Re: [rtcweb] Support of SDES in WebRTC
Roman Shpount <roman@telurix.com> Fri, 30 March 2012 03:30 UTC
Return-Path: <roman@telurix.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C45DA21F86BA for <rtcweb@ietfa.amsl.com>; Thu, 29 Mar 2012 20:30:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.836
X-Spam-Level:
X-Spam-Status: No, score=-2.836 tagged_above=-999 required=5 tests=[AWL=0.140, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gxgS-Va5nC4s for <rtcweb@ietfa.amsl.com>; Thu, 29 Mar 2012 20:30:00 -0700 (PDT)
Received: from mail-pb0-f44.google.com (mail-pb0-f44.google.com [209.85.160.44]) by ietfa.amsl.com (Postfix) with ESMTP id F1CB121F86B6 for <rtcweb@ietf.org>; Thu, 29 Mar 2012 20:29:59 -0700 (PDT)
Received: by pbbrq13 with SMTP id rq13so1051489pbb.31 for <rtcweb@ietf.org>; Thu, 29 Mar 2012 20:29:59 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:x-gm-message-state:content-type; bh=zcFmGmN5ino8f55PlLb9+NBb/F861CdFlDycGAwO9F0=; b=colhwiMXYQay6vaoW3GkZX1KRpDK37J3UT+Ks2jRo0zAv0ZzlYG4bPQs7xrWwhZt+D UgNhoGKoE8xxc8ZpbFNzO3zqsVxm4/SaU6THsztqsiEOIXsq+vbdXRA/FqkqLQKGjwle Zs+2+N/s2dMp+hHozfY6nZjdJ6HuGd8Tlp6fI86rKBom9HVoZ7lIl0sBgmmJ1DF8Sj0N WoiMQTdv3yyeqlU017BeqXoWDul36zgAX+9Hi3rP65pQsjHJAbIuUPm5PUp1774Y+pcC X1pFMcAuZVyqwnI+0sh24LkfBn8otB3VtDXv2/GoTFoBvKr6r+cBwqPclOgZGjhJndp5 D73A==
Received: by 10.68.234.134 with SMTP id ue6mr5434577pbc.14.1333078199709; Thu, 29 Mar 2012 20:29:59 -0700 (PDT)
Received: from mail-pb0-f44.google.com (mail-pb0-f44.google.com [209.85.160.44]) by mx.google.com with ESMTPS id i1sm6358918pbj.70.2012.03.29.20.29.58 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 29 Mar 2012 20:29:58 -0700 (PDT)
Received: by pbbrq13 with SMTP id rq13so1051459pbb.31 for <rtcweb@ietf.org>; Thu, 29 Mar 2012 20:29:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.196.163 with SMTP id in3mr5481157pbc.118.1333078198064; Thu, 29 Mar 2012 20:29:58 -0700 (PDT)
Received: by 10.68.6.67 with HTTP; Thu, 29 Mar 2012 20:29:58 -0700 (PDT)
In-Reply-To: <BCB3F026FAC4C145A4A3330806FEFDA94086731AF7@EMBX01-HQ.jnpr.net>
References: <4F742344.802@infosecurity.ch> <A1B638D2082DEA4092A268AA8BEF294D194602D97D@ESESSCMS0360.eemea.ericsson.se> <CALiegf=GxJ2Ew9v5H4Xfb8q3j=4TFawNu-6uXRXuXK+Vug1e+w@mail.gmail.com> <A1B638D2082DEA4092A268AA8BEF294D194602DB63@ESESSCMS0360.eemea.ericsson.se> <BCB3F026FAC4C145A4A3330806FEFDA94086731AF7@EMBX01-HQ.jnpr.net>
Date: Thu, 29 Mar 2012 23:29:58 -0400
Message-ID: <CAD5OKxvZNK9SvrZcFhiF6X8VoinUHo8P1ZH0ys8Gw0FMYY4MTg@mail.gmail.com>
From: Roman Shpount <roman@telurix.com>
To: Gregory Maxwell <gmaxwell@juniper.net>
X-Gm-Message-State: ALoCoQmKRc/7UQtfJuUZ7VvKUNUZ6wuWvykPD6l+VD+IDnfURCldX16pEEC/ZOps7VZjqamfPOPc
Content-Type: multipart/alternative; boundary="e89a8ff1c65a7415ad04bc6d7467"
Cc: "<rtcweb@ietf.org>" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Support of SDES in WebRTC
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Mar 2012 03:30:00 -0000
On Thu, Mar 29, 2012 at 5:59 PM, Gregory Maxwell <gmaxwell@juniper.net>wrote: > Even this is insufficient. > > First, even if it is in principle possible to provide adequate > cryptographic security inside the JS applications a great many of them > won't (for many reasons). We can't eliminate inconsistency in the security > of webrtc applications— but we can certainly make it hard to go below > a certain level of security especially by accident. In particular, > if JS applications provide only authentication services (e.g. by giving > them access to hashes of the ephemeral session keys, but not the session > keys themselves) then a cryptographically-incompetent application can > only fail the user by failing to provide the authentication it promised > over and above the platform baseline capability. > > With HTTPS applications are currently free to do dumb things (mixed > content, esp scripts) but at least the browser can detected this and > alerts the user with varying degrees of loudness. In a SDES/SRTP > world the browser will not be generally able to detect insecure > behavior by applications— creating something of a lemon market > for webrtc based application security. As a resutl its important to > narrow the amount of insecurity possible. > > This is effectively a repeat of the arguments against supporting > plaintext. If plaintext is supported it will be commonly used because it's > easiest, because users can't easily tell how insecure their connection > is, and because users often don't have a good feel for the threat model > (e.g. things like firesheep were _very_ surprising to most people)... > Because of this the platform should provide the highest level of security > that can reasonably be provided in the platform, and that means (among > other things) perfect-forward-secrecy— while allowing applications to > add things like authentication on top (because while strong ephemerally > keyed crypto can be done very low in the stack, meaningful authentication > needs layer-7/8 hooks). > > There is also the application/library split issue— if a vulnerability > is found in a common negotiation procedure what secures users > better? Updating a few easily identified browsers / softphone apps? > or a much larger base of webapps, many of which would be run by security > ignorant/clueless people? (and at least if the webserver is clueful but > the client operator is not the app could yell about the insecure client, > the other way around doesn't work as well). — Really, cryptographic > negotiation is not properly an application feature, it belongs lower in > the stack, and many applications that roll their own crypto have done > a poor job of it. > > It's also inadequate on purely technical grounds: Javascript provides > no mechanism for working with mlocked memory, no mechanism to ensure > that garbage collected data gets zeroized. Your crypto app in JS could > easily have its long term keying material pulled out of free ram by > malware long after it runs, or pulled off the disk from swap. > The breakneck pace of fancy JIT systems makes it seem unlikely to me > that javascript will provide for that any time soon. > > I guess what you are saying (and I believe everybody on this list agree) is that SDES-SRTP in combination with JavaScript signaling negotiation does not and cannot provide any meaningful security above preventing simple network sniffing. _____________ Roman Shpount
- [rtcweb] Support of SDES in WebRTC Fabio Pietrosanti (naif)
- Re: [rtcweb] Support of SDES in WebRTC Oscar Ohlsson
- Re: [rtcweb] Support of SDES in WebRTC Bernard Aboba
- Re: [rtcweb] Support of SDES in WebRTC Iñaki Baz Castillo
- Re: [rtcweb] Support of SDES in WebRTC Fabio Pietrosanti (naif)
- Re: [rtcweb] Support of SDES in WebRTC Iñaki Baz Castillo
- Re: [rtcweb] Support of SDES in WebRTC Oscar Ohlsson
- Re: [rtcweb] Support of SDES in WebRTC Iñaki Baz Castillo
- Re: [rtcweb] Support of SDES in WebRTC Gregory Maxwell
- Re: [rtcweb] Support of SDES in WebRTC Roman Shpount
- Re: [rtcweb] Support of SDES in WebRTC Randell Jesup
- Re: [rtcweb] Support of SDES in WebRTC Oscar Ohlsson
- Re: [rtcweb] Support of SDES in WebRTC (Javascrip… Fabio Pietrosanti (naif)