
Re: Strange warning

From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 6 Dec 2015 11:40:31 -0800
Message-ID: <CABcZeBOGz18+PXiswQQhU=rq04R4bZD2wiq3Vpkw6G=5Cp+jZw@mail.gmail.com>
To: Harald Alvestrand <harald@alvestrand.no>
Cc: "public-webrtc@w3.org" <public-webrtc@w3.org>

I would be on board with deleting this paragraph.

On Sun, Dec 6, 2015 at 8:10 AM, Harald Alvestrand <harald@alvestrand.no>
wrote:

> On 5 Dec 2015 12:02, Martin Thomson wrote:
> > What is this supposed to mean?
> >
> > "To prevent network sniffing from allowing a fourth party to establish
> > a connection to a peer using the information sent out-of-band to the
> > other peer and thus spoofing the client, the configuration information
> > SHOULD always be transmitted using an encrypted connection."
> >
> > It's right at the bottom of a very big Section 4.3.1.
> >
> > I might guess that this relates to the ICE ufrag and pwd, but it's
> > well out of place if that is the case and very confusing either way.
> >
>
> Ufrag and password will let one establish an ICE connection.
>
> It won't permit a DTLS connection, since that requires the fingerprint
> to match.
> An active attacker can modify the fingerprint and get connected, but
> that's not what this paragraph is referring to, since it specifically
> talks about "network sniffing", not network interception - back in the
> days when we still considered permitting SDES, the warning was true as
> it stands - but we don't do that any more.
>
> I'd suggest deleting the paragraph.
>
Received on Sunday, 6 December 2015 19:41:41 UTC
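
Added example, not part of the original thread or of the specification text: a Python sketch of the distinction drawn in the quoted reply, where the SDP carries both the ICE credentials and the DTLS certificate fingerprint, and the fingerprint check is what a connection still has to pass. The function names, the SDP fragment and the certificate byte strings are constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates (not real certificates).
PEER_CERT_DER = b"constructed-peer-certificate-der"
OTHER_CERT_DER = b"constructed-other-party-certificate-der"
ALLOWED = ("sha-256", "sha-384", "sha-512")

def format_fingerprint(der: bytes, algo: str = "sha-256") -> str:
    """Colon-separated uppercase hex digest, as carried in a=fingerprint."""
    digest = hashlib.new(algo.replace("-", ""), der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_sdp(sdp: str) -> dict:
    """Extract the ICE credentials and the DTLS fingerprint attribute."""
    out = {}
    for line in sdp.splitlines():
        for key in ("ice-ufrag", "ice-pwd", "fingerprint"):
            prefix = f"a={key}:"
            if line.strip().startswith(prefix):
                out[key] = line.strip()[len(prefix):]
    return out

def fingerprint_matches(sdp: str, presented_der: bytes) -> bool:
    """Compare the certificate seen in the DTLS handshake with the SDP value.

    A match only ties the certificate to the signaling; possession of the
    private key is proven by the DTLS handshake itself.
    """
    algo, _, value = parse_sdp(sdp).get("fingerprint", "").partition(" ")
    if algo.lower() not in ALLOWED:
        return False  # missing attribute or unsupported hash: reject
    expected = format_fingerprint(presented_der, algo.lower())
    return hmac.compare_digest(expected.encode(), value.strip().upper().encode())

# Constructed SDP fragment as it would cross the signaling channel.
SAMPLE_SDP = "\r\n".join([
    "a=ice-ufrag:EXufrag",
    "a=ice-pwd:EXAMPLEpasswordEXAMPLE00",
    "a=fingerprint:sha-256 " + format_fingerprint(PEER_CERT_DER),
    "a=setup:actpass",
])

if __name__ == "__main__":
    print("ICE credentials visible in SDP:", parse_sdp(SAMPLE_SDP)["ice-ufrag"])
    print("genuine certificate accepted:", fingerprint_matches(SAMPLE_SDP, PEER_CERT_DER))
    print("other certificate accepted:", fingerprint_matches(SAMPLE_SDP, OTHER_CERT_DER))
```

The check is only as trustworthy as the SDP it reads: if the fingerprint line is rewritten in transit, the rewritten value is what gets compared, which is why integrity of the signaling channel matters.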
