[rtcweb] AD Review: draft-ietf-rtcweb-security
Adam Roach <adam@nostrum.com> Fri, 02 November 2018 00:37 UTC
Return-Path: <adam@nostrum.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6913F128DFD; Thu, 1 Nov 2018 17:37:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.879
X-Spam-Level:
X-Spam-Status: No, score=-1.879 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1OJ7B0ZKEWDC; Thu, 1 Nov 2018 17:37:21 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B465120072; Thu, 1 Nov 2018 17:37:18 -0700 (PDT)
Received: from Orochi.local ([38.98.37.141]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id wA20b8tt088461 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 1 Nov 2018 19:37:14 -0500 (CDT) (envelope-from adam@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host [38.98.37.141] claimed to be Orochi.local
To: draft-ietf-rtcweb-security.all@ietf.org, "rtcweb@ietf.org" <rtcweb@ietf.org>
From: Adam Roach <adam@nostrum.com>
Message-ID: <5a2ed698-e353-4cb9-9c33-6450a843aefe@nostrum.com>
Date: Thu, 01 Nov 2018 19:36:57 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/mjWIiMBWKFwTYMMDXF5wE4TPKas>
Subject: [rtcweb] AD Review: draft-ietf-rtcweb-security
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Nov 2018 00:37:25 -0000
This is my AD review for draft-ietf-rtcweb-security. I think this document is ready to go into IETF last call, modulo the ICE citation issue. I plan to issue last call for this document at the same time as draft-ietf-rtcweb-security-arch and draft-ietf-rtcweb-ip-handling, so it will wait for those to become ready. I'm marking the document as "revised ID needed" pending the ICE reference update. I also have a number of non-blocking comments that should be treated the same as IETF last-call comments. /a --------------------------------------------------------------------------- ID Nits reports: == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- Obsolete informational reference (is this intentional?): RFC 6222 (Obsoleted by RFC 7022) --------------------------------------------------------------------------- [DISCUSS] Per the discussion around Cluster 238 dependencies, please reference RFC 8445 instead of RFC 5245. --------------------------------------------------------------------------- §1: > The Real-Time Communications on the Web (RTCWEB) working group is > tasked with standardizing protocols for real-time communications > between Web browsers, generally called "WebRTC" I plan to close RTCWEB as soon as Cluster 238 is published, at which point this text will be out of date. Consider rephrasing in a way that will survive the passage of time better. --------------------------------------------------------------------------- §1: > In the system shown in Figure 1, Alice and Bob both have WebRTC > enabled browsers... Please add Alice and Bob to Figure 1. Nit: "WebRTC-emabled" --------------------------------------------------------------------------- §2: Please update to match the RFC 8174 boilerplate. Regardless of whether this update is made, there seem to be some ambiguous uses of RFC 2119 language (e.g. §4.3: "This service must be provided for both data and voice/video") that need a bit of auditing. --------------------------------------------------------------------------- §3.1: > While the browser has access to local resources such as keying > material, files, the camera and the microphone, Consider adding an Oxford comma. --------------------------------------------------------------------------- §3.1: > [Note: in many cases browsers are explicitly designed to avoid > dialogs with the semantics of "click here to screw yourself", as I hate to be a wet blanket, but this phrasing seems out of character for an RFC. Consider something less colloquial (and perhaps with less rough connotations) than "screw" here. --------------------------------------------------------------------------- > 3.2. Same Origin Policy Nit: "Same-Origin" --------------------------------------------------------------------------- §3.2: > Many other resources are accessible but isolated. For instance, > while scripts are allowed to make HTTP requests via the > XMLHttpRequest() API Consider informatively citing https://xhr.spec.whatwg.org/ (or something better if you can find it). --------------------------------------------------------------------------- §4.1.2.2: > to avoid the users just clicking through. Note also that the user > interface chrome must clearly display elements showing that the call Consider defining the term "chrome" for those readers who may not be familiar with it. --------------------------------------------------------------------------- §4.1.3: > target. Callee-oriented consent provided by the calling site not > work well because a malicious site can claim that the user is calling Nit: "...does not work well..." (or "...would not work well...") > cryptographically established identity. While not suitable for all Nit: "cryptographically-established" --------------------------------------------------------------------------- §4.1.4: > Even if calls are only possible from HTTPS [RFC2818] sites, if the > site embeds active content (e.g., JavaScript) that is fetched over > HTTP or from an untrusted site, because that JavaScript is executed > in the security context of the page [finer-grained]. I can't parse this sentence. Consider reworking. --------------------------------------------------------------------------- §4.2.3: > o Use or RTCP as an implicit reachability check. Nit: "Use of..." --------------------------------------------------------------------------- §4.2.4: > In addition, either side may wish to hide their location entirely by > forcing all traffic through a TURN server. Suggested improvement: "...hide their location from the other..." (to avoid implying that this hides their location from either the web server or the STUN server) --------------------------------------------------------------------------- §4.3: > However, we must examine this > technology to the WebRTC context, where the threat model is somewhat > different. Nit: "...in the WebRTC context..." --------------------------------------------------------------------------- §4.3: > MITM attack or by diverting them entirely. (Note that this attack Please expand "MITM" on first use. --------------------------------------------------------------------------- §4.3.2.1: > All the calling service needs to do to avoid > triggering a key continuity warning is to tell the browser that "this > is a call to user Y" where Y is close to X. I read the meaning of the term "close" here to mean "confusable with X," although it took some work to arrive at that conclusion. If "confusable" is the intention, I would suggest phrasing it in that way. --------------------------------------------------------------------------- §4.3.2.2: > simply ignore such indicators even in the rather more dire case of > mixed content warnings. Nit: "mixed-content" --------------------------------------------------------------------------- §4.3.2.3: > However, a new generation of Web-based identity > providers (BrowserID, Federated Google Login, Facebook Connect, > OAuth, OpenID, WebFinger), has recently been developed Consider adding informative citations for at least BrowserID, OAuth, OpenID, and Webfinger [RFC7033], if not the other systems. --------------------------------------------------------------------------- §4.3.2.4: > I.e., I must be able to verify that > the person I am calling has engaged a secure media mode. Is this possible in the general case? For non-browser endpoints (or for modified browswers), this verification seems to be impossible (unless I've missed some mechanism in the system that can guarantee this property). Clearly I'm not asking for a change in design, but it seems that this statement needs to be caveated to indicate that it requires trust in the remote endpoint to enforce the indicated policy, and that this trust cannot be verified; at least, not as WebRTC is designed today. A simple forward citation to §4.3.3 might serve the purpose. --------------------------------------------------------------------------- §4.4.1: > While persistent endpoint identifiers can be a useful security > feature (see Section 4.3.2.1 they can also represent a privacy threat Nit: missing a closing paren. --------------------------------------------------------------------------- §4.2.2: Consider citing https://www.w3.org/TR/fingerprinting-guidance/ for further information.
- [rtcweb] AD Review: draft-ietf-rtcweb-security Adam Roach
- Re: [rtcweb] AD Review: draft-ietf-rtcweb-security Sean Turner