Re: Call for adoption - use case for "Trusted application, untrusted intermediary"

On 28/11/2018 0:28, Eric Rescorla wrote:
>     No we aren't because it is a completely different scenario. Even
>     if the outher keys are compromising by using it in the app, the
>     inner dtls keys are not and on worst scenario we would be on same
>     scenario as what we are today in webrtc 1.0.
> It's a different scenario but the same reasoning applies: having the 
> JS (and more importantly, some intermediate server) creates a number 
> of vectors for passive attack. And because the data is in the clear at 
> the SFU, then you have the possibility for a completely passive 
> attack. This is one of the primary reasons why we required DTLS-SRTP 
> and not SDES for basic WebRTC.

JS can clone the media stream and just send the media to a rogue server, 
no need to worry about intercepting keys.

Best regards


Received on Wednesday, 28 November 2018 09:06:08 UTC