Opened 8 years ago

#6 new defect

Section 4.2.2

Reported by: bernard_aboba@… Owned by: draft-ietf-rtcweb-security@…
Priority: major Milestone: milestone1
Component: security Version: 1.0
Severity: In WG Last Call Keywords:
Cc:

Description

[Note: current thinking in the RTCWEB WG is not to support TCP and to support SCTP over DTLS, thus removing the need for masking.]

[BA] This section seems somewhat "overtaken by events" given that the data channel will run over DTLS. How about the following?

4.2.2. Masking

Once consent is verified, there still is some concern about
misinterpretation attacks as described by Huang et al.[huang-w2sp].
Where TCP is used the risk is substantial due to the potential
presence of transparent proxies and therefore if TCP is to be used,
then WebSockets? style masking MUST be employed.

Since DTLS (with the anti-chosen plaintext mechanisms required by
TLS 1.1) does not allow the attacker to generate predictable
ciphertext, there is no need for masking of protocols running over
DTLS (e.g. SCTP over DTLS, UDP over DTLS, etc.).

Change History (0)

Note: See TracTickets for help on using tickets.