Re: [rtcweb] Solutions sought for non-ICE RTC calls, not +1 (Re: Requiring ICE for RTC calls)

Eric Rescorla <ekr@rtfm.com> Tue, 27 September 2011 23:28 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A39421F8F4C for <rtcweb@ietfa.amsl.com>; Tue, 27 Sep 2011 16:28:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.902
X-Spam-Level:
X-Spam-Status: No, score=-102.902 tagged_above=-999 required=5 tests=[AWL=0.074, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nZtKOeDi+AYR for <rtcweb@ietfa.amsl.com>; Tue, 27 Sep 2011 16:28:07 -0700 (PDT)
Received: from mail-ww0-f44.google.com (mail-ww0-f44.google.com [74.125.82.44]) by ietfa.amsl.com (Postfix) with ESMTP id 2BD9A21F8F1D for <rtcweb@ietf.org>; Tue, 27 Sep 2011 16:28:07 -0700 (PDT)
Received: by wwf22 with SMTP id 22so5378090wwf.13 for <rtcweb@ietf.org>; Tue, 27 Sep 2011 16:30:53 -0700 (PDT)
Received: by 10.227.11.194 with SMTP id u2mr476351wbu.76.1317166253169; Tue, 27 Sep 2011 16:30:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.227.196.83 with HTTP; Tue, 27 Sep 2011 16:30:13 -0700 (PDT)
In-Reply-To: <CAD5OKxte2DYbgtFpF2jQGq_thYCyb1Li2ih5J6gpzamhJvRyTA@mail.gmail.com>
References: <CAD5OKxtNjmWBz92bRuxka7e-BUpTPgVUvr3ahJGpmZ-U5nuPbQ@mail.gmail.com> <CAD6AjGSmz5T_F+SK2EoBQm6T-iRKp7dd4j8ZAF5JKdbbyomZQA@mail.gmail.com> <CALiegfmO54HC+g9L_DYn4jtXAAbLEvS++qxKa6TNrLDREs9SeA@mail.gmail.com> <4E80984A.903@skype.net> <CALiegfmyvTb57WVooKryS-ubfcg+w5gZ+zfO1zzBLn3609AzaA@mail.gmail.com> <4E809EE6.2050702@skype.net> <2E239D6FCD033C4BAF15F386A979BF510F1087@sonusinmail02.sonusnet.com> <BLU152-W62B7F2AC3F0D5B6E277CB993F00@phx.gbl> <CAD5OKxt=P3jg9N0weFUZLvUYQxyeXa+9YMtpc8wn7osuPQmTpg@mail.gmail.com> <CAD5OKxtVCgiFV_iAYd1w0uZZcS5+gsixOHJ0jGN=0CMdq++kdg@mail.gmail.com> <CAOJ7v-3PrnNyesL+x-mto9Q9djjiJ13QZHXCiGfY1mv3nubrqQ@mail.gmail.com> <CAD5OKxsKTHCuBQdUnGQtGfF7NmZZExLe9Q9B9cNR=483neuHPQ@mail.gmail.com> <CAOJ7v-1rzdmviAnGknVZmrU_TDNoC3NmWd1g6iyx0WzZ4xB3Pw@mail.gmail.com> <4E820825.9090101@skype.net> <CAD5OKxvmKi3Py0gNcTdREdfS07hA-=f6L+u8KKVgSWztMft9kQ@mail.gmail.com> <CALiegfmL4VSRE+kgs5kXzQc3mCHnKpU-EAbVPKO4QNEYLKje=A@mail.gmail.com> <4E821E47.4080205@alvestrand.no> <CALiegfndBhod6Hoq6h63795x8f=ew28rDys=Fx8ScwVpVJwp1Q@mail.gmail.com> <CABcZeBOoF6MNSpATG2+_e99iRq7Jf9OoWWNCa=qRGW_v+maoHA@mail.gmail.com> <CAD5OKxubnxLAqybCgnBXpKR9S0rBEsoDg9enCaverjVWYad7Ew@mail.gmail.com> <CABcZeBPoQSM=L0-Er3j-ak2M6YfCbJkThbYuR_+=xUmcsxQz9Q@mail.gmail.com> <CAD5OKxsVE+LwKEcpe+hf+=i87Ucga0_VpkUGJkH5=HixV5Xkmw@mail.gmail.com> <CABcZeBM+FD5y7WenD=d_7jM1Fu+OrFyFgtsd1iGMpGfMe_gOKQ@mail.gmail.com> <CAD5OKxte2DYbgtFpF2jQGq_thYCyb1Li2ih5J6gpzamhJvRyTA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 27 Sep 2011 16:30:13 -0700
Message-ID: <CABcZeBPeFCdVvrgLh_-kcBwbM=knemo_rjKg-gEz9s35CqzPGQ@mail.gmail.com>
To: Roman Shpount <roman@telurix.com>
Content-Type: multipart/alternative; boundary=002215974c5ea15c9a04adf4aa9f
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] Solutions sought for non-ICE RTC calls, not +1 (Re: Requiring ICE for RTC calls)
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Sep 2011 23:28:08 -0000

On Tue, Sep 27, 2011 at 4:20 PM, Roman Shpount <roman@telurix.com> wrote:

>
> On Tue, Sep 27, 2011 at 6:54 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>> I'm sorry, but I think you're still missing the point: requiring ICE *is*
>> the security
>> feature.
>>
>>
> I'm sorry, but it I do get the point: ICE is security. My point is, if you
> have a trust relationship with a site, ICE validation can be bypassed, i.e.
> if you trust the application on the site you trust it not to do something
> malicious with your media.  You point is that you do not trust the user with
> the decision to turn off ICE or trust the website, since unlike with all the
> other security decisions this can be used to hurt other people vs. just
> users themselves. So, unless we can invent a robust mechanism to set trust
> agreements with specific web sites, we would be better off forcing ICE for
> everybody. Is this correct description of the problem?
>

I don't know what "trust agreements with specific web sites" means.

The basic situation here is that browser vendors do not want to ship
browsers
which can be used as an attack platform. And since the victim is not the
user
but rather the recipient of the traffic, that's why WebSockets and CORS
require that the server (i.e., the recipient of the traffic) confirm its
willingness
to receive the traffic, as opposed to having the user agree to it. I don't
see
how any trust mechanism that doesn't involve the recipient can have the
right security properties.

-Ekr