Re: [rtcweb] Solutions sought for non-ICE RTC calls, not +1 (Re: Requiring ICE for RTC calls)

Iñaki Baz Castillo <ibc@aliax.net> Tue, 27 September 2011 20:02 UTC

In-Reply-To: <4E821E47.4080205@alvestrand.no>
References: <CAD5OKxtNjmWBz92bRuxka7e-BUpTPgVUvr3ahJGpmZ-U5nuPbQ@mail.gmail.com> <CAD6AjGSmz5T_F+SK2EoBQm6T-iRKp7dd4j8ZAF5JKdbbyomZQA@mail.gmail.com> <CALiegfmO54HC+g9L_DYn4jtXAAbLEvS++qxKa6TNrLDREs9SeA@mail.gmail.com> <4E80984A.903@skype.net> <CALiegfmyvTb57WVooKryS-ubfcg+w5gZ+zfO1zzBLn3609AzaA@mail.gmail.com> <4E809EE6.2050702@skype.net> <2E239D6FCD033C4BAF15F386A979BF510F1087@sonusinmail02.sonusnet.com> <BLU152-W62B7F2AC3F0D5B6E277CB993F00@phx.gbl> <CAD5OKxt=P3jg9N0weFUZLvUYQxyeXa+9YMtpc8wn7osuPQmTpg@mail.gmail.com> <CAD5OKxtVCgiFV_iAYd1w0uZZcS5+gsixOHJ0jGN=0CMdq++kdg@mail.gmail.com> <CAOJ7v-3PrnNyesL+x-mto9Q9djjiJ13QZHXCiGfY1mv3nubrqQ@mail.gmail.com> <CAD5OKxsKTHCuBQdUnGQtGfF7NmZZExLe9Q9B9cNR=483neuHPQ@mail.gmail.com> <CAOJ7v-1rzdmviAnGknVZmrU_TDNoC3NmWd1g6iyx0WzZ4xB3Pw@mail.gmail.com> <4E820825.9090101@skype.net> <CAD5OKxvmKi3Py0gNcTdREdfS07hA-=f6L+u8KKVgSWztMft9kQ@mail.gmail.com> <CALiegfmL4VSRE+kgs5kXzQc3mCHnKpU-EAbVPKO4QNEYLKje=A@mail.gmail.com> <4E821E47.4080205@alvestrand.no>
Date: Tue, 27 Sep 2011 22:05:12 +0200
Message-ID: <CALiegfndBhod6Hoq6h63795x8f=ew28rDys=Fx8ScwVpVJwp1Q@mail.gmail.com>
From: Iñaki Baz Castillo <ibc@aliax.net>
To: Harald Alvestrand <harald@alvestrand.no>
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] Solutions sought for non-ICE RTC calls, not +1 (Re: Requiring ICE for RTC calls)

2011/9/27 Harald Alvestrand <harald@alvestrand.no>:
> The current assumption is that browsers will get Javascript from multiple
> sources, some of which will be malicious. Malicious sources cannot be
> allowed to initiate sessions without ICE, for all the reasons given in the
> "security" I-D.
>
> Before we can even consider relaxing the ICE requirement, we need to see a
> trust model formulated for who gets to decide, for a particular piece of
> Javascript, if it's allowed to operate within a relaxed trust model.
>
> So far, I have seen no such proposals. Can you who argue for this solution
> please go away and write a draft that describes one, instead of repeating
> "+1" without any new solutions?

Hi Harald. Don't get me wrong, I understand the security requirements
and I agree with them. But I think it would be a bit sad if the
WebRTC model could not interoperate with most of the current SIP
deployments.

Anyhow, I also think that this is the price that people involved in
SIP must pay for our laziness in implementing security specifications
*already* standardized for the SIP and RTP protocols.

The fact is that SIP is mostly deployed in the following scenarios:
- In local networks with an internal SIP PBX and SIP phones.
- In SIP-to-PSTN providers.
- In operators' internal infrastructure and in intercommunication with
other operators.

All these scenarios can be considered "trusted" (more or less), as the
user never talks SIP with an external unknown user. So they are
mostly "walled gardens".

Of course this is not the case on the pure Internet, where most
WebRTC deployments will exist, so I agree that security is more
important than compatibility with legacy SIP networks, even more so
when those legacy SIP networks have not cared about security.


Anyhow, I still think that local policy (rather than mandating
SRTP+ICE in the spec) could make sense. As I've said in some other
thread, a malicious provider could invite the user (the web visitor)
to make a call to some "number" or "destination" controlled by the
malicious provider. The destination could implement SRTP+ICE so the
communication "seems secure", but nothing prevents the malicious
provider from recording the video session and uploading it to YouTube.
It's more or less like expecting HTTPS to solve the phishing problem
on the web (it does not).

In the same way, web browsers could come pre-configured with an
enabled checkbox:

  [X] don't allow insecure calls

The user could disable that checkbox. Anyhow, when a call is being
established and the WebRTC stack realizes that the peer does not
support ICE and/or SRTP, it could warn the user by showing something
like a pop-up ("This call is not secure"), also providing a button
"Don't show again for this site".

I don't know if this could be enough.

Regards.



-- 
Iñaki Baz Castillo
<ibc@aliax.net>
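The local-policy check the message sketches (reject a call whose peer offers no ICE or no SRTP, or allow it with a warning when the user has disabled the "don't allow insecure calls" setting) can be expressed as an inspection of the peer's SDP. The JavaScript below is an added example, not code from the author or from any WebRTC implementation; the SDP samples are constructed, the `allowInsecureCalls` policy flag and all function names are assumptions, and the ICE test requires both `a=ice-ufrag` and `a=ice-pwd` (candidates alone are not enough), while the SRTP test requires a SAVP/SAVPF profile on the m= line plus keying material (`a=crypto` for SDES or `a=fingerprint` for DTLS-SRTP) at media or session level.

```javascript
// Added example: decide whether a call is "insecure" (no ICE and/or no SRTP)
// from the peer's SDP, then apply a browser-local policy. Not part of the
// original mail; all SDP samples below are constructed.

// Split an SDP blob into session-level lines and per-media sections, because
// ICE and keying attributes may legitimately appear at either level.
function parseSdp(sdp) {
  const lines = sdp.split(/\r?\n/).filter(l => l.length > 0);
  const session = [];
  const media = [];
  let current = null;
  for (const line of lines) {
    if (line.startsWith('m=')) {
      current = { mline: line, attrs: [] };
      media.push(current);
    } else if (current) {
      current.attrs.push(line);
    } else {
      session.push(line);
    }
  }
  return { session, media };
}

// ICE is usable for a media section only if both credentials are present
// (session-level values apply to every section that does not override them).
function hasIce(section, sessionLines) {
  const all = sessionLines.concat(section.attrs);
  return all.some(l => l.startsWith('a=ice-ufrag:')) &&
         all.some(l => l.startsWith('a=ice-pwd:'));
}

// SRTP requires a secure RTP profile on the m= line AND a way to key it:
// a=crypto (SDES) or a=fingerprint (DTLS-SRTP). A SAVP profile without keying
// material cannot actually be set up, so it is treated as not secure.
function hasSrtp(section, sessionLines) {
  const proto = section.mline.split(' ')[2] || '';
  const secureProfile = /^(UDP\/TLS\/)?RTP\/SAVPF?$/.test(proto);
  const all = sessionLines.concat(section.attrs);
  const keyed = all.some(l => l.startsWith('a=crypto:') || l.startsWith('a=fingerprint:'));
  return secureProfile && keyed;
}

// Policy from the mail: with the pre-configured default (allowInsecureCalls
// false) any media section lacking ICE or SRTP rejects the call; if the user
// has disabled the checkbox the call proceeds but a warning is returned for
// the UI to show. `policy` and its field name are assumptions of this example.
function evaluateCallSecurity(sdp, policy = { allowInsecureCalls: false }) {
  const { session, media } = parseSdp(sdp);
  const problems = [];
  media.forEach((section, i) => {
    const kind = section.mline.split(' ')[0].slice(2); // "audio", "video", ...
    if (!hasIce(section, session)) problems.push(`m=${kind} #${i}: no ICE credentials`);
    if (!hasSrtp(section, session)) problems.push(`m=${kind} #${i}: no SRTP profile/keying`);
  });
  if (problems.length === 0) return { decision: 'allow', warning: null, problems };
  if (!policy.allowInsecureCalls) return { decision: 'reject', warning: null, problems };
  return { decision: 'allow', warning: 'This call is not secure', problems };
}

// Constructed sample: a typical legacy SIP answer, plain RTP/AVP, no ICE.
const LEGACY_SDP = [
  'v=0', 'o=- 1 1 IN IP4 192.0.2.10', 's=-', 'c=IN IP4 192.0.2.10', 't=0 0',
  'm=audio 49170 RTP/AVP 0', 'a=rtpmap:0 PCMU/8000',
].join('\r\n');

// Constructed sample: SDES-keyed SRTP but still no ICE (the "and/or" case).
const SDES_NO_ICE_SDP = [
  'v=0', 'o=- 3 1 IN IP4 192.0.2.20', 's=-', 'c=IN IP4 192.0.2.20', 't=0 0',
  'm=audio 49172 RTP/SAVP 0',
  'a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz',
].join('\r\n');

// Constructed sample: ICE credentials plus a session-level DTLS fingerprint.
const SECURE_SDP = [
  'v=0', 'o=- 2 1 IN IP4 198.51.100.7', 's=-', 't=0 0',
  'a=fingerprint:sha-256 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:' +
    '00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF',
  'm=audio 9 RTP/SAVPF 111', 'c=IN IP4 0.0.0.0',
  'a=ice-ufrag:F7gI', 'a=ice-pwd:x9cml/YzichV2+XlhiMu8g',
  'a=rtpmap:111 opus/48000/2',
].join('\r\n');
```

Under the default policy `evaluateCallSecurity(LEGACY_SDP)` rejects with two problems (no ICE, no SRTP) and `SDES_NO_ICE_SDP` rejects with one; with `{ allowInsecureCalls: true }` both are allowed but carry the "This call is not secure" warning, while `SECURE_SDP` is allowed with no warning either way. Note that, as the mail itself points out, passing this check only says the media path is protected against third parties; it says nothing about what the peer does with the call once it has it.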