Re: [rtcweb] Traffic should be encrypted. (Re: Let's define the purpose of WebRTC)

Randell Jesup <> Fri, 11 November 2011 18:46 UTC

On 11/11/2011 8:38 AM, Hadriel Kaplan wrote:
> On Nov 11, 2011, at 7:02 AM, Roman Shpount wrote:
>> Well, this is a perfect example when specifying mandatory security for wrong reasons is simply being ignored. All the reactions I've seen to this so far were "this is only a SHOULD, let's disregard this for now". Getting security requirements in the standard which are too high to be practical usually produces products which disregard security completely, reaching exactly the opposite effect. I think, in this particular case, the right course of action is to use AVT tones in RTP as the rest of the industry is doing now.
> I think using in-band tones in RTP for DTMF instead of 4733 would be a really bad idea.

+10.  Let's not even discuss that option further.

>> Finally, (going slightly off topic here) it would probably be a good idea to make key exchange part of the initial ICE transaction. This way we can use this key exchange as an additional verification of the remote party, and reduce the number of round trips required before the media flow is established.
> That's an interesting idea.  The extra round trips of DTLS-SRTP, added to those of ICE, have had me worried about clipping when the user answers the call.  It's been an advantage of SDES not to worry about that.

Anything we can do to minimize clipping and reduce startup RTTs is a 
*very* good thing.  We should start seriously analyzing this as we're 
getting down to more specifics.

And recent privacy breaches have shown that otherwise-good pre-warming 
of connections and pre-negotiation of codecs may be problematic from a 
security point of view - exchanging ICE candidates with an incoming 
OFFER from your abusive ex-boyfriend might tell them where you are 
(local IP), though it would be possible for people not wanting to 
disclose their address to *require* a TURN proxy be in use and not offer 
local IP, limiting the leaked information.  This does require proactive 
selection of safety by the user, a risky proposition.

As a possible compromise, you could force TURN for the pre-start of the 
call and if accepted, renegotiate with real local addresses.  Might 
cause a glitch though if you're not careful.

Randell Jesup
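One way to implement the relay-only policy discussed above (require a TURN relay and do not offer the local IP until the callee has accepted), as an added example that is not from this thread or from any rtcweb draft. Candidate line syntax follows RFC 5245; the sample candidates and the 0.0.0.0 scrubbing of related addresses are this example's own assumptions.

```javascript
// Parse one candidate attribute line ("a=candidate:..." or "candidate:...")
// from SDP or a trickle message; returns null if it is not well-formed.
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(.*)$/
    .exec(line.trim());
  if (!m) return null;
  const rel = /raddr (\S+) rport (\d+)/.exec(m[8]);
  return {
    foundation: m[1], component: Number(m[2]), transport: m[3].toLowerCase(),
    priority: Number(m[4]), address: m[5], port: Number(m[6]), type: m[7],
    relatedAddress: rel ? rel[1] : null, relatedPort: rel ? Number(rel[2]) : null,
  };
}

// Relay-only policy: "host" candidates carry the local IP, "srflx"/"prflx"
// carry the NAT's public address; only "relay" candidates point at the TURN
// server, so only those may be offered before the callee has accepted.
function isRelayCandidate(cand) {
  return cand !== null && cand.type === 'relay';
}

// Filter candidate lines out of an SDP blob. Non-candidate lines pass through.
// A relay candidate's raddr/rport holds the reflexive address learned during
// the TURN allocation, so it is blanked to 0.0.0.0/0 here as well; blanking
// is this example's own scrubbing choice, not something the thread requires.
function relayOnly(sdp) {
  const out = [];
  for (const line of sdp.split(/\r?\n/)) {
    if (!/^(a=)?candidate:/.test(line)) { out.push(line); continue; }
    if (!isRelayCandidate(parseCandidate(line))) continue; // drop host/srflx/prflx
    out.push(line.replace(/raddr \S+ rport \d+/, 'raddr 0.0.0.0 rport 0'));
  }
  return out.join('\n');
}

// Constructed sample offer fragment (RFC 5737/1918 documentation addresses):
// one host, one server-reflexive and one relay candidate.
const SAMPLE_SDP = [
  'a=candidate:1 1 udp 2130706431 192.168.1.23 51234 typ host',
  'a=candidate:2 1 udp 1694498815 203.0.113.7 51234 typ srflx raddr 192.168.1.23 rport 51234',
  'a=candidate:3 1 udp 16777215 198.51.100.9 3478 typ relay raddr 203.0.113.7 rport 51234',
].join('\n');

// Usage: only the relay line survives, with its raddr scrubbed.
console.log(relayOnly(SAMPLE_SDP));
```

Once the callee accepts, the same filter is simply bypassed for the renegotiation that carries the real local addresses.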