Issue 200: Incoming media prior to Remote Fingerprint Verification from Bernard Aboba on 2015-05-16 (public-ortc@w3.org from May 2015)

From: Bernard Aboba <Bernard.Aboba@microsoft.com>
Date: Sat, 16 May 2015 18:24:51 +0000
To: "public-ortc@w3.org" <public-ortc@w3.org>
Message-ID: <BLUPR03MB149C757DECE22EA38857736ECC60@BLUPR03MB149.namprd03.prod.outlook.com>

At the ORTC CG meeting on May 13, Justin pointed out that passing incoming media to an RtpReceiver prior to verification of the remote fingerprint could permit a DTLS man-in-the-middle attack. So while there is the potential for incoming media in the DTLS "connecting" state, there probably should be a prohibition on passing decrypted media to an attacked RtpReceiver until the "connected" state is reached.

Received on Saturday, 16 May 2015 18:25:20 UTC