IETF Logo Mail Archive

[rtcweb] Security issue: initial consent

Hadriel Kaplan <HKaplan@acmepacket.com> Thu, 27 October 2011 22:37 UTC

Return-Path: <HKaplan@acmepacket.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC57411E8085 for <rtcweb@ietfa.amsl.com>; Thu, 27 Oct 2011 15:37:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level:
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Elckw0eODO5A for <rtcweb@ietfa.amsl.com>; Thu, 27 Oct 2011 15:37:10 -0700 (PDT)
Received: from etmail.acmepacket.com (etmail.acmepacket.com [216.41.24.6]) by ietfa.amsl.com (Postfix) with ESMTP id 170C811E807F for <rtcweb@ietf.org>; Thu, 27 Oct 2011 15:37:09 -0700 (PDT)
Received: from MAIL2.acmepacket.com (10.0.0.22) by etmail.acmepacket.com (216.41.24.6) with Microsoft SMTP Server (TLS) id 8.2.254.0; Thu, 27 Oct 2011 18:37:08 -0400
Received: from MAIL1.acmepacket.com ([169.254.1.232]) by Mail2.acmepacket.com ([169.254.2.157]) with mapi id 14.01.0270.001; Thu, 27 Oct 2011 18:37:08 -0400
From: Hadriel Kaplan <HKaplan@acmepacket.com>
To: "rtcweb@ietf.org" <rtcweb@ietf.org>
Thread-Topic: Security issue: initial consent
Thread-Index: AQHMlPj1/y+eNK3yskqILmPug7WDLg==
Date: Thu, 27 Oct 2011 22:37:07 +0000
Message-ID: <DAE0FB53-9D19-44CF-B3A4-2EE414A9EEAA@acmepacket.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.0.0.30]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <314CC3ED04E18245B9A5CCE5813E7029@acmepacket.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: AAAAAQAAAWE=
Subject: [rtcweb] Security issue: initial consent
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Oct 2011 22:37:10 -0000

Howdy,
per the request made by the Chairs for threads on the security daft, I'm starting this one on the topic of initial media-stream consent.  This is related to section 4.2 and in particular 4.2.3 of draft-ietf-rtcweb-security.

With regards to initial consent, earlier proposals to use receipt of RTP from the peer as the consent have failed due to it being easy for a malicious JS site to generate a few RTP packets to accomplish it.  Earlier proposals to send some limited RTP and use receipt of RTCP Receiver Reports have failed because the entropy of RTCP RR's is too low, and thus malicious JS can spoof them too easily; there's also the problem that some legacy devices don't do RTCP. 

IF the above is true, then ISTM the only solution choices are one of the following:
1) Require ICE be used for all connections on the WebRTC Browser, and either ICE or ICE-Lite on the peer.
2) Require either ICE as above _or_ DTLS-SRTP be used for all RTP connection consent, since DTLS-SRTP handshake is sufficient consent.  In other words, if the Browser's peer uses DTLS-SRTP but not ICE, the Browser can use that as initial consent and continue.  If the Browser's peer does ICE, that provides initial consent.

Are there any others??

SDES-SRTP can't be used instead of DTLS-SRTP for such consent, because the JS will know the SDES key. 

I don't believe we need to worry about consent for purely data-stream connections, assuming we pick either SCTP/UDP, SCTP/DTLS/UDP, or TCP/UDP; because there's a handshake of sufficient entropy.  But I could be wrong about that.

I also believe there's one issue regarding consent which has not been documented: ICE-based or DTLS-based resource attacks.  If a malicious JS can trigger STUN-ICE, TURN-allocate, or DTLS-handshake messages to be sent to any destination by feeding the Browser malicious ROAP, the packet rates of those themselves can create a DDoS attack.  I think this needs to be documented so that Browsers throttle the number of such messages they generate.  ICE, for example, can mimic RTP rates during initial connectivity checks; so a malicious JS can simply cause ICE to restart often.

-hadriel

v2.23.0 | Report a Bug | By Email