Re: [rtcweb] Which servers to trust (Re: Consensus call regarding media security)
Iñaki Baz Castillo <ibc@aliax.net> Tue, 03 April 2012 14:24 UTC
2012/4/3 Randell Jesup <randell-ietf@jesup.org>:
> On 4/3/2012 7:55 AM, Iñaki Baz Castillo wrote:
>> If you trust the Web server (i.e. due to HTTPS usage with a valid
>> server certificate) then you will also trust that the Web server will
>> not signal your WebRTC communication to a malicious destination, am I
>> wrong?
>
>
> Partly. First, as you mention, the site can be hacked.

If the site is hacked then it does not matter whether SDES or DTLS is
being used. Both can be hacked, as demonstrated in some draft (whose
name I cannot remember now).

> Another issue is that you may NOT trust the website to avoid tapping your communication

The communication is not just the RTP, but also the signaling. If my
wife (if I had one) realizes that yesterday night I called my
ex-girlfriend, that's important enough for me (regardless of my wife
not knowing what I talked about with her).

So what? No servers? No proxies? Pure P2P for all?

Also, as said in another mail (by another person on this mailing
list), if you don't trust the web server, then we must also drop TURN
from WebRTC, since TURN URIs are provided by the web server (and it can
be hacked and so...).

Regards.

-- 
Iñaki Baz Castillo
<ibc@aliax.net>