Hi all,
as promised to some of you during TPAC, the STREWS project has published
today the WebRTC Security Case Study. It was teamwork from the entire
project, but special thanks go to Stephen Farrell for constantly
cleaning and improving the document.
The document is published on the STREWS website under "results":
http://www.strews.eu/results/91-d12
For your convenience, here is the abstract:
Built-in handling of Real Time Media (audio, video) on the web promises
potentially significant change in telephony and in conference calling.
The W3C WebRTC and IETF rtcweb working groups are developing the set of
specifications that will allow browsers and web sites to support such
calling and other functions. This is clearly a potentially
security-sensitive extension to the web, so STREWS has devoted effort to this
topic as a case study to both attempt to improve the overall security of
the result and to see if this approach holds promise as a way to improve
interactions between researchers and standards makers and hence the
overall security of the web. In this deliverable, we show some possibly
new issues with WebRTC security discovered by researchers (from SAP)
that the standards makers may not have considered. However, while this
deliverable is, as a deliverable, final, the work itself goes on, partly
involving discussions between the STREWS project and participants in the
IETF and W3C, so in technical terms this remains a work-in-progress.
--
Rigo Wenning (@rigow) - W3C Legal counsel