Re: [rtcweb] Traffic should be encrypted. (Re: Let's define the purpose of WebRTC)

Roman Shpount <roman@telurix.com> Fri, 11 November 2011 12:02 UTC

Return-Path: <roman@telurix.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77D3321F8593 for <rtcweb@ietfa.amsl.com>; Fri, 11 Nov 2011 04:02:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.897
X-Spam-Level:
X-Spam-Status: No, score=-2.897 tagged_above=-999 required=5 tests=[AWL=0.079, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BNvp1757YShB for <rtcweb@ietfa.amsl.com>; Fri, 11 Nov 2011 04:02:35 -0800 (PST)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by ietfa.amsl.com (Postfix) with ESMTP id 596D621F8548 for <rtcweb@ietf.org>; Fri, 11 Nov 2011 04:02:35 -0800 (PST)
Received: by gye5 with SMTP id 5so3382694gye.31 for <rtcweb@ietf.org>; Fri, 11 Nov 2011 04:02:35 -0800 (PST)
Received: by 10.101.4.20 with SMTP id g20mr5666387ani.73.1321012954603; Fri, 11 Nov 2011 04:02:34 -0800 (PST)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by mx.google.com with ESMTPS id f32sm33149203ani.20.2011.11.11.04.02.32 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 11 Nov 2011 04:02:33 -0800 (PST)
Received: by ywt34 with SMTP id 34so2215119ywt.31 for <rtcweb@ietf.org>; Fri, 11 Nov 2011 04:02:32 -0800 (PST)
MIME-Version: 1.0
Received: by 10.68.31.170 with SMTP id b10mr24056389pbi.18.1321012951954; Fri, 11 Nov 2011 04:02:31 -0800 (PST)
Received: by 10.68.62.170 with HTTP; Fri, 11 Nov 2011 04:02:31 -0800 (PST)
In-Reply-To: <CCF4FC92-D5AA-43C8-A0B2-8041C9B8E1BD@edvina.net>
References: <CALiegfkVNVAs_MyU_-4koA4zRwSn1-FwLjY9g_oZVkhi9rSK5Q@mail.gmail.com> <5454E693-5C34-4C77-BA07-2A9EE9EE4AFD@cisco.com> <387F9047F55E8C42850AD6B3A7A03C6C01349FFE@inba-mail01.sonusnet.com> <1D062974A4845E4D8A343C653804920206D3B7FD@XMB-BGL-414.cisco.com> <387F9047F55E8C42850AD6B3A7A03C6C0134A105@inba-mail01.sonusnet.com> <1F2A2C70609D9E41844A2126145FC09804691DA2@HKGMBOXPRD22.polycom.com> <CALiegfmf59jb4asUu9LA6YY_aMtKEnM1Wy34KbuLEn3_h1xBXA@mail.gmail.com> <CALiegfmM1PB=VAQjfh4rW3-3C8aumHdWy9nZxD0-BWBq9Kq_tg@mail.gmail.com> <1D062974A4845E4D8A343C653804920206D3BA57@XMB-BGL-414.cisco.com> <CALiegfkWnRT8m4S9pXTxuLsc-p_bhkG3d=PX3qgiFFt5gW5yfw@mail.gmail.com> <CAD5OKxvQYVKOZF88WLCiRseg-qXQdOpKeDU_t9b-yA2GcDBT-w@mail.gmail.com> <CABcZeBOiPxz_swdaG6Aqoch1WAUtjNh4eOQy1QObCDXT_B8azg@mail.gmail.com> <CAD5OKxtp+LQBRCHgbWdJyrSRcpNQ82i64TJgGtGPrE7+GKcEog@mail.gmail.com> <4EBC3475.90706@alvestrand.no> <CAD5OKxu_-+ZRsqpUBkFSj=tYtOKG0pK3JoQTZHwQGMuBCnp0Gw@mail.gmail.com> <CAD5OKxuaWJ3SBv+0gac6EQy6-Lsb-LS_SBXk5FqObKy4mN6wNg@mail.gmail.com> <CCF4FC92-D5AA-43C8-A0B2-8041C9B8E1BD@edvina.net>
Date: Fri, 11 Nov 2011 07:02:31 -0500
Message-ID: <CAD5OKxs-pWwDBjwAu=mQVWRZa4H_YPpzQ31=0qxUUj-pJOErcg@mail.gmail.com>
From: Roman Shpount <roman@telurix.com>
To: "Olle E. Johansson" <oej@edvina.net>
Content-Type: multipart/alternative; boundary=bcaec520f2afbeb61904b1744be8
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] Traffic should be encrypted. (Re: Let's define the purpose of WebRTC)
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Nov 2011 12:02:36 -0000

On Fri, Nov 11, 2011 at 3:49 AM, Olle E. Johansson <oej@edvina.net> wrote:

> If you support DTMF in RTP you already have a requirement that you SHOULD
>  only do that over SRTP. If rtcweb supports telephony-events, we are
> already on the SRTP side as almost mandatory. I think it's easier to reach
> an agreement on SRTP being mandatory than DTMF being dis-allowed.
>
>
Well, this is a perfect example when specifying mandatory security for
wrong reasons is simply being ignored. All the reactions I've seen to this
so far were "this is only a SHOULD, let's disregard this for now". Getting
security requirements in the standard which are too high too be practical
usually produces products which disregard security completely, reaching the
exactly opposite effect. I think, in this particular case, the right course
of action is to use AVT tones in RTP as the rest of the industry is doing
now.

Also, I wanted expand on the debug requirements: I do hope we will make key
exchange mechanism, different from SDES, mandatory for WebRTC. Passing
actual encryption keys through JavaScript makes media encryption to easy to
circumvent. This means some type of public/private key encryption used for
key exchange. If we do this right, getting to the actual key used for media
session encryption will be very difficult, so most of the tools currently
used for SRTP debugging will stop working. We will also end up with
something new, which will mean extensive need for debugging. Ability to
turn this component on and off will be very helpful for implementation
debugging. Once again, this will probably be not a critical point, but
making something easier for developers usually goes a long way in driving
the adoption.

One more benefit of having RTP as fallback for legacy interop is that it
will allow us to specify something that will be more secure for WebRTC. If
SDES support would no longer be needed, we can concentrate on using key
exchange mechanism that is actually secure.

Finally, (going slightly off topic here) it would probably be a good idea
to make key exchange part of the initial ICE transaction. This way we can
use this key exchange as an additional verification of the remote party,
and reduce the number of round trips required before the media flow is
established.
_____________
Roman Shpount