Re: [rtcweb] Preserving stream isolation when traversing the network

Jim Spring <> Thu, 06 March 2014 21:18 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id F3D421A00CA for <>; Thu, 6 Mar 2014 13:18:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_18=0.6, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 0Mc89ZPPq7Gf for <>; Thu, 6 Mar 2014 13:18:11 -0800 (PST)
Received: from ( [IPv6:2a00:1450:400c:c03::232]) by (Postfix) with ESMTP id DB4461A00A3 for <>; Thu, 6 Mar 2014 13:18:10 -0800 (PST)
Received: by with SMTP id u56so3843422wes.37 for <>; Thu, 06 Mar 2014 13:18:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=k/0EeqMU9lsEyjZYuZwrPIRdnWyvCuwxDxSuh2Kflg0=; b=efmQS3THwuqNFRQ7hy34zKvCzCU6liWYfXX8dHrGfdw8ZAzOKHy9MSfcaLswtsxIWw +f6n3RjR4wOTl0RO4yjRu5AjmJyNNK7sv1FJMATdM9lZnx1Tf7LpjpBYEZ9m8JvLIVsJ f+l1eMG2xR73RsyUipUnp8IPyTEHrhZqKwTFf/v/rUdGKbgsOQEREtCA71h+kCBKyiGA neDMMNQiqewBcDhjsr/72Jy5/HJsRjrfC3089cwBOUohACaGGuTTUMPBaAdrcIe1oBmh 1Lz1yHp4+QuPbAnqkuuks933cb+FASEVwV4PLfwXmaKJQdqXkAWO4lrNXg9WrkxY6QW7 7J9A==
X-Received: by with SMTP id ia7mr13592228wjb.5.1394140685892; Thu, 06 Mar 2014 13:18:05 -0800 (PST)
Received: from ?IPv6:2001:67c:1232:108:a1c3:fb5a:5ecd:726d? ([2001:67c:1232:108:a1c3:fb5a:5ecd:726d]) by with ESMTPSA id xt1sm23027281wjb.17.2014. for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 06 Mar 2014 13:18:04 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: Jim Spring <>
In-Reply-To: <>
Date: Thu, 06 Mar 2014 21:18:04 +0000
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <>
To: "Matthew Kaufman (SKYPE)" <>
X-Mailer: Apple Mail (2.1874)
X-Mailman-Approved-At: Fri, 07 Mar 2014 02:32:10 -0800
Cc: "" <>
Subject: Re: [rtcweb] Preserving stream isolation when traversing the network
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 06 Mar 2014 21:18:13 -0000

My preference is for the former with the caveat of "asking the browser to relax the restriction" not involve ye olde generic popup asking the user for permission.  The former fits in better with the current behavior of audio/video tags.


On Mar 6, 2014, at 3:03 PM, Matthew Kaufman (SKYPE) <> wrote:

> Would be good to think about whether the default should be isolated (with a special way for sites to ask the browser to relax the restriction) or not isolated (with a way to ask for isolation). The traditional way for "the web" is to do the latter, but I think by now we've seen why we might have wished otherwise.
> Matthew Kaufman
>> -----Original Message-----
>> From: rtcweb [] On Behalf Of Martin
>> Thomson
>> Sent: Thursday, March 6, 2014 2:22 PM
>> To:
>> Subject: [rtcweb] Preserving stream isolation when traversing the network
>> There was a bit of confusion yesterday regarding stream isolation.
>> Mostly the reasons for its existence.  This email is an attempt to explain the
>> rationale in more detail, as well as to explore some of the options.
>> # Problem Statement
>> This is the feature that we rely on for creating end-to-end protected and
>> authenticated calls.  We rely on the browser preventing applications from
>> accessing these streams so that they can't be modified, recorded, sent to or
>> through servers, rendered to canvas, pushed into web audio, etc...
>> The basic idea of isolation is already an important part of the web security
>> model.  Streams that come from sources other than WebRTC already require
>> protections of this sort.  For instance, <video> tags from different origins
>> can't be rendered to canvas, and web audio cannot take the output of
>> <audio> if it was cross origin (though CORS can be used to work around this
>> limitation).
>> The problem I outlined was that any isolation property is not preserved by
>> WebRTC.  This provides a trivial means of circumvention of isolated streams.
>> Sending media using WebRTC effectively strips away isolation.
>> # Solution Options
>> As I described in the working group session, I see two ways to solve this
>> problem.  One in-band in TLS, the other in signaling.
>> We seemed to have general agreement that a signal in (D)TLS would be best.
>> Signaling creates extra attack modes.  This more closely binds the isolation
>> guarantee to the security context.
>> To that end, I've submitted an extension draft to the TLS WG.  I recommend
>> that you read it and provide comments on its applicability to RTCWEB here,
>> and comments on the mechanism itself over in TLS.
>> There is another option I really just thought of, and that is to add an
>> authenticated parameter to RTP for this purpose.  Probably as an RTP header
>> extension.  This has different properties, mostly which apply to the scope
>> question.
>> # Scope
>> We agreed yesterday that identity assertions would be scoped to the session
>> level and that a=identity is session scoped.
>> I am going to propose that stream isolation is also scoped to the session.  This
>> implies that all streams from both peers MUST be either all isolated, or that
>> they are all accessible to the application.
>> There's an argument that you could scope this to a BUNDLE, but that seems
>> like unnecessary complication to me.  For instance, we don't have any API
>> artifacts at this level, upon which this property could be attached.
>> # Data Channels
>> The question as to whether data channels are affected by this isolation is an
>> interesting one.  Data channels are inherently NEVER isolated (though we
>> could work on that for some use cases, e.g., file sharing, I don't think that
>> we're ready for that today.)
>> I would like to say that data channels can't be created on a PeerConnection
>> that has isolated streams.  It's logically cleaner that way.  If we do ever decide
>> to do confidential file transfer (for example), it would also enable that
>> without new contortions.
>> I'm not going to get militant on this point though if someone has a plausible
>> reason to allow use of data channels in the same PC as isolated streams.
>> _______________________________________________
>> rtcweb mailing list
> _______________________________________________
> rtcweb mailing list