Re: [rtcweb] Comments on draft-ietf-rtcweb-data-channel-07
Randell Jesup <randell-ietf@jesup.org> Tue, 25 February 2014 22:00 UTC
Return-Path: <randell-ietf@jesup.org>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83BFB1A07A5 for <rtcweb@ietfa.amsl.com>; Tue, 25 Feb 2014 14:00:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.5
X-Spam-Level: *
X-Spam-Status: No, score=1.5 tagged_above=-999 required=5 tests=[BAYES_60=1.5, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XRJqWV6i-jjv for <rtcweb@ietfa.amsl.com>; Tue, 25 Feb 2014 14:00:50 -0800 (PST)
Received: from r2-chicago.webserversystems.com (r2-chicago.webserversystems.com [173.236.101.58]) by ietfa.amsl.com (Postfix) with ESMTP id 511211A01E5 for <rtcweb@ietf.org>; Tue, 25 Feb 2014 14:00:50 -0800 (PST)
Received: from pool-71-175-4-197.phlapa.fios.verizon.net ([71.175.4.197]:4843 helo=[192.168.1.12]) by r2-chicago.webserversystems.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.82) (envelope-from <randell-ietf@jesup.org>) id 1WIQ3U-0005Sq-TV for rtcweb@ietf.org; Tue, 25 Feb 2014 16:00:49 -0600
Message-ID: <530D1244.5090001@jesup.org>
Date: Tue, 25 Feb 2014 16:59:32 -0500
From: Randell Jesup <randell-ietf@jesup.org>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: rtcweb@ietf.org
References: <53077E7B.1070900@ericsson.com>
In-Reply-To: <53077E7B.1070900@ericsson.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - r2-chicago.webserversystems.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - jesup.org
X-Get-Message-Sender-Via: r2-chicago.webserversystems.com: authenticated_id: randell@jesup.org
Archived-At: http://mailarchive.ietf.org/arch/msg/rtcweb/SX4PmABLgGEaH2x6dPBSLwuRsXU
Subject: Re: [rtcweb] Comments on draft-ietf-rtcweb-data-channel-07
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Feb 2014 22:00:51 -0000
On 2/21/2014 11:27 AM, Magnus Westerlund wrote: > 5. Section 3.2: > U-C 7: Proxy browsing, where a browser uses data channels of a > PeerConnection to send and receive HTTP/HTTPS requests and > data, for example to avoid local Internet filtering or > monitoring. > > >From a data channel perspective this doesn't look strange at all, > however I get the shivers from the security implications of this. To my > understanding Peer A using Peer B to proxy browse must have B fetch all > elements that A needs into its sandbox and then transfer it to A over > the PeerConnections Data Channel. Thus, all you do are revealed to B, > massive privacy consideration. Or am I missing someway that A can tunnel > its HTTP request through B without having B see the content of those > requests, I am especially concerned with HTTPS. > > If this use case is going to stay, I do want some security consideration > discussion around it. I'll note that there are active projects looking to use this. Yes, it will likely expose non-https data to the proxy. https traffic should in theory be as protected as it normally is against proxies. This usage would support various forms of monitoring-avoidance (and avoidance of relying on local network resources such as in a WiFi hotspot). It's not a direct replacement for Tor, but it's also much less intrusive than Tor. It inherently requires some level of trust of the person proxying for you. We can expose some of the security considerations, but the primary ones would be dependent on how this is used, not that this protocol has the characteristics that would support such a use. This is mostly saying "we want it to be low overhead for stream creation and initial messages and support a bunch of them at once". -- Randell Jesup -- rjesup a t mozilla d o t com
- [rtcweb] Comments on draft-ietf-rtcweb-data-chann… Magnus Westerlund
- [rtcweb] Comments on draft-ietf-rtcweb-data-chann… Paul Kyzivat
- Re: [rtcweb] Comments on draft-ietf-rtcweb-data-c… Barry Dingle
- Re: [rtcweb] Comments on draft-ietf-rtcweb-data-c… Magnus Westerlund
- Re: [rtcweb] Comments on draft-ietf-rtcweb-data-c… Barry Dingle
- Re: [rtcweb] Comments on draft-ietf-rtcweb-data-c… Randell Jesup
- Re: [rtcweb] Comments on draft-ietf-rtcweb-data-c… Michael Tuexen
- Re: [rtcweb] Comments on draft-ietf-rtcweb-data-c… Michael Tuexen
- Re: [rtcweb] Comments on draft-ietf-rtcweb-data-c… Michael Tuexen
- Re: [rtcweb] Comments on draft-ietf-rtcweb-data-c… Michael Tuexen