- From: Aymeric Vitte <vitteaymeric@gmail.com>
- Date: Wed, 2 Dec 2015 14:05:41 +0100
- To: Florian Bösch <pyalot@gmail.com>
- Cc: Brad Hill <hillbrad@gmail.com>, Richard Barnes <rbarnes@mozilla.com>, "Web Applications Working Group WG (public-webapps@w3.org)" <public-webapps@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Le 02/12/2015 13:18, Florian Bösch a écrit : > On Wed, Dec 2, 2015 at 12:50 PM, Aymeric Vitte <vitteaymeric@gmail.com > <mailto:vitteaymeric@gmail.com>> wrote: > > Then you should follow your rules and apply this policy to WebRTC, ie > allow WebRTC to work only with http. > > > Just as a sidenote, WebRTC also does UDP and there's no TLS over UDP. > Also WebRTC does P2P, and there's no certificates/authorities there (you > could encrypt, but I don't think it does even when using TCP/IP (which > it doesn't in case of streaming video over UDP). See https://github.com/Ayms/node-Tor#security, WebRTC uses DTLS with self-signed certifcates + a third party mechanism supposed to secure the connection. As a matter of fact this is almost exactly the same mechanism used by the Tor network, where the CERTS cells use the long term ID key of a Tor node to make sure that you are discussing with that one. This does not prevent of course from discussing with a malicious node not identified as such with valid long term ID keys, which is not a problem for Tor (but is a problem for WebRTC), as long as it behaves as expected, and if it does not, this will be detected. The above mechanism is specific to the Tor network, for other uses of the Tor protocol an alternative is explained here: https://github.com/Ayms/node-Tor#pieces-and-sliding-window for WebRTC And again, adding a TLS layer on top of all this is of complete no use. -- Get the torrent dynamic blocklist: http://peersm.com/getblocklist Check the 10 M passwords list: http://peersm.com/findmyass Anti-spies and private torrents, dynamic blocklist: http://torrent-live.org Peersm : http://www.peersm.com torrent-live: https://github.com/Ayms/torrent-live node-Tor : https://www.github.com/Ayms/node-Tor GitHub : https://www.github.com/Ayms
Received on Wednesday, 2 December 2015 13:06:11 UTC