Opened 8 years ago

#9 new defect

Section 4.3.2

Reported by: bernard_aboba@… Owned by: draft-ietf-rtcweb-security@…
Priority: major Milestone: milestone1
Component: security Version: 1.0
Severity: In WG Last Call Keywords:
Cc:

Description

4.3.2. Protecting Against During-Call Attack

Protecting against attacks during a call is a more difficult
proposition. Even if the calling service cannot directly access
keying material (as recommended in the previous section), it can
simply mount a man-in-the-middle attack on the connection, telling
Alice that she is calling Bob and Bob that he is calling Alice, while
in fact the calling service is acting as a calling bridge and
capturing all the traffic. While in theory it is possible to
construct techniques which protect against this form of attack, in
practice these techniques all require far too much user intervention
to be practical, given the user interface constraints described in
[abarth-rtcweb].

[BA] I think it's more than a user intervention/user interface issue. Aside from snooping the signaling to see if the callee includes an "isfocus" tag, how can the browser know if it is calling a conference bridge or not? Personally, I'd remove the "in theory" sentence.

Change History (0)

Note: See TracTickets for help on using tickets.