[rtcweb] #9: Section 4.3.2
"rtcweb issue tracker" <trac+rtcweb@trac.tools.ietf.org> Sat, 16 February 2013 22:17 UTC
#9: Section 4.3.2

 4.3.2. Protecting Against During-Call Attack

 Protecting against attacks during a call is a more difficult
 proposition. Even if the calling service cannot directly access
 keying material (as recommended in the previous section), it can
 simply mount a man-in-the-middle attack on the connection, telling
 Alice that she is calling Bob and Bob that he is calling Alice, while
 in fact the calling service is acting as a calling bridge and
 capturing all the traffic. While in theory it is possible to
 construct techniques which protect against this form of attack, in
 practice these techniques all require far too much user intervention
 to be practical, given the user interface constraints described in
 [abarth-rtcweb].

 [BA] I think it's more than a user intervention/user interface issue.
 Aside from snooping the signaling to see if the callee includes an
 "isfocus" tag, how can the browser know if it is calling a conference
 bridge or not? Personally, I'd remove the "in theory" sentence.

--
---------------------------------------+---------------------------------------------------------
 Reporter:  bernard_aboba@hotmail.com  |      Owner:  draft-ietf-rtcweb-security@tools.ietf.org
     Type:  defect                     |     Status:  new
 Priority:  major                      |  Milestone:  milestone1
Component:  security                   |    Version:  1.0
 Severity:  In WG Last Call            |   Keywords:
---------------------------------------+---------------------------------------------------------

Ticket URL: <http://wiki.tools.ietf.org/wg/rtcweb/trac/ticket/9>
rtcweb <http://tools.ietf.org/rtcweb/>