Re: [rtcweb] Traffic should be encrypted. (Re: Let's define the purpose of WebRTC)

Harald Alvestrand <> Thu, 10 November 2011 21:37 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6B8081F0C3E for <>; Thu, 10 Nov 2011 13:37:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -110.598
X-Spam-Status: No, score=-110.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id qypXY3npNztP for <>; Thu, 10 Nov 2011 13:37:07 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 3E09A1F0C38 for <>; Thu, 10 Nov 2011 13:37:07 -0800 (PST)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 84D2539E148; Thu, 10 Nov 2011 22:37:06 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id c31scDj5NldO; Thu, 10 Nov 2011 22:37:05 +0100 (CET)
Received: from [] ( []) by (Postfix) with ESMTPS id ACEF539E089; Thu, 10 Nov 2011 22:37:05 +0100 (CET)
Message-ID: <>
Date: Thu, 10 Nov 2011 22:37:05 +0100
From: Harald Alvestrand <>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: Roman Shpount <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------030108050907080104020901"
Subject: Re: [rtcweb] Traffic should be encrypted. (Re: Let's define the purpose of WebRTC)
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 10 Nov 2011 21:37:08 -0000

On 11/10/2011 09:51 PM, Roman Shpount wrote:
> On Thu, Nov 10, 2011 at 3:30 PM, Harald Alvestrand 
> < <>> wrote:
>     (BTW, Google searches did not immediately bring up verification
>     for that claim of 99% of Web traffic being HTTP.... do you have a
>     citation for that?)
> Not really, this is just an estimate. Some fact point for you -- 
> facebook is HTTP and that is about 25% of web page visits.
Facts are slippery things. Facebook offers an option to have HTTPS 
always, so every hit from my account on Facebook is HTTPS, not HTTP.
> Youtube is HTTP also and that's about 7%. 
> (
> I think the whole discussion degraded to the point of being pointless. 
> You say that you need mandatory encryption regardless of what I am saying.
Not really what I was saying.

Since you dragged in the division of traffic between HTTP and HTTPS as 
an argument, I thought I'd state an absolutist position too. That's 
different from what I am looking for when seeking consensus. For some 
reasons why I hold that position, I recommend "Little Brother" by Cory 
Doctorow. It's a fun read.
> I would not agree to mandatory encryption unless you explain to me why 
> this is not something that WebRTC application developer should not 
> control.
I am still waiting for a compelling argument for why the application 
developer *needs* to be able to run without encryption.
So far, we've heard arguments that:

- encryption uses more CPU (true, but arguably not significant compared 
to media processing)
- It is needed for legacy interoperability (may be true for some, but 
not necessarily compelling)
- It helps debugging (which has been disputed by people who debug systems)

Did I miss some?

The ability to turn off encryption increases the opportunity for attacks 
on services that *want* to be secure (bid-down attacks); I think that's 

> Application developer can circumvent media security in any way he 
> wants (by sending it to a middle box and recording for example), so I 
> really do not understand why he cannot just turn the encryption off. 
> On the web, where origin of applications can be unknown, their 
> integrity uncertain, delivery un-secure, and purpose unpredictable, I 
> do not understand why you insist on mandatory encryption. It will not 
> provide more security, will just restrict things for no real gain.
And I pursue the argument from the other end: Given that encryption is 
available, and the cost mostly negligible, what is the value of turning 
it *off*?

All that said .... I'm able to live with having the RTCWEB standard 
suite say "mandatory to implement, not mandatory to use". I just think 
the arguments for doing so are weak.