Re: [rtcweb] SRTP and "marketing"

Gregory Maxwell <gmaxwell@juniper.net> Fri, 30 March 2012 15:39 UTC

Return-Path: <gmaxwell@juniper.net>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2756C21F86D1 for <rtcweb@ietfa.amsl.com>; Fri, 30 Mar 2012 08:39:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.524
X-Spam-Level:
X-Spam-Status: No, score=-6.524 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tfCB0QAKQIPS for <rtcweb@ietfa.amsl.com>; Fri, 30 Mar 2012 08:39:28 -0700 (PDT)
Received: from exprod7og108.obsmtp.com (exprod7og108.obsmtp.com [64.18.2.169]) by ietfa.amsl.com (Postfix) with ESMTP id 7F64C21F86D0 for <rtcweb@ietf.org>; Fri, 30 Mar 2012 08:39:28 -0700 (PDT)
Received: from P-EMHUB01-HQ.jnpr.net ([66.129.224.36]) (using TLSv1) by exprod7ob108.postini.com ([64.18.6.12]) with SMTP ID DSNKT3XTrk5eje+ekmRSX7KPy9HZW/g1uDPf@postini.com; Fri, 30 Mar 2012 08:39:28 PDT
Received: from EMBX01-HQ.jnpr.net ([fe80::c821:7c81:f21f:8bc7]) by P-EMHUB01-HQ.jnpr.net ([fe80::fc92:eb1:759:2c72%11]) with mapi; Fri, 30 Mar 2012 08:37:57 -0700
From: Gregory Maxwell <gmaxwell@juniper.net>
To: Randell Jesup <randell-ietf@jesup.org>, "rtcweb@ietf.org" <rtcweb@ietf.org>
Date: Fri, 30 Mar 2012 08:37:57 -0700
Thread-Topic: [rtcweb] SRTP and "marketing"
Thread-Index: Ac0N903AuI/AsopKSqCZGCBYPaD84QAjG+ne
Message-ID: <BCB3F026FAC4C145A4A3330806FEFDA94086731AFA@EMBX01-HQ.jnpr.net>
References: <4F72D6B3.40803@bbn.com> <5D67671F-417C-4C78-A560-0B16AC65E4E2@acmepacket.com> <4F73B2B6.9080008@jesup.org> <6493BD08-5A9B-48AB-8D5C-8778384948A3@acmepacket.com>, <4F74DAA1.4080103@jesup.org>
In-Reply-To: <4F74DAA1.4080103@jesup.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [rtcweb] SRTP and "marketing"
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Mar 2012 15:39:29 -0000

Randell Jesup [randell-ietf@jesup.org] wrote:
> That's not of no benefit. It's not of real
> benefit to J. Random Salesman, but even non-political people may worry
> about someone watching in more than they worry about listening in.
> (#include lawsuits over schools using laptop computers to take snapshots
> from student computers at home, etc, etc).

A point which needs to be emphasized is that undetectable attacks are
not at all the same thing as detectable attacks: Even when the chance
of detection is somewhat low, if the cost of detection is high the
possibility of it can be an effective deterrent.

Assuming 'hardcoded' ephemeral key agreement, Users Comparing
Tools->PageInfo->Media->session fingerprint — especially if documented
as a best practice in HowToBeParanoid documents— would be likely to
detect network level mass interception, even if the chance of detection
on a case by case is very low.  This makes the development and deployment
of _covert_ mass surveillance/censorship infrastructure, the sort with
the greatest negative human rights value, less attractive from a cost
benefit perspective.

(Of course, it does nothing for non-secret monitoring— but when the
monitoring is not secret the users of protcol have the most important
information they need in order to make an informed choice about how
they communicate, what public policies they live under, who they have
providing their network services, etc)

In computer and cryptographic security we're often concerned with absolute
protection. This is because absolute security is often achievable in this
area,  a luxury few other kinds of security have. But where absolute
security can't be provided (e.g. we _can't_ prevent MITM without hard to
provide and often missing identity service), relative security still has
value. When considering the real world context of attacks always being
a cost benefit trade-off the removal of nearly-undetectable attacks is as
an enormous relative improvement as is the removal of passive sniffing.