoxXyRiFEEesUFNm6PrOfQjugZE7sLHL0Lf6wJrvbYxVOfVsGpjVak 8m5LaQRojuFoWPE/f/kqcStFyqmG1tRdviCuCECPwiauAFLyY4YHpqpqzS8DqDVE3WUv j427WPGgYWeXqNyOO1ndo+FICmNh6X7QrJwFOvfQla0v8mE9Bi4WXmDX4qKQEwOow+Om pHjM5E/8h9SzXfAUlMJj/x0Ji5aSbRuCcE85vlpZvva4uLidKFwfBplXs3p0nfysARNS 9EpA==
Received: by 10.68.192.36 with SMTP id hd4mr8869995pbc.54.1332123639603; Sun, 18 Mar 2012 19:20:39 -0700 (PDT)
Received: from mail-pz0-f44.google.com (mail-pz0-f44.google.com [209.85.210.44]) by mx.google.com with ESMTPS id 3sm7209552pbf.47.2012.03.18.19.20.37 (version=TLSv1/SSLv3 cipher=OTHER); Sun, 18 Mar 2012 19:20:38 -0700 (PDT)
Received: by dakl33 with SMTP id l33so10201424dak.31 for <rtcweb@ietf.org>; Sun, 18 Mar 2012 19:20:36 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.201.98 with SMTP id jz2mr35192052pbc.97.1332123636641; Sun, 18 Mar 2012 19:20:36 -0700 (PDT)
Received: by 10.68.6.67 with HTTP; Sun, 18 Mar 2012 19:20:36 -0700 (PDT)
In-Reply-To: <CABkgnnVe-b6Sv=R67bMJk_NQqQwdrRUn6rBm7Gu_CMcfPQwtEg@mail.gmail.com>
References: <4F4759DC.7060303@ericsson.com> <387F9047F55E8C42850AD6B3A7A03C6C0E1FEB69@inba-mail01.sonusnet.com> <CALiegfnkYVEpmPV-zSL_4wOY-HiFZN-qJCQCiioaS=5NaqhLZw@mail.gmail.com> <CAD5OKxvtOAxMBx6xDnyfTnEq76oDEm6uj1xL6wGjjrtKUAHy3g@mail.gmail.com> <CABcZeBNZiotPmCfT53uEo+O0xw4xv6tXW1M_G-3A5BHuncsduA@mail.gmail.com> <CAD5OKxvYOY5JZ2mYNGiH1poUBQkyOOycePFijH5H+SxtcdqujQ@mail.gmail.com> <CABkgnnVe-b6Sv=R67bMJk_NQqQwdrRUn6rBm7Gu_CMcfPQwtEg@mail.gmail.com>
Date: Sun, 18 Mar 2012 22:20:36 -0400
Message-ID: <CAD5OKxvZbEJ7sV4WPAYoQapzMR_QwAftj-oKg=ioMKHNT792wQ@mail.gmail.com>
From: Roman Shpount <roman@telurix.com>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: multipart/alternative; boundary="047d7b15aee928ae3e04bb8f3448"
X-Gm-Message-State: ALoCoQktwlvS/m226KQLDnrOxLOXEfL/kbJ0oIkMr//cfS48270Wfw8Oa1unP6YoQ/33BzYGpNjJ
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Resolving RTP/SDES question in Paris
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Mar 2012 02:20:42 -0000

On Sat, Mar 17, 2012 at 4:45 PM, Martin Thomson <martin.thomson@gmail.com>wrote:

> This isn't that hard.  I run an intercepting proxy that offers its own
> certificate.  Then I explicitly place a trust anchor for that
> certificate in your browser.  The proxy is then able to intercept any
> encrypted traffic it chooses to.  The proxy does two lots of crypto
> work, but that's not as much of a big deal as you might think.
>
> No protocol changes at all.  The proxy might need to do more work to
> convince you that the identity hasn't been replaced (swap itself in as
> the identity provider, for example), but anything is possible once it
> is "trusted".
>
>
I understand how this will work with HTTPS, but how would this work with
WebRTC? Signaling is traveling over some separate path withing a websocket
or some other HTTP-based encapsulating protocol. Keys/Key signatures are
part of this signaling, which is almost impossible to intercept, even if
you have access to all HTTP(S) traffic, since each application can define
the protocol being used. Intercepting proxy needs access to this info, or
it cannot decode the media or spoof the signatures. Unless I am missing
something, client needs to send the SDP to the proxy and get the modified
SDP back, which probably requires some sort of network protocol.
_____________
Roman Shpount

v2.23.0 | Report a Bug | By Email