IETF Logo Mail Archive

Re: [rtcweb] Comments on draft-ietf-rtcweb-data-channel-06

Magnus Westerlund <magnus.westerlund@ericsson.com> Thu, 13 February 2014 08:41 UTC

Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 053811A0169 for <rtcweb@ietfa.amsl.com>; Thu, 13 Feb 2014 00:41:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.851
X-Spam-Level:
X-Spam-Status: No, score=-3.851 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r3P-0BRIxgMt for <rtcweb@ietfa.amsl.com>; Thu, 13 Feb 2014 00:41:34 -0800 (PST)
Received: from mailgw2.ericsson.se (mailgw2.ericsson.se [193.180.251.37]) by ietfa.amsl.com (Postfix) with ESMTP id 8E85F1A016F for <rtcweb@ietf.org>; Thu, 13 Feb 2014 00:41:33 -0800 (PST)
X-AuditID: c1b4fb25-b7f038e000005d01-41-52fc853bfd32
Received: from ESESSHC023.ericsson.se (Unknown_Domain [153.88.253.124]) by mailgw2.ericsson.se (Symantec Mail Security) with SMTP id E2.C3.23809.B358CF25; Thu, 13 Feb 2014 09:41:32 +0100 (CET)
Received: from [127.0.0.1] (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.89) with Microsoft SMTP Server id 14.2.347.0; Thu, 13 Feb 2014 09:41:31 +0100
Message-ID: <52FC853B.60904@ericsson.com>
Date: Thu, 13 Feb 2014 09:41:31 +0100
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Randell Jesup <randell-ietf@jesup.org>, rtcweb@ietf.org
References: <5280E181.20104@ericsson.com> <9A62A3AC-F990-4358-B2E7-B8DD39A81B03@fh-muenster.de> <52FAD6EE.3070807@jesup.org>
In-Reply-To: <52FAD6EE.3070807@jesup.org>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmpmluLIzCtJLcpLzFFi42KZGfG3Rtem9U+QwYTtTBZnt2VZrP3Xzu7A 5LFkyU8mjw/L17EFMEVx2aSk5mSWpRbp2yVwZbza08xW0CFcMfvWDPYGxo38XYycHBICJhIL N31jhrDFJC7cW8/WxcjFISRwiFHiw7/djBDOckaJjTPfMIJU8QpoSly69wqsg0VAVeJH51dW EJtNwELi5o9GNhBbVCBYYueB31D1ghInZz5hAbFFBGwl3v3ZAFYjLOAs0fD3DlivkECNxKEF 88FsTqD5+79+BprPAXSRuERPYxBImFlAT2LK1RZGCFteonnrbGaIVm2JhqYO1gmMgrOQbJuF pGUWkpYFjMyrGNlzEzNz0suNNjECA/Lglt+qOxjvnBM5xCjNwaIkzvvhrXOQkEB6Yklqdmpq QWpRfFFpTmrxIUYmDk6pBsbuBVKX858G27xht7TraXA0eXZX7ne89undQlen/tp3KGUlH3P7 +sIYSzXBEhFuu11qR5fXxT9xkr2/QcHmxuw1/MtNWsMf/07ccm06RwH/ux23Xk/K/qUneiD0 8/2Cq6pPT7fsS7d/84Jt28rlrhvi9u8SXJVgprTawftIoQS/YnFZoITOi8NKLMUZiYZazEXF iQCiS3VEFgIAAA==
Subject: Re: [rtcweb] Comments on draft-ietf-rtcweb-data-channel-06
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Feb 2014 08:41:36 -0000

Hi,

Just responding to one thing. I will have a goal to review the new
versions prior to the WG session to see how well the new version
resolves my previous comments.



On 2014-02-12 03:05, Randell Jesup wrote:
> On 2/11/2014 5:47 AM, Michael Tuexen wrote:
>> On Nov 11, 2013, at 2:54 PM, Magnus Westerlund
>> <magnus.westerlund@ericsson.com> wrote:
>>
>>
>>> 3. Section 3.2:
>>>    U-C 7:  Proxy browsing, where a browser uses data channels of a
>>>       PeerConnection to send and receive HTTP/HTTPS requests and data,
>>>       for example to avoid local internet filtering or monitoring.
>>>
>>> Yes, this may be something that is possible, but to express it as a use
>>> cases intended to be supported might not be the best. We are after all
>>> likely talking about circumventing local security policies. I would also
>>> note that "Internet" is with capital I.
>> Change to Internet. The use case seems important, since there are already
>> implementations doing this (possibly not using data channels, don't
>> know).
>> Randell: What do you think?
> 
> There are people actively planning to use it for this usecase in
> high-profile applications (using datachannels), or so I am told.

Okay, this is going to be causing issue, independent on if you include
the use case explicitly or not. Please discuss this security concerns in
the security consideration section. From my perspective this has several
implications.

1. Violating a sites security policy. Can this be detected, controlled
or prevented somehow without generally blocking the data channel or even
DTLS in general?

2. What privacy implications does this have? You are putting your
proxied traffic into another browser instances JS code space. Thus isn't
that browser going to have full insight in what the first browser is
doing, including content coming over a HTTPS from the proxy to the. This
has significant trust issues.

Cheers

Magnus Westerlund

----------------------------------------------------------------------
Services, Media and Network features, Ericsson Research EAB/TXM
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Färögatan 6                 | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email