- From: westhawk <thp@westhawk.co.uk>
- Date: Fri, 17 Mar 2017 08:51:14 +0000
- To: Cullen Jennings <fluffy@iii.ca>
- Cc: Dominique Hazaƫl-Massieux <dom@w3.org>, "public-webrtc@w3.org" <public-webrtc@w3.org>
Received on Friday, 17 March 2017 08:51:49 UTC
> On 17 Mar 2017, at 02:35, Cullen Jennings <fluffy@iii.ca> wrote: > > > The security of WebRTC is very weak without this, That is an overstatement of the situation in my view. There are several services that address the MiTM risks by adding their own identity validation mechanisms which in turn verify the DTLS fingerprint. One example is wire.com : https://medium.com/wire-news/the-road-to-a-more-private-and-secure-calling-protocol-a8f22d23f112 <https://medium.com/wire-news/the-road-to-a-more-private-and-secure-calling-protocol-a8f22d23f112> Or Matrix.org <http://matrix.org/> Or https://tools.ietf.org/html/draft-johnston-rtcweb-zrtp-02 <https://tools.ietf.org/html/draft-johnston-rtcweb-zrtp-02> All of these use cryptography in Javascript to validate the identity of a webRTC caller and detect MiTM. The limitation is that to work both parties need to be loading the same javascript, probably from the same site. What the identity provider draft brings is a standard mechanism - implemented inside the browser - which would allow the decoupling of the identity from the calling site - it also allows calls between 2 different web properties to be verified. This additional feature is a very-nice-to-have -but not essential - certainly not enough to justify delaying the rest of the standardisation process while we wait for it. Tim.
Received on Friday, 17 March 2017 08:51:49 UTC