Re: [rtcweb] Traffic should be encrypted. (Re: Let's define the purpose of WebRTC)

Harald Alvestrand <harald@alvestrand.no> Fri, 11 November 2011 07:14 UTC

Return-Path: <harald@alvestrand.no>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 895E11F0C5F for <rtcweb@ietfa.amsl.com>; Thu, 10 Nov 2011 23:14:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kWs1SwtOTmQa for <rtcweb@ietfa.amsl.com>; Thu, 10 Nov 2011 23:14:12 -0800 (PST)
Received: from eikenes.alvestrand.no (eikenes.alvestrand.no [158.38.152.233]) by ietfa.amsl.com (Postfix) with ESMTP id DE8031F0C35 for <rtcweb@ietf.org>; Thu, 10 Nov 2011 23:14:11 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by eikenes.alvestrand.no (Postfix) with ESMTP id 022EB39E12F; Fri, 11 Nov 2011 08:14:11 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at eikenes.alvestrand.no
Received: from eikenes.alvestrand.no ([127.0.0.1]) by localhost (eikenes.alvestrand.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NaXsBPpPKN+b; Fri, 11 Nov 2011 08:14:10 +0100 (CET)
Received: from [192.168.0.14] (c213-89-141-213.bredband.comhem.se [213.89.141.213]) by eikenes.alvestrand.no (Postfix) with ESMTPS id 6E10B39E048; Fri, 11 Nov 2011 08:14:10 +0100 (CET)
Message-ID: <4EBCCB42.8040100@alvestrand.no>
Date: Fri, 11 Nov 2011 08:14:10 +0100
From: Harald Alvestrand <harald@alvestrand.no>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: Roman Shpount <roman@telurix.com>
References: <CALiegfkVNVAs_MyU_-4koA4zRwSn1-FwLjY9g_oZVkhi9rSK5Q@mail.gmail.com> <1D062974A4845E4D8A343C653804920206D3B7FD@XMB-BGL-414.cisco.com> <387F9047F55E8C42850AD6B3A7A03C6C0134A105@inba-mail01.sonusnet.com> <1F2A2C70609D9E41844A2126145FC09804691DA2@HKGMBOXPRD22.polycom.com> <CALiegfmf59jb4asUu9LA6YY_aMtKEnM1Wy34KbuLEn3_h1xBXA@mail.gmail.com> <CALiegfmM1PB=VAQjfh4rW3-3C8aumHdWy9nZxD0-BWBq9Kq_tg@mail.gmail.com> <1D062974A4845E4D8A343C653804920206D3BA57@XMB-BGL-414.cisco.com> <CALiegfkWnRT8m4S9pXTxuLsc-p_bhkG3d=PX3qgiFFt5gW5yfw@mail.gmail.com> <CAD5OKxvQYVKOZF88WLCiRseg-qXQdOpKeDU_t9b-yA2GcDBT-w@mail.gmail.com> <CABcZeBOiPxz_swdaG6Aqoch1WAUtjNh4eOQy1QObCDXT_B8azg@mail.gmail.com> <CAD5OKxtp+LQBRCHgbWdJyrSRcpNQ82i64TJgGtGPrE7+GKcEog@mail.gmail.com> <4EBC3475.90706@alvestrand.no> <CAD5OKxu_-+ZRsqpUBkFSj=tYtOKG0pK3JoQTZHwQGMuBCnp0Gw@mail.gmail.com> <4EBC4401.2090703@alvestrand.no> <CAD5OKxuaWJ3SBv+0gac6EQy6-Lsb-LS_SBXk5FqObKy4mN6wNg@mail.gmail.com>
In-Reply-To: <CAD5OKxuaWJ3SBv+0gac6EQy6-Lsb-LS_SBXk5FqObKy4mN6wNg@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] Traffic should be encrypted. (Re: Let's define the purpose of WebRTC)
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Nov 2011 07:14:12 -0000

On 11/10/2011 11:07 PM, Roman Shpount wrote:
>
> These arguments are not very strong and would not prevent WebRTC from 
> being used (except the illegal part). My main problem is that 
> mandatory encryption is not serving any useful purpose. I strongly 
> oppose the illusion of security when communications are not secure. If 
> an application is delivered over HTTP, the fact that media is 
> encrypted is irrelevant and provides no useful security. There is a 
> duality about web based applications with HTTP and HTTPS. I think 
> WebRTC should reflect this. 
I still don't get this. The same logic would say that there's no reason 
to use WPA for your home wireless network as long as you're only sending 
HTTP. Firesheep to the rescue.

Encryption of the media path protects you against *some* of the 
attackers *some* of the time.
Only a solidly designed end-to-end-protected mechanism, including safe 
storage of keying materials in locations where zero-day exploits can't 
get at them, will protect you against *all* the attackers *all* of the 
time (as long as the attackers didn't make your hardware, OS or 
application).

> There is a working model present for HTTP applications already (secure 
> document -- secure communications, insecure document -- insecure 
> communications), so I do not see the reason to break it.
I don't see that one working, either. Witness the number of HTTP sites 
that use HTTPS form submission (the document's vulnerable to an attacker, 
yet sent over a trusted path), or the number of times my Chrome warns me 
about mixed content from well-renowned sites.

The current ecosystem is an out-and-out muddle, not a clean model. And 
the exploits are rife.
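The two mismatches Harald points at (an HTTP document whose form posts to HTTPS, and an HTTPS document that pulls in HTTP subresources) are easy to check mechanically. The following script is an added example, not code from the thread or from any rtcweb participant; the page URLs and HTML snippets in it are constructed for illustration, and the finding names are my own labels. It resolves every form action and script/img/iframe/link URL against the page origin and reports where the document's transport and the submission or subresource transport disagree.

```python
"""Flag scheme mismatches between a page and what it submits or loads.

Added example (not from the rtcweb thread). The three finding kinds are
assumed labels:
  https-form-on-http-page   document can be modified in transit, yet the
                            form posts over a trusted path
  insecure-form-on-https-page  trusted document, but the form posts in clear
  mixed-content             trusted document loading HTTP subresources
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _TransportCollector(HTMLParser):
    """Collect form actions and subresource URLs, resolved against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []       # absolute form action URLs
        self.resources = []   # absolute script/img/iframe/link URLs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A form with no action posts back to the page itself.
            self.forms.append(urljoin(self.page_url, a.get("action") or ""))
        elif tag in ("script", "img", "iframe") and a.get("src"):
            self.resources.append(urljoin(self.page_url, a["src"]))
        elif tag == "link" and a.get("href"):
            self.resources.append(urljoin(self.page_url, a["href"]))


def classify_transport(page_url, html):
    """Return (finding, url) pairs for every scheme mismatch on the page."""
    page_scheme = urlsplit(page_url).scheme
    parser = _TransportCollector(page_url)
    parser.feed(html)
    findings = []
    for action in parser.forms:
        action_scheme = urlsplit(action).scheme
        if page_scheme == "http" and action_scheme == "https":
            findings.append(("https-form-on-http-page", action))
        elif page_scheme == "https" and action_scheme == "http":
            findings.append(("insecure-form-on-https-page", action))
    for res in parser.resources:
        if page_scheme == "https" and urlsplit(res).scheme == "http":
            findings.append(("mixed-content", res))
    return findings


# Constructed sample pages (hostnames and paths are made up).
SAMPLE_HTTP_LOGIN = """
<html><body>
<img src="/logo.png">
<form method="post" action="https://shop.example/session">
  <input name="user"><input name="pass" type="password">
</form>
</body></html>
"""

SAMPLE_HTTPS_APP = """
<html><head>
<link rel="stylesheet" href="/static/app.css">
<script src="http://cdn.example/lib.js"></script>
</head><body>
<form method="post" action="http://bank.example/transfer"></form>
</body></html>
"""

if __name__ == "__main__":
    for url, html in (("http://shop.example/login", SAMPLE_HTTP_LOGIN),
                      ("https://bank.example/app", SAMPLE_HTTPS_APP)):
        for kind, target in classify_transport(url, html):
            print(f"{url}: {kind} -> {target}")
```

The check is deliberately narrow: it only compares schemes, so an HTTP page posting to HTTP is reported as nothing, which is exactly the "insecure document, insecure communications" case Harald argues is not a clean model in practice either. Run it over a crawl of your own properties to find the cases a browser's mixed-content warning would otherwise be the first to tell you about.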