Re: [rtcweb] Traffic should be encrypted. (Re: Let's define the purpose of WebRTC)

Harald Alvestrand <harald@alvestrand.no> Thu, 10 November 2011 21:37 UTC

On 11/10/2011 09:51 PM, Roman Shpount wrote:
>
> On Thu, Nov 10, 2011 at 3:30 PM, Harald Alvestrand
> <harald@alvestrand.no> wrote:
>
>     (BTW, Google searches did not immediately bring up verification
>     for that claim of 99% of Web traffic being HTTP.... do you have a
>     citation for that?)
>
>
> Not really, this is just an estimate. Some fact points for you -- 
> Facebook is HTTP and that is about 25% of web page visits.
Facts are slippery things. Facebook offers an option to have HTTPS 
always, so every hit from my account on Facebook is HTTPS, not HTTP.
> YouTube is HTTP also and that's about 7%. 
> (http://weblogs.hitwise.com/heather-dougherty/2010/11/facebookcom_generates_nearly_1_1.html)
> I think the whole discussion degraded to the point of being pointless. 
> You say that you need mandatory encryption regardless of what I am saying.
Not really what I was saying.

Since you dragged in the division of traffic between HTTP and HTTPS as 
an argument, I thought I'd state an absolutist position too. That's 
different from what I am looking for when seeking consensus. For some 
reasons why I hold that position, I recommend "Little Brother" by Cory 
Doctorow. It's a fun read.
> I would not agree to mandatory encryption unless you explain to me why 
> this is not something that WebRTC application developer should not 
> control.
I am still waiting for a compelling argument for why the application 
developer *needs* to be able to run without encryption.
So far, we've heard arguments that:

- encryption uses more CPU (true, but arguably not significant compared 
to media processing)
- It is needed for legacy interoperability (may be true for some, but 
not necessarily compelling)
- It helps debugging (which has been disputed by people who debug systems)

Did I miss some?

The ability to turn off encryption increases the opportunity for attacks 
on services that *want* to be secure (bid-down attacks); I think that's 
uncontroversial.

> Application developer can circumvent media security in any way he 
> wants (by sending it to a middle box and recording for example), so I 
> really do not understand why he cannot just turn the encryption off. 
> On the web, where origin of applications can be unknown, their 
> integrity uncertain, delivery un-secure, and purpose unpredictable, I 
> do not understand why you insist on mandatory encryption. It will not 
> provide more security, will just restrict things for no real gain.
And I pursue the argument from the other end: Given that encryption is 
available, and the cost mostly negligible, what is the value of turning 
it *off*?

All that said .... I'm able to live with having the RTCWEB standard 
suite say "mandatory to implement, not mandatory to use". I just think 
the arguments for doing so are weak.
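
An added illustration of the bid-down concern raised in this message; it is not part of the message or of any RTCWEB document. It assumes negotiation is carried in SDP, where the `m=` line profile (`RTP/SAVPF` versus `RTP/AVPF`) marks encrypted versus plaintext media; the function names, policy labels and sample offers are constructed for the example.

```javascript
// Added example. Profile names are the registered SDP transport profiles;
// everything else (function names, policy labels, offers) is constructed.
const SECURE_PROFILES = new Set([
  "RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF",
]);

// Return the transport profile of every media section ("m=" line) in an SDP blob.
function mediaProfiles(sdp) {
  return sdp.split(/\r?\n/)
    .filter((line) => line.startsWith("m="))
    .map((line) => {
      const [media, , proto] = line.slice(2).trim().split(/\s+/);
      return { media, proto, secure: SECURE_PROFILES.has(proto) };
    });
}

// "mandatory-to-use": plaintext media is never accepted, so a stripped
// offer fails closed. "optional": the receiver takes whatever arrives.
function acceptOffer(sdp, policy) {
  const sections = mediaProfiles(sdp);
  if (sections.length === 0) return { accepted: false, reason: "no media sections" };
  const plaintext = sections.filter((s) => !s.secure).map((s) => s.media);
  if (plaintext.length > 0 && policy === "mandatory-to-use") {
    return { accepted: false, reason: "plaintext media: " + plaintext.join(",") };
  }
  return { accepted: true, encrypted: plaintext.length === 0 };
}

// Constructed offer as written by a service that wants encrypted media.
const sentOffer = [
  "v=0",
  "m=audio 49170 RTP/SAVPF 0",
  "m=video 51372 RTP/SAVPF 96",
].join("\r\n");

// Constructed: the same offer as it arrives after being altered in transit
// over unprotected signaling, with the secure profile bid down.
const receivedOffer = sentOffer.replace(/RTP\/SAVPF/g, "RTP/AVPF");

function demo() {
  return {
    optional: acceptOffer(receivedOffer, "optional"),
    mandatory: acceptOffer(receivedOffer, "mandatory-to-use"),
    untouched: acceptOffer(sentOffer, "mandatory-to-use"),
  };
}
console.log(demo());
```

With the optional policy the altered offer is accepted and the call runs in the clear without either endpoint seeing an error; with the mandatory policy the same offer is rejected.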