Re: [tram] Review of draft-ietf-tram-auth-problems-00
Marc Petit-Huguenin <marcph@getjive.com> Wed, 30 April 2014 11:54 UTC
Return-Path: <marcph@getjive.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE39D1A6EF0 for <tram@ietfa.amsl.com>; Wed, 30 Apr 2014 04:54:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KuW1vMaNhBPu for <tram@ietfa.amsl.com>; Wed, 30 Apr 2014 04:54:32 -0700 (PDT)
Received: from mail-ie0-x234.google.com (mail-ie0-x234.google.com [IPv6:2607:f8b0:4001:c03::234]) by ietfa.amsl.com (Postfix) with ESMTP id 4BB131A08BD for <tram@ietf.org>; Wed, 30 Apr 2014 04:54:32 -0700 (PDT)
Received: by mail-ie0-f180.google.com with SMTP id as1so1768193iec.11 for <tram@ietf.org>; Wed, 30 Apr 2014 04:54:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=getjive.com; s=mail; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type; bh=4HpBPIusg6ieTSLZxpq6QlTumYmzD3BJXC5r+S9IxnI=; b=OWbkziE+imi7Nuc96mI+8UFeRng6IUNTkEP7W+oTbTveBfrNhYJob2yo4F0LJ9d9Bv fB4ovn/Xat+hPsRcsFVASBB9ex0/6vtVHgy383TXg8T/5dqGt4n9ZF/zTmqG8IyOUawp EitDCuGzHp8x9AOZtTkhmrlvAMIqve8WrhiDA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type; bh=4HpBPIusg6ieTSLZxpq6QlTumYmzD3BJXC5r+S9IxnI=; b=Pj+R6yp//3TWMteghNp+pTuWc+ZV8bezgpogiJeV2to3mLZnmjwK6/EZtR2WJ+wP7q MzMPA4zEExj47Xhp40LQ/EcoW1MeLvsTxJCyolyKI5shW+YpiobF+NJrgFkHJ6CZMJFZ JZ6FFC2Qi0whfCP4lkdtS/ZF2FBFskjC7af7v0SxQtcGPyRqDCD7+6eRpCeNn7fbetLR fid8s1ugtgVf/ApoId3J1pxvCiknts5YikNrsot/g9CmBRp0DZ9XF/D0zaqZtdFeRlz9 Vbc3oGkW8k3vbnQ0eYfTdUKqJNtdsyZN2xVsh5GxLbzlZ/reBg981BNsHOgMbLFskpNs FPSQ==
X-Gm-Message-State: ALoCoQklGwfebWJE5cML31VvQNdTYaXpjjsowPZktFcQ+JyLCVPWITK1y1S5i8sYQ15Sq+95yxm5
X-Received: by 10.50.62.51 with SMTP id v19mr37339677igr.21.1398858870038; Wed, 30 Apr 2014 04:54:30 -0700 (PDT)
Received: from jivecommunications.com ([199.87.120.129]) by mx.google.com with ESMTPSA id vm7sm5277741igb.1.2014.04.30.04.54.28 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 30 Apr 2014 04:54:29 -0700 (PDT)
Message-ID: <5360E46B.8080103@getjive.com>
Date: Wed, 30 Apr 2014 05:54:19 -0600
From: Marc Petit-Huguenin <marcph@getjive.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>, "tram@ietf.org" <tram@ietf.org>
References: <913383AAA69FF945B8F946018B75898A2431E0B5@xmb-rcd-x10.cisco.com>
In-Reply-To: <913383AAA69FF945B8F946018B75898A2431E0B5@xmb-rcd-x10.cisco.com>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="ab24ecJTsqxh5A07Mkq872e5nC2mURxD8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tram/Kd02rPc0Cz91nMKTsbj5ObiccpA
Subject: Re: [tram] Review of draft-ietf-tram-auth-problems-00
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Apr 2014 11:54:34 -0000
On 4/29/14, 8:15 PM, Tirumaleswar Reddy (tireddy) wrote: > Hi Marc, > > Thanks for the review. Please see inline > >> -----Original Message----- From: tram >> [mailto:tram-bounces@ietf.org] On Behalf Of Marc Petit-Huguenin >> Sent: Friday, April 18, 2014 8:27 PM To: tram@ietf.org Subject: >> [tram] Review of draft-ietf-tram-auth-problems-00 >> [...] > > A6. Section 4, 5th bullet > > Note that this applies only to the TCP and UDP transports, as SNI > can be used to select the tenant/realm when TLS or DTLS is used. > >> The need for ORIGIN attribute even if D{TLS} is used is discussed >> in http://tools.ietf.org/html/draft-johnston-tram-stun-origin-02 Right. I did a review (yet to be published) of stun-origin after this one. > > > A7. Section 4, 6th bullet. "This exposes the user credential to the > Javascript which could be malicious". > > It is only a problem if somehow the web server sends a user/password > that can be used to access something else than the TURN server > resources. It is not a problem created by the long-term > authentication, but by bad code or misconfiguration on the server > side. > >> The problem is that long-term credentials (username/password) must >> be exposed to the java script code which could be malicious. For >> example refer to the sample java script code in slide 2 of >> http://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf >> where RTCPeerConnection API needs the client username/password. >> The credentials could be leaked by a malicious java script, thus >> resulting in TURN server access to be misused. > > If you really insist on saying something about this, it should about > how long-term authentication creates the possibility that a web > server sends credentials that can be reused elsewhere. I think that > the 3rd bullet as the same issue: Privacy leakage is not a > consequence of using long-term authentication, but of using > usernames that can be matched with a real person or that can be > reused to access other resources. > >> Agreed. > >> NEW: > >> 3. The long-term credential mechanism in [RFC5389] requires that >> the TURN client must include username value in the USERNAME STUN >> attribute. An adversary snooping the TURN messages between the >> TURN client and server can identify the users involved in the call >> resulting in privacy leakage. If TURN usernames are linked to real >> usernames then it will result in privacy leakage, but in certain >> scenarios TURN usernames need not be linked to any real usernames >> given to users as they are just provisioned on a per company >> basis. > >> .... .... > > >> 7. In WebRTC the Javascript code needs to know the username and >> password to use in W3C RTCPeerConnection API to access the TURN >> server. This exposes the user credentials to the Javascript which >> could be malicious. The malicious java script could misuse or leak >> the credentials. If the credentials happen to be used for >> accessing services other than TURN then the security implications >> are much larger. That looks fine. > > A7. Section 8. References > > I think that because this is an Informational document, all the > references must be Informative. > >> I think informational document can have normative references. For >> example check RFC7152, RFC 6819. > OK. Thanks. -- Marc Petit-Huguenin Developer | Jive Communications, Inc. Jive.com | marcph@getjive.com
- [tram] Review of draft-ietf-tram-auth-problems-00 Marc Petit-Huguenin
- Re: [tram] Review of draft-ietf-tram-auth-problem… Tirumaleswar Reddy (tireddy)
- Re: [tram] Review of draft-ietf-tram-auth-problem… Marc Petit-Huguenin