W3C home > Mailing lists > Public > public-webrtc-logs@w3.org > June 2019

Re: [webrtc-pc] Add security note about remote SDP (#2201)

From: henbos via GitHub <sysbot+gh@w3.org>
Date: Thu, 13 Jun 2019 13:38:45 +0000
To: public-webrtc-logs@w3.org
Message-ID: <issue_comment.created-501706667-1560433123-sysbot+gh@w3.org>
> [BA] This material relates to security. Does it belong in the security considerations section?

This is a new subsection of Privacy and Security Considerations.

> How the signaling protocol (SDP) is exchanged is unspecified and up to
> the application.
> [BA] This sentence could be deleted.


> [BA] Suggest deleting "The users of these APIs should note that the SDP content is sensitive; ". 


> [BA] delete "amounts of"


> [BA] Not sure what the one-way media threat is here. Is this a concern about a "voice-hammer" attack?
> Suggest a clarification, such as
> "unknowngly support one-way media" -> "unintentionally allowing incoming media"

The concern is if the application expects a certain outcome. For example, if it listens to "ontrack" to update the UI to show that the call is active as part of attaching the remote track to a video tag, but "ontrack" never fires because the answer is recvonly instead of sendrecv. But I like "unintentionally allowing incoming media". I changed it to:

_An application that does not guard against malicious SDP could be at risk of resource deprivation, unintentionally allowing incoming media or not have certain events fire like <code>ontrack</code> if the other endpoint does not negotiate sending._

> [BA] "ensure the authenticity" would seem to be covered by signaling over a secure channel, no? The issue seems to be malevolent (albeit authentic) SDP. Maybe:
> "Applications need to be on guard against malevolent SDP."


GitHub Notification of comment by henbos
Please view or discuss this issue at https://github.com/w3c/webrtc-pc/pull/2201#issuecomment-501706667 using your GitHub account
Received on Thursday, 13 June 2019 13:38:46 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 13 June 2019 13:38:47 UTC