- From: Harald Alvestrand <harald@alvestrand.no>
- Date: Sun, 28 Jan 2018 18:05:20 +0100
- To: public-webrtc@w3.org

On 26 Jan 2018 19:29, Cullen Jennings (fluffy) wrote:
>
>
>> On Jan 25, 2018, at 5:45 AM, Emil Ivov <emcho@jitsi.org> wrote:
>>
>>
>> A way to set e2e encryption keys (for something like SRTP double)
>> would be great!
>>
>> Obviously doing that from the regular API wouldn’t make much sense,
>> but giving that option to browser extensions would be nice!
>>
>
> Let me generalize this a bit … I think the WG thinking about what APIs
> it might have for browser extensions as well as what API for JavaScript
> would be a good thing. This keying is one, codecs is another, and
> handling the policy around what IP addresses get disclosed is another.
>
>

Remember that exposing the session keys to JavaScript means that anyone who can get to your JavaScript context can decrypt your communications, and that anyone who's able to get or set your public/private keypair can impersonate you in a man-in-the-middle attack. Of course anyone who can get at your raw communication can get at your communication anyway, so this might not seem like a big deal. But think through the security model before you ask to set keys.

Received on Sunday, 28 January 2018 17:06:39 UTC