W3C home > Mailing lists > Public > public-webrtc@w3.org > January 2018

Re: What would you like to see in WebRTC next? A low-level API?

From: Cullen Jennings <fluffy@iii.ca>
Date: Mon, 29 Jan 2018 08:57:12 -0700
Cc: public-webrtc@w3.org
Message-Id: <1265C622-9145-4720-9F7A-A066472607DF@iii.ca>
To: Harald Alvestrand <harald@alvestrand.no>

> On Jan 28, 2018, at 10:05 AM, Harald Alvestrand <harald@alvestrand.no> wrote:
> Den 26. jan. 2018 19:29, skrev Cullen Jennings (fluffy):
>>> On Jan 25, 2018, at 5:45 AM, Emil Ivov <emcho@jitsi.org
>>> <mailto:emcho@jitsi.org>> wrote:
>>> A way to set e2e encryption keys (for something like SRTP double)
>>> would be great!
>>> Obviously doing that from the regular API wouldn’t make much sense,
>>> but giving that option to browser extensions would be nice!
>> Let me generalize this a bit … I think the WG thinking about what APIs
>> it might have for browser extensions as well as what API for JavaScript
>> would be a good thing. This keying is one, codecs is another, and
>> handling the policy around what IP addresses get disclosed is another. 
> Remember that exposing the session keys to Javascript means that anyone
> who can get to your Javascript context can decrypt your communications,
> and that anyone who's able to get or set your public/private keypair can
> impersonate you in a man-in-the-middle attack.
> Of course anyone who can get at your raw communication can get at your
> communication anyway, so this might not seem like a big deal. But think
> through the security model before you ask to set keys.

The way I would add codecs would be more like … 

1. The JS tells the browser where to download a websambly codec 

2. The codec implements a well defined API that has things like encode, decode, set target bitrate, pass in configuration parameters etc.

3. The browser runs the codec in a context where it has no access to anything that would allow it to exfiltrate the raw data or do other bad things but the browser can call the API to encode and decode stuff

4. The JS would be able to set parameters on the codec that the browser would pass in. Note this is data only goes in, does not come out of codec. 

5. The browser would generate stats / metrics about the the performance of the codec that the JS could ready. Note the codec can not create it’s own stats. Yes, you can argue we might be able to exfiltrate data at a super low bitrate this way by doing things like changing the output bitrate of the codec based on information it wanted to exfiltrate but this could be done in a pretty safe was and presumable people that cared would not run codecs from questionable services.

Ignoring the topic of if you think we should work on something like this, let me first ask do you think it might be possible to do something along those lines that could allow plugin codecs while at the same time limited risk of revealing media to the JS. 
Received on Monday, 29 January 2018 15:58:06 UTC

This archive was generated by hypermail 2.3.1 : Monday, 29 January 2018 15:58:07 UTC