Re: [rtcweb] Consensus call regarding media security

Iñaki Baz Castillo <ibc@aliax.net> Wed, 28 March 2012 17:56 UTC

Return-Path: <ibc@aliax.net>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2081C21E80A4 for <rtcweb@ietfa.amsl.com>; Wed, 28 Mar 2012 10:56:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.624
X-Spam-Level:
X-Spam-Status: No, score=-2.624 tagged_above=-999 required=5 tests=[AWL=0.053, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bGHxeaMOMrgK for <rtcweb@ietfa.amsl.com>; Wed, 28 Mar 2012 10:56:46 -0700 (PDT)
Received: from mail-vx0-f172.google.com (mail-vx0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id 890DB21E809F for <rtcweb@ietf.org>; Wed, 28 Mar 2012 10:56:46 -0700 (PDT)
Received: by vcbfk13 with SMTP id fk13so1062585vcb.31 for <rtcweb@ietf.org>; Wed, 28 Mar 2012 10:56:46 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding:x-gm-message-state; bh=r7sJpicDr0iqEwY8SD7j+XEQGCbKhfyaVeeCSc7TW+A=; b=lPVbO4nE5gtfdISbt+wLiPy+siNW7ggPQoCnyIl015LZJYwG8cgaA/NEy7UwsCIA0e 8J+PqKzoclELw056SVIrRDKAJifZUyTsSTEHuxjBvH2MkS7swL12GVpWduzpfvt0miAs zLzJI5b/rHh5lnav3YrcSmaAbKBsnmCEJJvwHd4pedchAD3t4IGv73Orm8GSEeur6/be dZthPzPmXGCjwuC3wS2gy4iInMu16lk74wLdCUibsSklCftF7pXGlRyTYja08mXQD4R2 CajfKBGu9C3ze1ZIL8Q88NfwAe09baAWOw49nNPLCyaBqyZuS9VBzE+yi2klrfYkrB0X IyGA==
Received: by 10.52.15.233 with SMTP id a9mr1183079vdd.34.1332957406074; Wed, 28 Mar 2012 10:56:46 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.170.165 with HTTP; Wed, 28 Mar 2012 10:56:23 -0700 (PDT)
In-Reply-To: <CAD5OKxs6NHha2egNSTumEaHYJ0bB6qu_nfshmBM6dntx2n49HQ@mail.gmail.com>
References: <4F732531.2030208@ericsson.com> <CAD5OKxs6NHha2egNSTumEaHYJ0bB6qu_nfshmBM6dntx2n49HQ@mail.gmail.com>
From: =?UTF-8?Q?I=C3=B1aki_Baz_Castillo?= <ibc@aliax.net>
Date: Wed, 28 Mar 2012 19:56:23 +0200
Message-ID: <CALiegfn4MZYb-qCnM62T7w4EgWqrC5baN+pAYBZF84kEA7Ko6A@mail.gmail.com>
To: Roman Shpount <roman@telurix.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Gm-Message-State: ALoCoQlonGdXThyfwYP3YFwNVBa9LO2aAyqoL2F1VDaOO+drZVulETy4fUHp4rrVL6fwVNCn4AHv
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Consensus call regarding media security
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Mar 2012 17:56:47 -0000

2012/3/28 Roman Shpount <roman@telurix.com>om>:
> As I have mentioned before on this list I am strongly against making SRTP
> protection for RTP a requirement. I think this is an unnecessary requirement
> that serves little real purpose except feeding into some marketing message
> that most of the WebRTC users would not care about. Unless use of identity
> is also a requirement, requiring SRTP will provide security only in a very
> narrow sense of the word. At the same time I do believe that extra standard
> requirements will stifle innovation and  will complicate new service or
> application creation.

SRTP (with SDES so without identity authentication) is still much
better than plain RTP, right? If I'm in an airport connected to an
open WiFi network, but I use HTTPS/WSS for signaling from my WebRTC
browser, then I can be sure that no one in the airport can intercept
my media streams (using SRTP-SDES).

Of course this does not solve the fact that there could be some MiM
attacker somewhere in the signaling path, but NOT in the airport! What
is sure is that if I was using plain RTP then everyone in the open
WiFi network could intercept my media streams.

IMHO it's really clear that SRTP (even with SDES) is MUCH better than
plain RTP. And so far I have not heard any advantage fof allowing
plain RTP other than "it allows interoperability with my 5 years ago
SIP device".

So +1 for the voted consensus.

Regards.


-- 
Iñaki Baz Castillo
<ibc@aliax.net>