- From: Harald Alvestrand <harald@alvestrand.no>
- Date: Sun, 6 Dec 2015 17:10:34 +0100
- To: public-webrtc@w3.org

On 5 Dec 2015 12:02, Martin Thomson wrote:
> What is this supposed to mean?
>
> "To prevent network sniffing from allowing a fourth party to establish
> a connection to a peer using the information sent out-of-band to the
> other peer and thus spoofing the client, the configuration information
> SHOULD always be transmitted using an encrypted connection."
>
> It's right at the bottom of a very big Section 4.3.1.
>
> I might guess that this relates to the ICE ufrag and pwd, but it's
> well out of place if that is the case and very confusing either way.
>

Ufrag and password will let one establish an ICE connection. It won't permit a DTLS connection, since that requires the fingerprint to match.

An active attacker can modify the fingerprint and get connected, but that's not what this paragraph is referring to, since it specifically talks about "network sniffing", not network interception - back in the days when we still considered permitting SDES, the warning was true as it stands - but we don't do that any more.

I'd suggest deleting the paragraph.

Received on Sunday, 6 December 2015 16:11:07 UTC
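
The distinction drawn in the message above, as an added example (not code from the thread or from any WebRTC implementation): the ICE ufrag and password can be read from an observed SDP, but the DTLS step accepts only a certificate whose hash matches `a=fingerprint`. The SDP fragment, the certificate byte strings and the function names are constructed for illustration, and limiting the accepted hashes to SHA-2 is this example's own choice.

```python
import hashlib
import hmac

# Hash names as written in a=fingerprint, mapped to hashlib names.
# Accepting only SHA-2 is this example's policy choice (assumption).
HASHES = {"sha-256": "sha256", "sha-384": "sha384", "sha-512": "sha512"}
WANTED = ("ice-ufrag", "ice-pwd", "fingerprint")


def parse_security_attrs(sdp):
    """Collect the ice-ufrag, ice-pwd and fingerprint attributes from an SDP blob."""
    attrs = {}
    for line in sdp.splitlines():
        if line.startswith("a=") and ":" in line:
            name, value = line[2:].split(":", 1)
            if name in WANTED:
                attrs[name] = value.strip()
    return attrs


def fingerprint(cert_der, hash_name="sha-256"):
    """Format a certificate hash as SDP does: uppercase hex pairs joined by ':'."""
    digest = hashlib.new(HASHES[hash_name], cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def dtls_peer_allowed(sdp, presented_cert_der):
    """True only if the presented certificate matches the signalled fingerprint."""
    parts = (parse_security_attrs(sdp).get("fingerprint") or "").split()
    if len(parts) != 2 or parts[0].lower() not in HASHES:
        return False  # missing or unsupported fingerprint: refuse, never skip
    actual = fingerprint(presented_cert_der, parts[0].lower())
    return hmac.compare_digest(actual.encode(), parts[1].upper().encode())


# Constructed stand-ins for DER-encoded certificates (not real certificates).
PEER_CERT = b"constructed-der-bytes-of-the-legitimate-peer"
OTHER_CERT = b"constructed-der-bytes-of-a-party-that-only-saw-the-sdp"

# Constructed SDP fragment carrying the three security-relevant attributes.
SDP = "\r\n".join([
    "v=0",
    "a=ice-ufrag:F7gI",
    "a=ice-pwd:x9cml/YzichV2+XlhiMu8g",
    "a=fingerprint:sha-256 " + fingerprint(PEER_CERT),
]) + "\r\n"
```

The check is only as strong as the integrity of the SDP it reads, which is the fingerprint-modification case the message separates from sniffing.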