W3C home > Mailing lists > Public > public-webrtc@w3.org > May 2014

Re: Dealing with isolation state mismatches

From: Harald Alvestrand <harald@alvestrand.no>
Date: Fri, 16 May 2014 09:17:28 +0200
Message-ID: <5375BB88.3000104@alvestrand.no>
To: Martin Thomson <martin.thomson@gmail.com>
CC: "public-webrtc@w3.org" <public-webrtc@w3.org>
On 05/15/2014 04:03 PM, Martin Thomson wrote:
> This response bothers me a lot.  Because it seems like the adversarial
> model we have had since before I was even involved isn't well enough
> understood.

Yep.

Or - the way I describe it - the model that is in your mind isn't 
explicit enough in the documents for me to be sure it's the same model 
as is in my mind.

>
> The model says that user A and user B may or may not trust each other.
>   But they probably trust each other with the media that they choose to
> send.  If they don't trust each other that far, then they probably
> shouldn't be placing calls to each other.
>
> The term user agent is carefully chosen, and totally necessary in
> this.  Users don't know how to flip bits, so they have some software
> do it for them.  That's a browser, and the model suggests that users
> trust their own browsers.  This model also suggests that users that
> trust other users with their media, trust that the other user is using
> a browser that follows the rules too.  So we can basically conflate
> user and browser.
>
> (I think that so far, we're aligned...)
>
> Where the disconnect comes is with parties 5 and 6, or X and Y: the
> origins running javascript in either browser.  In the default case, we
> sort of trust these guys and give them our media.  But the whole point
> of the confidential call case is that we don't.  That's on both sides.
>
> In many cases (and likely all in the near term), X == Y.

For a majority of the point to point cases, I think X == Y is likely.
For all the MCU cases, and for all the gatewaying cases, X =/= Y (Y 
isn't even a browser).

>    That means
> that if you have isolation from X, you had better have isolation from
> Y.  Otherwise you get trivial workarounds.  For example, X has been
> given isolated media.  It creates two RTCPeerConnection instances and
> sends the media to itself, trivially circumventing the isolation.

Nit: It can only do that if it can identify itself as B, which turns 
this into the same kind of threat as any man-in-the-middle attack. But 
yes; if X can choose or spoof the identity, workarounds are trivial.

>
> For this reason, we need a strong signal that media should be
> isolated.  (That's the IETF's business, but I've proposed an ALPN
> mechanism, after feedback from TLS folks that this was probably more
> appropriate than an extension.)  This signal allows a browser to make
> this call.
>
> Now, you claim that a user should be able to do what they want with
> media.  YES.  Definitely.  But that needs to be between the browser
> and the user, not that application running in the browser.

Actually I don't think we're disagreeing that much.

What I gather from this conversation is that isolation of streams makes 
sense for the point to point case (and, most especially, the X == Y 
case). In that use case, signalling of isolation makes sense.

In other cases, it is harder to see how it is useful; it might or might not.

If we document that this is the intended use case for the functionality, 
I'm happy.

>
> On 15 May 2014 02:00, Harald Alvestrand <harald@alvestrand.no> wrote:
>> On 05/15/2014 07:21 AM, Martin Thomson wrote:
>>> This is probably best handled in a room, but here goes.
>>>
>>> A has isolated streams because it thinks it's making a "private" call.
>>>    (Scare quotes intentional.)
>>>
>>> B has regular streams.
>>>
>>> A and B try to establish a call.  Nothing in the signaling they are
>>> using (SDP, woo!) indicates that they are screwed.  The browser runs
>>> the O/A exchange and it seems OK, until the DTLS session blows up.
>>>
>>> Do we want a signal in SDP for this state?  I think that it would be
>>> nice.  We can put a wee attributey thing on the a=identity line.
>>>
>>> Sorry, scratch that, we can request that the RTCWEB working group
>>> consider this as a new requirement on their signaling work.
>>>
>> I'm not sure I quite get the "isolated" property's properties here.
>>
>> When it was initially proposed, I thought it was intended for:
>>
>> A runs a Javascript app X
>> A wants his media to end up only with B, not anyone else X wants to send it
>> to
>> X marks the streams as "isolated", A checks that this is true (oops, UI
>> needed), and is happy
>> X sends the streams to B.
>> B does what B does - records them, mixes them, relays them - whatever. This
>> is OK, because A trusts B with his streams.
>>
>> If we have the "isolation" property be signalled, and honored across the
>> network, it means that there's a trust relationship (or rather, lack of
>> trust) between A and the Javascript running in B's browser - let's call that
>> Y.
>>
>> So the requirement becomes that A wants assurance from Y that it's not
>> peeking at the streams. This also prevents Y from offering functions to B
>> for enhancing, processing, recording or relaying the streams in ways
>> incompatible with isolation - there's a cost to everything.
>>
>> I can't manage to make the logical leap that this is the right thing for all
>> cases.
>>
>> The necessary trust relationship to Y is between B and Y.
>> A negotiation of isolation can only say "Y promises that these streams are
>> isolated, and B can verify that using his browser's UI".
>>
>> So I get at least 3 cases falling out of this:
>>
>> - A doesn't care. No isolation needed.
>>
>> - A doesn't trust X, but trusts B and trusts that B takes care with his
>> streams.
>>    X has to show evidence of isolation. A doesn't care what Y does; he trusts
>> B to verify that,
>>    if needed.
>>
>> - A doesn't trust X, has reasons to distrust Y, but trusts B to verify that
>> Y does the right thing.
>>    X has to show evidence of isolation. Y has to show evidence to X that B
>> should be able to
>>    verify that the streams are isolated.
>>
>> Negotiation is only needed for the third case.
>>
>> If isolation is of value in the second case, it seems that there should be a
>> configuration option in the PC that says "Isolate incoming streams". In
>> general, all means of producing streams should probably offer the option to
>> indicate "these should be isolated" - strictly as a local matter.
>>
>> Is the third case important enough that we really need this in the protocol?
>>
>>
>>
>>
>>
Received on Friday, 16 May 2014 07:17:59 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 15:19:40 UTC