Re: [rtcweb] SRTP and "marketing"

Roman Shpount <roman@telurix.com> Thu, 29 March 2012 06:45 UTC

Return-Path: <roman@telurix.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A64C021E80E2 for <rtcweb@ietfa.amsl.com>; Wed, 28 Mar 2012 23:45:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.835
X-Spam-Level:
X-Spam-Status: No, score=-2.835 tagged_above=-999 required=5 tests=[AWL=0.141, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KTEcfY5k4eX6 for <rtcweb@ietfa.amsl.com>; Wed, 28 Mar 2012 23:45:58 -0700 (PDT)
Received: from mail-pb0-f44.google.com (mail-pb0-f44.google.com [209.85.160.44]) by ietfa.amsl.com (Postfix) with ESMTP id 9A79D21E80E6 for <rtcweb@ietf.org>; Wed, 28 Mar 2012 23:45:58 -0700 (PDT)
Received: by pbbrq13 with SMTP id rq13so3024028pbb.31 for <rtcweb@ietf.org>; Wed, 28 Mar 2012 23:45:57 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=lrwrCxE7y9nvXTzh4+XQ1uos2n6FS09buQggkkPpbhk=; b=Ji+raQ1cWi/GUcp+NoCDkepyKvHrJ4NZSS9SVhdZCyHKlKT0pEwvvlbDsFEuc8AswL V27JML1VgtFZJXgKpA35UCOUIqvWGfxaGe92pdClfBbMnnvE6kG7KE6j71fkEeyLmf2M 2YqGkh/8j/tT5iBUnpP5NlK/ueQ72zQyxJ8xQFGhwRxffqxzxEOObTabb/kvWhqGB/7X GX1x2+VOs+i59NttKA+xsy6eY3SWhUyt1gHrC08XzqhoTcv24n23jC90nT1RZu0cFEV/ VYATj/RAL5HRwEnDTERn8dhPKRJBPqumDabelALdntHLK06i1zWxyoXCYddjGOjQ04vC Z+vQ==
Received: by 10.68.224.99 with SMTP id rb3mr12271767pbc.79.1333003557562; Wed, 28 Mar 2012 23:45:57 -0700 (PDT)
Received: from mail-pb0-f44.google.com (mail-pb0-f44.google.com [209.85.160.44]) by mx.google.com with ESMTPS id p5sm4365044pbd.15.2012.03.28.23.45.56 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 28 Mar 2012 23:45:56 -0700 (PDT)
Received: by pbbrq13 with SMTP id rq13so3023985pbb.31 for <rtcweb@ietf.org>; Wed, 28 Mar 2012 23:45:56 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.132.99 with SMTP id ot3mr3176345pbb.160.1333003556016; Wed, 28 Mar 2012 23:45:56 -0700 (PDT)
Received: by 10.68.6.67 with HTTP; Wed, 28 Mar 2012 23:45:55 -0700 (PDT)
In-Reply-To: <4F7400C7.6070605@infosecurity.ch>
References: <4F72D6B3.40803@bbn.com> <5D67671F-417C-4C78-A560-0B16AC65E4E2@acmepacket.com> <4F73C929.9010900@mozilla.com> <CAD5OKxv_w90BsfH2unftkwxaFKN9SXR1ew16WbM26YapKNzrOQ@mail.gmail.com> <4F7400C7.6070605@infosecurity.ch>
Date: Thu, 29 Mar 2012 02:45:55 -0400
Message-ID: <CAD5OKxtqkLJ4x-qXPxsvRRgjkAn-DkCeLts79fHO8_j0E9R27g@mail.gmail.com>
From: Roman Shpount <roman@telurix.com>
To: "Fabio Pietrosanti (naif)" <lists@infosecurity.ch>
Content-Type: multipart/alternative; boundary=047d7b15a68b70d2b504bc5c13fd
X-Gm-Message-State: ALoCoQlyvlc3jJ2x67w+GQD1eEtoIKm+MFyQRI1A53dXZJP/aOPdTo5ilT/gYL93Qcx4PMd7jGU7
Cc: "<rtcweb@ietf.org>" <rtcweb@ietf.org>
Subject: Re: [rtcweb] SRTP and "marketing"
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Mar 2012 06:45:59 -0000

On Thu, Mar 29, 2012 at 2:27 AM, Fabio Pietrosanti (naif) <
lists@infosecurity.ch> wrote:

> On 3/29/12 7:42 AM, Roman Shpount wrote:
> > I actually believe that if sufficient
> > monitoring constraints are not build into a browser (not to record but
> > at least to monitor who the browser is exchanging data with and using
> > what protocols), WebRTC would be simply disabled in most enterprises as
> > a security risk.
>
> Your concern would be addressed by the use of SDES-SRTP rather than
> DTLS-SRTP.
>
> SDES-SRTP would provide, in the context of WebRTC, the transport of SDES
> key over HTTP(S) and so would let all existing methods for HTTP/HTTPS
> inspection to works fine.
>
> Technology for inspection of HTTP/HTTPS traffic already exists, are
> widely deployed and so if we transport keying material over HTTP (with
> SDES-SRTP), all Enterprises will already have their existing
> infrastructure in-place.
>

I am not sure I would agree with this. In order for what you propose to
work there is a need for a reliable mechanism to extract SDP from
HTTP/HTTPS traffic. This is not as simple as you would think, since
JavaScript application can use any custom protocol to transmit the SDP
data. It can, for instance, even implement encryption in JavaScript that
will encode SDP using user supplied key, which would make SDP extraction
impossible. In order to implement such inspection we need to have some sort
of hook in the browser that allows an external entity to intercept and
examine all the SDP being passed to and from WebRTC. Without such hook
there is no benefit to SDES. With such hook there is no downside to DTLS.
_____________
Roman Shpount