Re: [rtcweb] SRTP and "marketing"
Roman Shpount <roman@telurix.com> Thu, 29 March 2012 06:45 UTC
Return-Path: <roman@telurix.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A64C021E80E2 for <rtcweb@ietfa.amsl.com>; Wed, 28 Mar 2012 23:45:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.835
X-Spam-Level:
X-Spam-Status: No, score=-2.835 tagged_above=-999 required=5 tests=[AWL=0.141, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KTEcfY5k4eX6 for <rtcweb@ietfa.amsl.com>; Wed, 28 Mar 2012 23:45:58 -0700 (PDT)
Received: from mail-pb0-f44.google.com (mail-pb0-f44.google.com [209.85.160.44]) by ietfa.amsl.com (Postfix) with ESMTP id 9A79D21E80E6 for <rtcweb@ietf.org>; Wed, 28 Mar 2012 23:45:58 -0700 (PDT)
Received: by pbbrq13 with SMTP id rq13so3024028pbb.31 for <rtcweb@ietf.org>; Wed, 28 Mar 2012 23:45:57 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=lrwrCxE7y9nvXTzh4+XQ1uos2n6FS09buQggkkPpbhk=; b=Ji+raQ1cWi/GUcp+NoCDkepyKvHrJ4NZSS9SVhdZCyHKlKT0pEwvvlbDsFEuc8AswL V27JML1VgtFZJXgKpA35UCOUIqvWGfxaGe92pdClfBbMnnvE6kG7KE6j71fkEeyLmf2M 2YqGkh/8j/tT5iBUnpP5NlK/ueQ72zQyxJ8xQFGhwRxffqxzxEOObTabb/kvWhqGB/7X GX1x2+VOs+i59NttKA+xsy6eY3SWhUyt1gHrC08XzqhoTcv24n23jC90nT1RZu0cFEV/ VYATj/RAL5HRwEnDTERn8dhPKRJBPqumDabelALdntHLK06i1zWxyoXCYddjGOjQ04vC Z+vQ==
Received: by 10.68.224.99 with SMTP id rb3mr12271767pbc.79.1333003557562; Wed, 28 Mar 2012 23:45:57 -0700 (PDT)
Received: from mail-pb0-f44.google.com (mail-pb0-f44.google.com [209.85.160.44]) by mx.google.com with ESMTPS id p5sm4365044pbd.15.2012.03.28.23.45.56 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 28 Mar 2012 23:45:56 -0700 (PDT)
Received: by pbbrq13 with SMTP id rq13so3023985pbb.31 for <rtcweb@ietf.org>; Wed, 28 Mar 2012 23:45:56 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.132.99 with SMTP id ot3mr3176345pbb.160.1333003556016; Wed, 28 Mar 2012 23:45:56 -0700 (PDT)
Received: by 10.68.6.67 with HTTP; Wed, 28 Mar 2012 23:45:55 -0700 (PDT)
In-Reply-To: <4F7400C7.6070605@infosecurity.ch>
References: <4F72D6B3.40803@bbn.com> <5D67671F-417C-4C78-A560-0B16AC65E4E2@acmepacket.com> <4F73C929.9010900@mozilla.com> <CAD5OKxv_w90BsfH2unftkwxaFKN9SXR1ew16WbM26YapKNzrOQ@mail.gmail.com> <4F7400C7.6070605@infosecurity.ch>
Date: Thu, 29 Mar 2012 02:45:55 -0400
Message-ID: <CAD5OKxtqkLJ4x-qXPxsvRRgjkAn-DkCeLts79fHO8_j0E9R27g@mail.gmail.com>
From: Roman Shpount <roman@telurix.com>
To: "Fabio Pietrosanti (naif)" <lists@infosecurity.ch>
Content-Type: multipart/alternative; boundary="047d7b15a68b70d2b504bc5c13fd"
X-Gm-Message-State: ALoCoQlyvlc3jJ2x67w+GQD1eEtoIKm+MFyQRI1A53dXZJP/aOPdTo5ilT/gYL93Qcx4PMd7jGU7
Cc: "<rtcweb@ietf.org>" <rtcweb@ietf.org>
Subject: Re: [rtcweb] SRTP and "marketing"
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Mar 2012 06:45:59 -0000
On Thu, Mar 29, 2012 at 2:27 AM, Fabio Pietrosanti (naif) < lists@infosecurity.ch> wrote: > On 3/29/12 7:42 AM, Roman Shpount wrote: > > I actually believe that if sufficient > > monitoring constraints are not build into a browser (not to record but > > at least to monitor who the browser is exchanging data with and using > > what protocols), WebRTC would be simply disabled in most enterprises as > > a security risk. > > Your concern would be addressed by the use of SDES-SRTP rather than > DTLS-SRTP. > > SDES-SRTP would provide, in the context of WebRTC, the transport of SDES > key over HTTP(S) and so would let all existing methods for HTTP/HTTPS > inspection to works fine. > > Technology for inspection of HTTP/HTTPS traffic already exists, are > widely deployed and so if we transport keying material over HTTP (with > SDES-SRTP), all Enterprises will already have their existing > infrastructure in-place. > I am not sure I would agree with this. In order for what you propose to work there is a need for a reliable mechanism to extract SDP from HTTP/HTTPS traffic. This is not as simple as you would think, since JavaScript application can use any custom protocol to transmit the SDP data. It can, for instance, even implement encryption in JavaScript that will encode SDP using user supplied key, which would make SDP extraction impossible. In order to implement such inspection we need to have some sort of hook in the browser that allows an external entity to intercept and examine all the SDP being passed to and from WebRTC. Without such hook there is no benefit to SDES. With such hook there is no downside to DTLS. _____________ Roman Shpount
- [rtcweb] SRTP and "marketing" Richard L. Barnes
- Re: [rtcweb] SRTP and "marketing" Harald Alvestrand
- Re: [rtcweb] SRTP and "marketing" Richard L. Barnes
- Re: [rtcweb] SRTP and "marketing" Mahalingam Mani
- [rtcweb] Identity and authorities (Re: SRTP and "… Harald Alvestrand
- Re: [rtcweb] SRTP and "marketing" Basil Mohamed Gohar
- Re: [rtcweb] SRTP and "marketing" Dan Wing
- Re: [rtcweb] SRTP and "marketing" Hadriel Kaplan
- Re: [rtcweb] SRTP and "marketing" Hadriel Kaplan
- Re: [rtcweb] SRTP and "marketing" Jim Barnett
- Re: [rtcweb] SRTP and "marketing" Randell Jesup
- Re: [rtcweb] SRTP and "marketing" Timothy B. Terriberry
- Re: [rtcweb] SRTP and "marketing" Roman Shpount
- Re: [rtcweb] SRTP and "marketing" Fabio Pietrosanti (naif)
- Re: [rtcweb] SRTP and "marketing" Fabio Pietrosanti (naif)
- Re: [rtcweb] SRTP and "marketing" Fabio Pietrosanti (naif)
- Re: [rtcweb] SRTP and "marketing" Roman Shpount
- Re: [rtcweb] SRTP and "marketing" Hadriel Kaplan
- Re: [rtcweb] SRTP and "marketing" Dan Wing
- Re: [rtcweb] SRTP and "marketing" Randell Jesup
- Re: [rtcweb] SRTP and "marketing" Timothy B. Terriberry
- Re: [rtcweb] SRTP and "marketing" Hadriel Kaplan
- Re: [rtcweb] SRTP and "marketing" Gregory Maxwell
- Re: [rtcweb] SRTP and "marketing" Oscar Ohlsson