[rtcweb] #9: Section 4.3.2

"rtcweb issue tracker" <trac+rtcweb@trac.tools.ietf.org> Sat, 16 February 2013 22:17 UTC

From: rtcweb issue tracker <trac+rtcweb@trac.tools.ietf.org>
To: draft-ietf-rtcweb-security@tools.ietf.org, bernard_aboba@hotmail.com
Date: Sat, 16 Feb 2013 22:17:31 -0000
X-Trac-Ticket-URL: http://wiki.tools.ietf.org/wg/rtcweb/trac/ticket/9
Message-ID: <066.51c3f46119e508d40c7a15d26fcbb509@trac.tools.ietf.org>
Cc: rtcweb@ietf.org
Subject: [rtcweb] #9: Section 4.3.2

#9: Section 4.3.2

 4.3.2. Protecting Against During-Call Attack

    Protecting against attacks during a call is a more difficult
    proposition.  Even if the calling service cannot directly access
    keying material (as recommended in the previous section), it can
    simply mount a man-in-the-middle attack on the connection, telling
    Alice that she is calling Bob and Bob that he is calling Alice, while
    in fact the calling service is acting as a calling bridge and
    capturing all the traffic.  While in theory it is possible to
    construct techniques which protect against this form of attack, in
    practice these techniques all require far too much user intervention
    to be practical, given the user interface constraints described in
    [abarth-rtcweb].

 [BA] I think it's more than a user intervention/user interface issue.
 Aside from snooping the signaling to see if the callee includes an
 "isfocus" tag, how can the browser know if it is calling a conference
 bridge or not? Personally, I'd remove the "in theory" sentence.

-- 
-------------------------------------+-------------------------------------
 Reporter:                           |      Owner:  draft-ietf-rtcweb-
  bernard_aboba@hotmail.com          |  security@tools.ietf.org
     Type:  defect                   |     Status:  new
 Priority:  major                    |  Milestone:  milestone1
Component:  security                 |    Version:  1.0
 Severity:  In WG Last Call          |   Keywords:
-------------------------------------+-------------------------------------

Ticket URL: <http://wiki.tools.ietf.org/wg/rtcweb/trac/ticket/9>
rtcweb <http://tools.ietf.org/rtcweb/>