Message info
 
To:Fabio Pietrosanti (naif) From:Roman Shpount Subject:Re: [rtcweb] SRTP and "marketing" Date:Thu, 29 Mar 2012 02:45:55 -0400
 


On Thu, Mar 29, 2012 at 2:27 AM, Fabio Pietrosanti (naif) <lists@infosecurity.ch> wrote:
On 3/29/12 7:42 AM, Roman Shpount wrote:
> I actually believe that if sufficient
> monitoring constraints are not build into a browser (not to record but
> at least to monitor who the browser is exchanging data with and using
> what protocols), WebRTC would be simply disabled in most enterprises as
> a security risk.

Your concern would be addressed by the use of SDES-SRTP rather than
DTLS-SRTP.

SDES-SRTP would provide, in the context of WebRTC, the transport of SDES
key over HTTP(S) and so would let all existing methods for HTTP/HTTPS
inspection to works fine.

Technology for inspection of HTTP/HTTPS traffic already exists, are
widely deployed and so if we transport keying material over HTTP (with
SDES-SRTP), all Enterprises will already have their existing
infrastructure in-place.

I am not sure I would agree with this. In order for what you propose to work there is a need for a reliable mechanism to extract SDP from HTTP/HTTPS traffic. This is not as simple as you would think, since JavaScript application can use any custom protocol to transmit the SDP data. It can, for instance, even implement encryption in JavaScript that will encode SDP using user supplied key, which would make SDP extraction impossible. In order to implement such inspection we need to have some sort of hook in the browser that allows an external entity to intercept and examine all the SDP being passed to and from WebRTC. Without such hook there is no benefit to SDES. With such hook there is no downside to DTLS.
_____________
Roman Shpount