Re: Ban ICE-LITE? Re: webRTC and Content Security Policy connect-src from Harald Alvestrand on 2018-01-12 (public-webrtc@w3.org from January 2018)

From: Harald Alvestrand <harald@alvestrand.no>
Date: Fri, 12 Jan 2018 14:35:27 +0100
To: Iñaki Baz Castillo <ibc@aliax.net>
Cc: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>, T H Panton <thp@westhawk.co.uk>, "public-webrtc@w3.org" <public-webrtc@w3.org>, Cullen Jennings <fluffy@iii.ca>
Message-ID: <81f8f628-22bd-2d35-c19e-36f9fff77bcf@alvestrand.no>

On 01/12/2018 02:20 PM, Iñaki Baz Castillo wrote:
> On 12 January 2018 at 14:19, Harald Alvestrand <harald@alvestrand.no> wrote:
>> To me, it sounds like we should ban ICE-LITE altogether.
>>
>> We've got a lot of security story resting on the idea that the ICE
>> request/response requires both ends to have seen the SDP.
>> If that isn't true for ICE-LITE, then ICE-LITE is not safe for WebRTC.
> That's right. However, did you read my proposal to fix that within
> ICE/STUN itself?
>
The one using a reflected "ufrag"?

A modified ICE isn't compatible with the deployed base, so that is
completely consistent with banning ICE-LITE (current version) outright.

Received on Friday, 12 January 2018 13:36:15 UTC