Re: [rtcweb] Consensus call regarding media security
Roman Shpount <roman@telurix.com> Thu, 29 March 2012 14:31 UTC
In-Reply-To: <CAOJ7v-0ePiqkrswGbvLZTrZCPFLGxy6KCg79kiMRtLGR9PqeOg@mail.gmail.com>
References: <4F732531.2030208@ericsson.com> <CAD5OKxs6NHha2egNSTumEaHYJ0bB6qu_nfshmBM6dntx2n49HQ@mail.gmail.com> <CALiegfn4MZYb-qCnM62T7w4EgWqrC5baN+pAYBZF84kEA7Ko6A@mail.gmail.com> <CAD5OKxtDED1vSFrw4V9TKkUzdSSXNg+S_WBrxmnFo21hjJvqMA@mail.gmail.com> <4F737DB3.5020804@hidayahonline.org> <CAD5OKxuJq7x-_QTK49ZEgeBhMLhYQimPcs3g-BDM6vYWdH5Lng@mail.gmail.com> <CAOJ7v-0ePiqkrswGbvLZTrZCPFLGxy6KCg79kiMRtLGR9PqeOg@mail.gmail.com>
Date: Thu, 29 Mar 2012 10:31:13 -0400
Message-ID: <CAD5OKxvVkiFK06nOnLqGXaj7mR-WvJ9tcnDdZo-XegF4qiQ7bg@mail.gmail.com>
From: Roman Shpount <roman@telurix.com>
To: Justin Uberti <juberti@google.com>
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] Consensus call regarding media security
On Thu, Mar 29, 2012 at 10:00 AM, Justin Uberti <juberti@google.com> wrote:

> This is FUD. Google+ Hangouts uses libsrtp for all of its calls, and over
> the billions of minutes of call time to date, we haven't seen any crash
> bugs that could be blamed on libsrtp. And we track this stuff pretty
> closely.

This is not FUD. Even with the hundreds of millions of secured minutes we are pushing, we see new libsrtp-related problems on a weekly basis. I gave you a reference to the Asterisk bug. This bug is addressed in SourceForge, but present in the download library (1.4.4) that is included in a lot of products. This bug guarantees a crash in case RTCP and even small packet loss are present. You can try to run crypto_get_random in a loop until it generates an error. Simple and easy to reproduce bug. There are probably more, but it is outside of the scope of this list.

If you want to do your users a favor, swap this lib out of your code. You probably have much better crypto utilities (random, AES) in other code you use, such as OpenSSL. The rest is trivial to re-implement and it will make the resulting product faster and more secure.

_____________
Roman Shpount
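The reproduction procedure mentioned above (call the SRTP library's RNG in a loop and watch for the first call that returns an error) as an added harness, not code from the post or from libsrtp. When built with -DHAVE_LIBSRTP it calls the real libsrtp 1.x functions crypto_kernel_init() and crypto_get_random(); the <srtp/crypto_kernel.h> include path is an assumption about how the headers are installed. Without that define it uses a constructed stand-in RNG that stops returning bytes after a fixed budget, so the harness logic itself (never ignore the RNG return code, report which call failed) can be exercised without the library.

```c
/* Added example: harness that loops over an SRTP-style RNG and reports the
 * first failing call instead of silently using an unfilled buffer.
 * Not code from the original post or from libsrtp. */
#include <stdio.h>
#include <string.h>

#ifdef HAVE_LIBSRTP
/* Real libsrtp 1.x API. Header path is an assumption; build with:
 *   cc -DHAVE_LIBSRTP harness.c -lsrtp */
#include <srtp/crypto_kernel.h>
static int rng_init(void) {
    return crypto_kernel_init() == err_status_ok ? 0 : -1;
}
static int rng_get(unsigned char *buf, unsigned int len) {
    return crypto_get_random(buf, len) == err_status_ok ? 0 : -1;
}
#else
/* Constructed stand-in so the harness runs without libsrtp: hands out bytes
 * from a counter stream and fails once a fixed output budget is exhausted,
 * mimicking an RNG that stops working after N bytes. Not a real RNG. */
#define STANDIN_BUDGET 4096u
static unsigned int standin_used;
static int rng_init(void) {
    standin_used = 0;
    return 0;
}
static int rng_get(unsigned char *buf, unsigned int len) {
    if (standin_used + len > STANDIN_BUDGET)
        return -1;
    for (unsigned int i = 0; i < len; i++)
        buf[i] = (unsigned char)(standin_used + i);
    standin_used += len;
    return 0;
}
#endif

/* Ask the RNG for `chunk` bytes up to `max_calls` times. Returns the 1-based
 * index of the first call that fails, 0 if every call succeeded, or -1 if
 * the request is invalid or initialisation failed. The buffer is never
 * consumed after a failed call: an error from the RNG must fail closed. */
long first_rng_failure(unsigned int chunk, long max_calls) {
    unsigned char buf[256];
    if (chunk == 0 || chunk > sizeof buf || rng_init() != 0)
        return -1;
    for (long i = 1; i <= max_calls; i++) {
        memset(buf, 0, sizeof buf);
        if (rng_get(buf, chunk) != 0)
            return i;           /* first failing call */
    }
    return 0;
}

int main(void) {
    long n = first_rng_failure(32, 1000000L);
    if (n > 0)
        printf("RNG failed on call %ld\n", n);
    else if (n == 0)
        printf("no RNG failure in 1000000 calls of 32 bytes\n");
    else
        printf("RNG initialisation failed or bad request\n");
    return 0;
}
```

With the stand-in, 4096 / 32 = 128 calls succeed and the 129th fails; against a real library the interesting output is a non-zero call index, which is exactly what a caller that discards the return value of crypto_get_random would never see.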