Re: [rtcweb] Same location media

Eric Rescorla <ekr@rtfm.com> Thu, 20 October 2011 16:31 UTC

In-Reply-To: <CAD5OKxuJi_VS9fRc4P6GN-StWzMhMHAQ2MyO8zJVsMfEeQRftg@mail.gmail.com>
References: <CAD5OKxuJi_VS9fRc4P6GN-StWzMhMHAQ2MyO8zJVsMfEeQRftg@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 20 Oct 2011 09:30:22 -0700
Message-ID: <CABcZeBMhS8TOK7ztTwWV_vtNf-pesiGtD29kROAAH85GhiE4Cw@mail.gmail.com>
To: Roman Shpount <roman@telurix.com>
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] Same location media

On Thu, Oct 20, 2011 at 9:27 AM, Roman Shpount <roman@telurix.com> wrote:
> 3. There is still a security issue with ICE: we validate that a STUN request
> can be processed, but not that the media actually should be accepted from
> this application. In some sense, current Flash cross-domain policies are
> stricter, since they not only validate that media is acceptable at this IP
> but that it is acceptable from the app served from a particular server.

Unless I'm confused, you get a similar check with ICE because the target
needs not only to respond to STUN in general but also to STUN with
particular credentials, which means that the target can enforce that only
specific sites get those credentials.

-Ekr
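The credential check Ekr is describing, as an added example that is not part of this thread or of any ICE implementation: an ICE connectivity check is a STUN Binding Request carrying USERNAME (remote-ufrag:local-ufrag) and MESSAGE-INTEGRITY (HMAC-SHA1 keyed with the responder's ice-pwd, RFC 5389 / RFC 5245 short-term credentials). The responder only answers if the HMAC verifies under the password it handed out in signaling, so a page that never received the SDP cannot produce a request the target will accept. The ufrag/pwd values and the `verify_check` / `build_binding_request` helper names below are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
ATTR_USERNAME = 0x0006
ATTR_MESSAGE_INTEGRITY = 0x0008


def _attr(atype, value):
    """Encode one STUN attribute (TLV, value padded to a 4-byte boundary)."""
    pad = (4 - len(value) % 4) % 4
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * pad


def build_binding_request(local_ufrag, remote_ufrag, remote_pwd, txid=None):
    """Sender side of an ICE connectivity check (constructed example).

    USERNAME is remote-ufrag:local-ufrag; MESSAGE-INTEGRITY is HMAC-SHA1 over the
    message keyed with the *remote* agent's ice-pwd, which the sender only knows
    if it received that agent's SDP through signaling.
    """
    txid = txid or os.urandom(12)
    body = _attr(ATTR_USERNAME, f"{remote_ufrag}:{local_ufrag}".encode())
    # The header length must already count the 24-byte MESSAGE-INTEGRITY
    # attribute when the HMAC is computed, even though it is appended afterwards.
    header = struct.pack("!HHI", BINDING_REQUEST, len(body) + 24, MAGIC_COOKIE) + txid
    mac = hmac.new(remote_pwd.encode(), header + body, hashlib.sha1).digest()
    return header + body + _attr(ATTR_MESSAGE_INTEGRITY, mac)


def _parse_attrs(msg):
    """Yield (type, value, offset) for each attribute after the 20-byte header."""
    off = 20
    while off + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        yield atype, msg[off + 4:off + 4 + alen], off
        off += 4 + alen + ((4 - alen % 4) % 4)


def verify_check(msg, my_ufrag, my_pwd, expected_remote_ufrag):
    """Responder side: accept the check only if it is addressed to us, comes from
    the peer we signaled with, and its HMAC verifies under our own ice-pwd.
    Returns (accepted, reason)."""
    if len(msg) < 20 or struct.unpack("!I", msg[4:8])[0] != MAGIC_COOKIE:
        return False, "not STUN"
    attrs = {atype: (value, off) for atype, value, off in _parse_attrs(msg)}
    if ATTR_USERNAME not in attrs or ATTR_MESSAGE_INTEGRITY not in attrs:
        return False, "missing USERNAME or MESSAGE-INTEGRITY"
    try:
        target, sender = attrs[ATTR_USERNAME][0].decode().split(":", 1)
    except (UnicodeDecodeError, ValueError):
        return False, "malformed USERNAME"
    if target != my_ufrag:
        return False, "USERNAME not addressed to us"
    if sender != expected_remote_ufrag:
        return False, "sender ufrag is not the peer from signaling"
    mac, off = attrs[ATTR_MESSAGE_INTEGRITY]
    # Recompute over everything before MESSAGE-INTEGRITY, with the header length
    # patched back to the value the sender used when it computed the HMAC.
    patched = msg[:2] + struct.pack("!H", off - 20 + 24) + msg[4:off]
    expected = hmac.new(my_pwd.encode(), patched, hashlib.sha1).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad MESSAGE-INTEGRITY (wrong ice-pwd)"
    return True, "ok"


def demo():
    """Constructed scenario: peer A checks peer B; a third party who learned B's
    ufrag but never got B's SDP (so has no ice-pwd) tries the same."""
    a_ufrag, b_ufrag, b_pwd = "8hhY", "9uB6", "asd88fgpdd777uzjYhagZg1t"
    legit = build_binding_request(a_ufrag, b_ufrag, b_pwd)
    forged = build_binding_request(a_ufrag, b_ufrag, "guessed-password-xxxxxxx")
    unsigned = legit[:legit.rfind(struct.pack("!HH", ATTR_MESSAGE_INTEGRITY, 20))]
    return {
        "legit": verify_check(legit, b_ufrag, b_pwd, a_ufrag),
        "forged": verify_check(forged, b_ufrag, b_pwd, a_ufrag),
        "unsigned": verify_check(unsigned, b_ufrag, b_pwd, a_ufrag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} accepted={result[0]} ({result[1]})")
```

The sender-side check is the mirror image: the responder's STUN reply also carries MESSAGE-INTEGRITY keyed with the sender's ice-pwd, so each side proves knowledge of the other's signaled password before any media is sent to the candidate pair.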