[secdir] secdir review of draft-ietf-rtcweb-security-arch-11

Tobias Gondrom <tobias.gondrom@gondrom.org> Sat, 03 October 2015 22:29 UTC

Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 703541A876F; Sat, 3 Oct 2015 15:29:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -96.664
X-Spam-Status: No, score=-96.664 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HELO_EQ_D_D_D_D=1.597, HELO_DYNAMIC_IPADDR=1.951, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_WHITELIST=-100] autolearn=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id bTLbXfK0WkyY; Sat, 3 Oct 2015 15:29:09 -0700 (PDT)
Received: from lvps5-35-241-16.dedicated.hosteurope.de (www.gondrom.org []) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC9EC1A872F; Sat, 3 Oct 2015 15:29:08 -0700 (PDT)
Received: from [] (f048029132.adsl.alicedsl.de []) by lvps5-35-241-16.dedicated.hosteurope.de (Postfix) with ESMTPSA id 6FB8763CBA; Sun, 4 Oct 2015 00:29:05 +0200 (CEST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=dJ+e5ETfdVbDX2Smioq5a5DwxOjE9IUYMfG5OEj0Yh90eWfdDNBQ6TfV3M+zLfVnj2tAoKzDNuDFWOsHVzJx5R7a2EQoJDcmR1VBGkUuqCLCoyuICyGStbGtuveaJ1EYpw7q1YqoE5QDyH+wnnNKGbje+LXo7BYWq3AlvumM++E=; h=Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:Content-Type;
Message-ID: <561056B0.8080700@gondrom.org>
Date: Sun, 04 Oct 2015 00:29:04 +0200
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: secdir@ietf.org, iesg@ietf.org, draft-ietf-rtcweb-security-arch.all@tools.ietf.org
Content-Type: multipart/alternative; boundary="------------040801050908060007020809"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/9eyaedRDLr08E_3E6i6EaDSG5Gw>
Subject: [secdir] secdir review of draft-ietf-rtcweb-security-arch-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Oct 2015 22:29:12 -0000

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors. Document editors and WG chairs should treat 
these comments just like any other last call comments.

The draft aims for proposed standards and defines the security 
architecture for WebRTC.

The document appears in reasonably good shape.
There are still several open issues (TBDs) in the document that need to 
be completed before publication.

Below a series of my own comments, discuss elements and questions for 
your consideration.

section 3 Trust Model:
s/rooted in the browser/rooted in the browser and the underlying 
operating system
(the requirements for the integrity of the system underneath the browser 
does not go away. Furthermore the browser does rely on some trust and 
crypto functionality provided by the underlying OS.)

Question: what security risks does the connection from Bob to IdP1 (the 
IdP from Alice) create?

DISCUSS: Section 4.1:
"This does not require a security check: JS from any origin is allowed 
to get this far."
Comment: Maybe the wording is unprecise, or if it is intended as I read 
it than I beg to disagree. There are several security concerns if that 
would be the case. Just a few examples, I am sure there are plenty more:
1. privacy concerns if you can trigger someone initiating a call
2. Denial of service scenarios, creation of PeerConnections or the 
scenario of "the great cannon of China" comes to mind, in which you can 
let other people flood a recipient with call requests.

COMMENT: Section 4.1. paragraph 6:
s/preferably over TLS/it SHOULD use TLS.
If possible, I would even go for "MUST", but I am not sure about whether 
there are legitimate use cases that require non-TLS?
(e.g. we want avoid resource consuming, spoofing and replay attacks)

COMMENT: Section 4.3. last paragraph:
"Even if they do not use an IdP, as long as they have minimal trust in 
the signaling service not to perform a man-in-the-middle attack, they 
know that their communications are secure against the signaling service 
as well (i.e., that the signaling service cannot mount a passive attack 
on the communications)."
=> This reads confusing. IMO if they are not using an IdP, they can not 
assume that their communications are secure against the signalling 
service MitM attack.

Question on Section 5.2
"Requests for one-time camera/microphone access." does the "one-time 
access" have a time-out after some time, or max duration? How long would 
that be?

At end of Section 5.2: there is still an open issue to be resolved by 
the WG. Note: It definitely requires a higher / different level of 
explicit consent, as it allows access to a third resource.

Question on Section 5.5.:
Do we need to assert that the client provide UI information from which 
peer the current stream is coming from?
Assuming you have 3 or more peers (A, B and C) in a meeting, can you 
avoid that B replays the voice of A in effect spoofing him to C on the 
application layer?

Question on section 5.6.5.:
does this naming scheme also consider subdomains?
The example in the last paragraph seems to normalize 
identity.example.com to https://example.com/.well-known/idp-proxy/example?

Question on section 5.7.1.:
Do you need to support UNICODE characters for identities?
Preferably, I would like to avoid such, as that could cause it's own set 
of potential problems with similar looking codepoints....

Section 6: Security Considerations
refers to draft-ietf-rtcweb-security-08 which is scheduled to be 
reviewed by another member of Secdir.
Please note that I have browsed the referred draft but did not conduct a 
deep review of the other ID. Some of my questions above might have been 
addressed there.

Section 6.3. states that "On the other hand, signing the entire message 
severely restricts the capabilities of the calling application, so there 
are difficult tradeoffs here." Actually my assumption was that the 
entire signalling message would be signed. What are the implied 
restrictions that prevent that from happening? Is there a way we could 
allow for that?

Question on Section 6.4.2. IdP Well-known URI
Assuming a server that does not host an IdP nor is aware of the special 
semantics of this "well-known URI".
Would an attacker with access to this initially empty structure be able 
to create a working IdP and assert identities for the domain of that 
server that might supersede other 3rd-party IdP servers?

COMMENT on section and
It seems the text is suggestion that popup blocking and third party 
cookie blocking are not compatible with using an IdP. I would recommend 
a statement that sites SHOULD (MUST?) implement in a way that they still 
function with client side popup blocking and third party cookie blocking.

A general question from a risk perspective:
I wonder whether an IdP can by providing the identity assertions for the 
users determine a very detailed record of all call metadata (time, src, 
dst, ...) of all communications for a user. Are there any abstraction 
mechanisms we could deploy to limit that exposure to the IdP? On the 
other hand, is the identity assertion linked to a system time, to avoid 
later replay attacks?

Thank you and best regards.