W3C home > Mailing lists > Public > public-webrtc@w3.org > December 2015

Re: Strange warning

From: Harald Alvestrand <harald@alvestrand.no>
Date: Sun, 6 Dec 2015 17:10:34 +0100
To: public-webrtc@w3.org
Message-ID: <56645DFA.6000805@alvestrand.no>
Den 05. des. 2015 12:02, skrev Martin Thomson:
> What is this supposed to mean?
> 
> "To prevent network sniffing from allowing a fourth party to establish
> a connection to a peer using the information sent out-of-band to the
> other peer and thus spoofing the client, the configuration information
> SHOULD always be transmitted using an encrypted connection."
> 
> It's right at the bottom of a very big Section 4.3.1.
> 
> I might guess that this relates to the ICE ufrag and pwd, but it's
> well out of place if that is the case and very confusing either way.
> 

Ufrag and password will let one establish an ICE connection.

It won't permit a DTLS connection, since that requires the fingerprint
to match.
An active attacker can modify the fingerprint and get connected, but
that's not what this paragraph is referring to, since it specifically
talks about "network sniffing", not network interception - back in the
days when we still considered permitting SDES, the warning was true as
it stands - but we don't do that any more.

I'd suggest deleting the paragraph.
Received on Sunday, 6 December 2015 16:11:07 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 15:19:47 UTC