Re: [irsg] Meetecho for interims?
Toerless Eckert <tte@cs.fau.de> Mon, 03 August 2020 13:58 UTC
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: wgchairs@ietfa.amsl.com
Delivered-To: wgchairs@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9168A3A0AA2 for <wgchairs@ietfa.amsl.com>; Mon, 3 Aug 2020 06:58:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.655
X-Spam-Level:
X-Spam-Status: No, score=0.655 tagged_above=-999 required=5 tests=[HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.652, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J6Xy_K2QnZi5 for <wgchairs@ietfa.amsl.com>; Mon, 3 Aug 2020 06:58:08 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B1BC3A0A9B for <wgchairs@ietf.org>; Mon, 3 Aug 2020 06:58:08 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [131.188.34.52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 956F6548068; Mon, 3 Aug 2020 15:58:03 +0200 (CEST)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id 8C7F1440059; Mon, 3 Aug 2020 15:58:03 +0200 (CEST)
Date: Mon, 03 Aug 2020 15:58:03 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Carsten Bormann <cabo@tzi.org>
Cc: Leif Johansson <leifj@sunet.se>, WG Chairs <wgchairs@ietf.org>
Subject: Re: [irsg] Meetecho for interims?
Message-ID: <20200803135803.GM1772@faui48f.informatik.uni-erlangen.de>
References: <B3C59EE7-67C5-44F1-9A1B-6453267B8B58@tzi.org> <C0FD0348-93CD-417E-93E2-F8FA987C0A93@sunet.se> <07039CD4-D25E-46A3-A4AA-D34039AD5C35@tzi.org> <20200802025303.GG1772@faui48f.informatik.uni-erlangen.de> <EE6B8F66-D331-48CE-AE76-6972FD5CEB11@tzi.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <EE6B8F66-D331-48CE-AE76-6972FD5CEB11@tzi.org>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/wgchairs/prO4B9mSHjNuj5OhUfjVJEZt2wk>
X-BeenThere: wgchairs@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Working Group Chairs <wgchairs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wgchairs>, <mailto:wgchairs-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wgchairs/>
List-Post: <mailto:wgchairs@ietf.org>
List-Help: <mailto:wgchairs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wgchairs>, <mailto:wgchairs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Aug 2020 13:58:11 -0000
On Sun, Aug 02, 2020 at 09:28:20PM +0200, Carsten Bormann wrote:
> Hi Toerless,
>
> I really didn???t want to further extend this part of the thread.
I actually find it quite important that we had more of this type of discussion about actually
system-level security considerations instead of just the end-to-end transport channel crypto.
Of course, this may not be the right thread, and its also unclear what type of draft document
couldn/should be created from this, but it would be a pity of this wasn't something that
ended up in a place where it could be educational to more IETF'ler'. Especially with all
the interesting references you've collected already.
> > What specifically are the technical risks for which you would not have joined
> > a ZVC meeting, such as one of the IETF108 side meetings that used zoom ?
> > (or for that matter of course future interims, which this thread is about)
>
> The technical risks, and ZVC???s moves to appear getting them covered, are well documented. I cited Steven Bellovin???s piece that came to the conclusion that these are manageable for the kinds of communication that are similar to what we do in open meetings. (I don???t agree with respect to system security.)
I saw a range of discuss worthy aspects in Steven's document:
a) unless i overlooked something, he just said that he mistrusts browsers more...because of they multi-application/CORS atack surface (i guess). Sounds to me like a reasonable argument, but one that might be possible to overcome if we had a model by which you could start instances of browser (such as in a container model) constrained to a specific (set of) URLs it can access. Many Android Apps AFAIK are just those type of shims on top of browser rendering too. Just no well established model on desktops AFAIK.
b) He rightfully points out that malicious client code is the weakest link, especially when it is written by entities that could be extorted by governments. Unfortunately he then still goes on to claim Zoom is less to be trusted than Cisco given how Zoom has Chinese based development. The same of course is true for Webex. And the extend to which USA lawful intercept can be applied not only to SP but also to software vendors seem to be quite unclear and unknown. Especially given how few such vendors even have warrant canaries to indicate when they had a run in with the US security agencies.
> However, the reason I???m not going to join conferences based on ZVC products is mainly Ethical, with the technical issues playing second fiddle.
> > If the reason is fear of unknown undetected security risk due to lack of
> > trust into the security diligence of ZVC, would using the RTCweb browser
> > client instead of the native client resolve this issue ?
>
> Certainly not the Ethical issues. On the technical side, I do believe that I should prefer browser access over installing vendor-supplied apps with wide access to my system. But, again, see Steve???s counterpoint on this specific issue.
I am wondering how a javascript client is not also easier decoded and analyzed.
But ideally, the javascript browser clients could/should be open source.
> As a general observation, it is enlightening to which level of criminal energy (technical term here, not the legal one) the ZVC developers have risen to circumvent CORS for their backdoor; it does not seem far-fetched to assume there will be other attacks on browser security when the browser security features happen to get in the way of ZVC corporate policy.
I wonder if there are good written standards for security development
from which the judgements ("criminal energy") that you are making could be
drawn. E.g.: I would not be surprised to hear competely differently
worded judgement calls from other evaluations and i therefore think
there are no good "community" ? "industry" ? standard for such judgmenets.
Or are there ?
> > If we want future interims like past interims to be publically announced
> > without participant auhentication, i think zoombombing would be a risk
> > for any platform we choose: meetecho, webex, zoom, BBB, whatever.
>
> Even discussing Zooombombing as a security issue makes me question whether you have started to consider the real issues. However, let me point out that conferencing systems based on authorization, such as meetecho or BBB (if correctly configured) only have the problem as far as the authorization can be gamed.
I didn't say security. Just a list of issues to consider.
I think we are in full agreement that user authentication is probably the easiest
way to avoid zoomboming (whatever tool we use). However, the current datatracker
account (manually created) and paywall, single-instance participation only are
too limited to widen the use of meetecho to all the cases we would want to support IMHO.
> > Leaves as the biggest risk AFAIK the problem of clients creating backdoors,
> > and i would hope that w3c/ietf work on browser client platform security
> > would be sufficient.
>
> (See above.)
>
> Fool me once, shame on you; fool me twice, shame on me.
Cheers
Toerless
> Grüße, Carsten
--
---
tte@cs.fau.de
- Meetecho for interims? John Scudder
- Re: Meetecho for interims? Benjamin Kaduk
- Re: Meetecho for interims? Fred Baker
- Re: Meetecho for interims? Jeff Tantsura
- Re: Meetecho for interims? Jim Fenton
- Re: Meetecho for interims? Spencer Dawkins at IETF
- Re: Meetecho for interims? Carsten Bormann
- Re: Meetecho for interims? Leif Johansson
- Re: [irsg] Meetecho for interims? Carsten Bormann
- Re: [irsg] Meetecho for interims? Leif Johansson
- Re: [irsg] Meetecho for interims? Carsten Bormann
- Re: [irsg] Meetecho for interims? Toerless Eckert
- Re: [irsg] Meetecho for interims? Carsten Bormann
- Re: [irsg] Meetecho for interims? Toerless Eckert