Re: [rtcweb] Let's define the purpose of WebRTC

Eric Rescorla <ekr@rtfm.com> Thu, 10 November 2011 05:58 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 9 Nov 2011 21:57:26 -0800
To: Roman Shpount <roman@telurix.com>
Cc: rtcweb@ietf.org

On Wed, Nov 9, 2011 at 9:48 PM, Roman Shpount <roman@telurix.com> wrote:
>
> On Thu, Nov 10, 2011 at 12:20 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>>
>> The point is that it's very hard to anticipate which communications media
>> will be used for sensitive information. To say "we don't need security
>> in this application because nobody will ever use it to discuss sensitive
>> stuff" is short-sighted. Better simply to be secure all the time.
>>
>
> So why is 99% of the web traffic HTTP? Do you want to force everybody to
> use HTTPS? I think your argument is simply stating encryption is good, no
> encryption bad, even if it is not needed or if it does not protect anything
> (WebRTC application delivered over HTTP).

My argument is that it's extremely hard to determine a priori
when encryption is needed and when it is not, as evidenced by
the fact that even in the examples *you* suggested, there are
settings when encryption is needed.

As for the question of whether encryption should be used when WebRTC
applications are used over HTTP, as Matthew Kaufman, Alan Johnston,
and myself have all observed, there are technical mechanisms
(albeit suboptimal ones) which can provide security even if the application
is delivered over HTTP (though of course this is still not advisable
for other reasons.)

-Ekr