[rtcweb] Traffic should be encrypted. (Re: Let's define the purpose of WebRTC)

Harald Alvestrand <harald@alvestrand.no> Thu, 10 November 2011 20:30 UTC

Return-Path: <harald@alvestrand.no>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 4C99921F8B03 for <rtcweb@ietfa.amsl.com>; Thu, 10 Nov 2011 12:30:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.598
X-Spam-Status: No, score=-110.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 2LfRb6UTCPZy for <rtcweb@ietfa.amsl.com>; Thu, 10 Nov 2011 12:30:48 -0800 (PST)
Received: from eikenes.alvestrand.no (eikenes.alvestrand.no []) by ietfa.amsl.com (Postfix) with ESMTP id B1A7E21F8ACE for <rtcweb@ietf.org>; Thu, 10 Nov 2011 12:30:47 -0800 (PST)
Received: from localhost (localhost []) by eikenes.alvestrand.no (Postfix) with ESMTP id C71F739E148 for <rtcweb@ietf.org>; Thu, 10 Nov 2011 21:30:46 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at eikenes.alvestrand.no
Received: from eikenes.alvestrand.no ([]) by localhost (eikenes.alvestrand.no []) (amavisd-new, port 10024) with ESMTP id 24Pd2UHbadMn for <rtcweb@ietf.org>; Thu, 10 Nov 2011 21:30:45 +0100 (CET)
Received: from [] (c213-89-141-213.bredband.comhem.se []) by eikenes.alvestrand.no (Postfix) with ESMTPS id C82A639E089 for <rtcweb@ietf.org>; Thu, 10 Nov 2011 21:30:45 +0100 (CET)
Message-ID: <4EBC3475.90706@alvestrand.no>
Date: Thu, 10 Nov 2011 21:30:45 +0100
From: Harald Alvestrand <harald@alvestrand.no>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: rtcweb@ietf.org
References: <CALiegfkVNVAs_MyU_-4koA4zRwSn1-FwLjY9g_oZVkhi9rSK5Q@mail.gmail.com> <387F9047F55E8C42850AD6B3A7A03C6C01349D81@inba-mail01.sonusnet.com> <845C03B2-1975-4145-8F52-8CEC9E360AF3@edvina.net> <5454E693-5C34-4C77-BA07-2A9EE9EE4AFD@cisco.com> <387F9047F55E8C42850AD6B3A7A03C6C01349FFE@inba-mail01.sonusnet.com> <1D062974A4845E4D8A343C653804920206D3B7FD@XMB-BGL-414.cisco.com> <387F9047F55E8C42850AD6B3A7A03C6C0134A105@inba-mail01.sonusnet.com> <1F2A2C70609D9E41844A2126145FC09804691DA2@HKGMBOXPRD22.polycom.com> <CALiegfmf59jb4asUu9LA6YY_aMtKEnM1Wy34KbuLEn3_h1xBXA@mail.gmail.com> <CALiegfmM1PB=VAQjfh4rW3-3C8aumHdWy9nZxD0-BWBq9Kq_tg@mail.gmail.com> <1D062974A4845E4D8A343C653804920206D3BA57@XMB-BGL-414.cisco.com> <CALiegfkWnRT8m4S9pXTxuLsc-p_bhkG3d=PX3qgiFFt5gW5yfw@mail.gmail.com> <CAD5OKxvQYVKOZF88WLCiRseg-qXQdOpKeDU_t9b-yA2GcDBT-w@mail.gmail.com> <CABcZeBOiPxz_swdaG6Aqoch1WAUtjNh4eOQy1QObCDXT_B8azg@mail.gmail.com> <CAD5OKxtp+LQBRCHgbWdJyrSRcpNQ82i64TJgGtGPrE7+GKcEog@mail.gmail .com>
In-Reply-To: <CAD5OKxtp+LQBRCHgbWdJyrSRcpNQ82i64TJgGtGPrE7+GKcEog@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------040608040904070905000500"
Subject: [rtcweb] Traffic should be encrypted. (Re: Let's define the purpose of WebRTC)
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Nov 2011 20:30:49 -0000

On 11/10/2011 06:48 AM, Roman Shpount wrote:
> On Thu, Nov 10, 2011 at 12:20 AM, Eric Rescorla <ekr@rtfm.com 
> <mailto:ekr@rtfm.com>> wrote:
>     The point is that it's very hard to anticipate which
>     communications media
>     will be used for sensitive information. To say "we don't need security
>     in this application because nobody will ever use it to discuss
>     sensitive
>     stuff" is short-sighted. Better simply to be secure all the time.
> So why is 99% of the web traffic is HTTP? Do you want to force 
> everybody to use HTTPS? I think your argument is simply stating 
> encryption is good, no encryption bad, even if it is not needed or if 
> it does not protect anything (WebRTC application delivered over HTTP).

Since you asked....

Working, but not speaking, for the company that just decided that open 
Web search results should go over HTTPS: yes.


Having the default Web scheme be nonencrypted and nonsecured was a 
reasonable choice given the cost (and regulatory hassle) of crypto at 
that time. Long term, it was a mistake.

(BTW, Google searches did not immediately bring up verification for that 
claim of 99% of Web traffic being HTTP.... do you have a citation for that?)