Re: [rtcweb] Consensus call regarding media security

[Basil Mohamed Gohar <abu_hurayrah@hidayahonline.org>]

On 03/28/2012 01:56 PM, Iñaki Baz Castillo wrote:
> 2012/3/28 Roman Shpount <roman@telurix.com>:
>> As I have mentioned before on this list I am strongly against making SRTP
>> protection for RTP a requirement. I think this is an unnecessary requirement
>> that serves little real purpose except feeding into some marketing message
>> that most of the WebRTC users would not care about. Unless use of identity
>> is also a requirement, requiring SRTP will provide security only in a very
>> narrow sense of the word. At the same time I do believe that extra standard
>> requirements will stifle innovation and  will complicate new service or
>> application creation.
> SRTP (with SDES so without identity authentication) is still much
> better than plain RTP, right? If I'm in an airport connected to an
> open WiFi network, but I use HTTPS/WSS for signaling from my WebRTC
> browser, then I can be sure that no one in the airport can intercept
> my media streams (using SRTP-SDES).
>
> Of course this does not solve the fact that there could be some MiM
> attacker somewhere in the signaling path, but NOT in the airport! What
> is sure is that if I was using plain RTP then everyone in the open
> WiFi network could intercept my media streams.
>
> IMHO it's really clear that SRTP (even with SDES) is MUCH better than
> plain RTP. And so far I have not heard any advantage fof allowing
> plain RTP other than "it allows interoperability with my 5 years ago
> SIP device".
>
> So +1 for the voted consensus.
>
> Regards.
This captures the sentiment of what I was trying to convey.  So, +1 to
this explanation.