Re: [rtcweb] Support of SDES in WebRTC

"Fabio Pietrosanti (naif)" <lists@infosecurity.ch> Thu, 29 March 2012 16:56 UTC

Return-Path: <lists@infosecurity.ch>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0F3721F8992 for <rtcweb@ietfa.amsl.com>; Thu, 29 Mar 2012 09:56:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.292
X-Spam-Level:
X-Spam-Status: No, score=-3.292 tagged_above=-999 required=5 tests=[AWL=0.008, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dd12vPti+raF for <rtcweb@ietfa.amsl.com>; Thu, 29 Mar 2012 09:56:36 -0700 (PDT)
Received: from mail-wi0-f172.google.com (mail-wi0-f172.google.com [209.85.212.172]) by ietfa.amsl.com (Postfix) with ESMTP id 8C24721F88E9 for <rtcweb@ietf.org>; Thu, 29 Mar 2012 09:56:36 -0700 (PDT)
Received: by wibhj6 with SMTP id hj6so203214wib.13 for <rtcweb@ietf.org>; Thu, 29 Mar 2012 09:56:35 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:content-type :content-transfer-encoding:x-gm-message-state; bh=NB8/a+YKp6iYAZPRgLXwOv71p/qMd7WC3TL33nAyrf0=; b=es1mVtJW9f7yNA8zVuXN6ItlmhF02h60xk1RoVW+cMm/kza1c18qfz+bRhAGnU1JcS Wxvp7uR3zjmWxqKEivMCK3f9t7n5MWgEeV4ov4ZNjk3PKih45oGFykxJeLGY4uNjJSAF iazsnj95SywZRg1DrvX2Fo33v+OFjdmzMBarmMKZ4gPp1RqOBO+3lgCVIgZmKkLF1Isa 8MdJjcaEMsxtxkgclaQdct5TWajJ+v0jUhFYiy6cI0UqSSsEeRAhwXAHLInxeteKfYCy Wwf/apIc3kl3qcazw0RjNtUaFW/NNNMsRMIWbjZ3Qs4goTFUIJ6GBgQXYd3wqfMo4FGD bphg==
Received: by 10.180.94.33 with SMTP id cz1mr7375785wib.13.1333040195591; Thu, 29 Mar 2012 09:56:35 -0700 (PDT)
Received: from sonyvaiop13.local (93-57-41-37.ip162.fastwebnet.it. [93.57.41.37]) by mx.google.com with ESMTPS id fn2sm30909421wib.0.2012.03.29.09.56.33 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 29 Mar 2012 09:56:34 -0700 (PDT)
Sender: Fabio Pietrosanti <naif@infosecurity.ch>
Message-ID: <4F749440.3010303@infosecurity.ch>
Date: Thu, 29 Mar 2012 18:56:32 +0200
From: "Fabio Pietrosanti (naif)" <lists@infosecurity.ch>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: =?UTF-8?B?ScOxYWtpIEJheiBDYXN0aWxsbw==?= <ibc@aliax.net>
References: <4F742344.802@infosecurity.ch> <A1B638D2082DEA4092A268AA8BEF294D194602D97D@ESESSCMS0360.eemea.ericsson.se> <CALiegf=GxJ2Ew9v5H4Xfb8q3j=4TFawNu-6uXRXuXK+Vug1e+w@mail.gmail.com>
In-Reply-To: <CALiegf=GxJ2Ew9v5H4Xfb8q3j=4TFawNu-6uXRXuXK+Vug1e+w@mail.gmail.com>
X-Enigmail-Version: 1.4
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Gm-Message-State: ALoCoQl8Bas/02geNkqvaDt+hruSEuFUHWpB9dlpSTrndr98QMHzxdh5xvdrT1RFlRqGhsFooFMX
Cc: "<rtcweb@ietf.org>" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Support of SDES in WebRTC
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Mar 2012 16:56:37 -0000

On 3/29/12 5:33 PM, Iñaki Baz Castillo wrote:
> 2012/3/29 Oscar Ohlsson <oscar.ohlsson@ericsson.com>om>:
>> Hi Fabio,
>>
>> My assumption has always been the following:
>>
>> - DTLS-SRTP is the default
>> - DTLS-SRTP + identity can be turned on via the JavaScript API if the webapp wishes to do so
>> - SDES can be turned on by a manipulated SDP offer/answer provided the entire webapp was retrieved over HTTPS
> 
> Please check this mail in which I explain that retrieving the web app
> by means of HTTPS means nothing:
> 
>   http://www.ietf.org/mail-archive/web/rtcweb/current/msg03914.html

Yeah, but that's an issue that relate to general web and Javascript
trust issue.

Javascript trust issue is a problem that's already discussed and
evaluated in other area and context of w3c, there are several solutions
on-going.

This kind of issue is the same considered for Javascript encryption.

Trusted javascript can be verified/loaded today trough plug-ins and by
trusting the 'application delivery source', so that's not an issue.

>From 0 up to 100 of security with Javascript you can stay at 0 or reach
100, depending on the way you deploy and use web.

Imho making SDES SDP offer/answer available to Javascript it's a great
achievement as it will be able to unlock the creativity of the
technological ecosystem.

People will probably manipulate SDP, sign it, re-encrypt it, pass it
trough OOB channels via CORS or as many other options we may envision.



-- 
Fabio Pietrosanti
Founder, CTO

Tel: +39 02 85961748 (direct)
Mobile: +39 340 1801049
E-mail: fabio.pietrosanti@privatewave.com
Skype: fpietrosanti
Linkedin: http://linkedin.com/in/secret

PrivateWave Italia S.p.A.
Via Gaetano Giardino 1 - 20123 Milano - Italy
www.privatewave.com