Re: [secdir] WebRTC

Stephen Farrell <stephen.farrell@cs.tcd.ie> Sun, 08 April 2012 12:37 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0731221F853E for <secdir@ietfa.amsl.com>; Sun, 8 Apr 2012 05:37:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.187
X-Spam-Level:
X-Spam-Status: No, score=-100.187 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, TVD_SPACED_SUBJECT_WORD3=2.412, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NJ0iG6IOr6p9 for <secdir@ietfa.amsl.com>; Sun, 8 Apr 2012 05:37:38 -0700 (PDT)
Received: from scss.tcd.ie (hermes.scss.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id C811421F84CD for <secdir@ietf.org>; Sun, 8 Apr 2012 05:37:37 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 2D026171478; Sun, 8 Apr 2012 13:37:36 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1333888655; bh=CN3nJTHG//yxN1 /Kyq1UAd4duWmBDhH+d1r0bPYYlYE=; b=OK4tzGXzRHu4bOwbo+Y1BqB7dvvZgI bkgbSdzqG5+A2KBwo09Da+0PrzRISGheZhUtjyqvrHUbdX9OK7W0ELkk1v+Mvoof RJEjqXwGCS52inPmBSxvDU/3FYrD2ixXXTv0JoALY12UmkZQlUXXbVbcJ2R6QQWF o3bO9wBwoGDBP0ALwKTVPp9XGEgQ8eDbR9d6kuZ78lV4IIlQY9KJ0gJtL0JIXvT7 HbghVtQq01PrWCvD5jpJLnkjSzf7bbFwQ71GzFqjmriGbS7puJuGnv0D2G2ZgHir m3NBu2WWrkwoeRaJgap89MkEPlogMAVuZhIdMDsuQWjx/0J7QDMzPqlw==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id j2LcLJdIErCp; Sun, 8 Apr 2012 13:37:35 +0100 (IST)
Received: from [10.87.48.4] (unknown [86.45.57.41]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 55202171471; Sun, 8 Apr 2012 13:37:32 +0100 (IST)
Message-ID: <4F81868C.3090601@cs.tcd.ie>
Date: Sun, 08 Apr 2012 13:37:32 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:11.0) Gecko/20120327 Thunderbird/11.0.1
MIME-Version: 1.0
To: Hank Nussbacher <hank@efes.iucc.ac.il>
References: <5.1.0.14.2.20120408115646.03793228@efes.iucc.ac.il>
In-Reply-To: <5.1.0.14.2.20120408115646.03793228@efes.iucc.ac.il>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: secdir@ietf.org
Subject: Re: [secdir] WebRTC
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Apr 2012 12:37:39 -0000

Hi Hank,

This might be more appropriate for the security area
list [1] rather than the security directorate list.
(This one.)

Cheers,
S.

[1] https://www.ietf.org/mailman/listinfo/saag



On 04/08/2012 10:11 AM, Hank Nussbacher wrote:
> Dear Security Area people,
>
> Quick intro:
>
> WebRTC http://www.webrtc.org/ is a free, open project that enables web
> browsers with Real-Time Communications (RTC) capabilities via simple
> Javascript APIs. It is supported by Google, Mozilla and Opera. One can
> test it already in Chrome. Basically, it is meant to be a Skype
> replacement technology (no app to download - all built-in to the
> browser). But there are many other ideas that can be used here with this
> technology.
>
> Now we get to the security part. As stated here:
> http://www.webrtc.org/blog/webrtcnowavailableinthechromedevchannel
> one has to specifically enable "--enable-media-stream" in order to get
> it to work. That is now, but the future plan is to have this "on" by
> default in FF and Chrome by the end of 2012.
>
> So what does the IETF have to say:
>
> Security Considerations for RTC-Web
> http://tools.ietf.org/html/draft-ietf-rtcweb-security-01
> which caused:
> RTCWEB Security Architecture
> http://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-01
> Section 5.2:
> "Clients MAY permit the formation of data channels without any direct
> user approval."
>
> I can just see new apps all over the place using this technology opening
> a huge can of worms for data stealing from the PC running the app that
> did NOT ask permission for the formation of a data channel without the
> direct user's permission. This is similar in concept to ActiveX:
> http://en.wikipedia.org/wiki/ActiveX
> "This made the web "richer" but provoked objections (since such controls
> ran only on Windows) and security risks (especially given the lack of
> user intervention). Microsoft subsequently introduced security measures
> to make browsing including ActiveX safer[6] . For example:
>
> digital signing of installation packages (Cabinet files and executables)
> controls must explicitly declare themselves safe for scripting
> increasingly stringent default security settings
> Internet Explorer maintains a blacklist of bad controls"
>
> Microsoft didn't envision the security issues of a "lack of user
> intervention" and it took them 3 years to add the appropriate knobs to
> make ActiveX more secure.
>
> I am not involved in WebRTC or the IETF group - I only found out about
> this incidentally. I raise this issue to you guys and leave it the
> Security Area to decide whether section 5 needs to be changed or not.
>
> Regards,
> Hank Nussbacher
>
>