On Sat, 26 Mar 2022 at 21:39, dxssx dxssx <dxssx.dx...@gmail.com> wrote:

> Is this the right place to ask a question? (I came across from google
> results)

the discuss-webrtc mailing list is a better place (so please remove blink-dev when responding)

> Just curious about the intention "The reason why SDES is deprecated is
> that it is a security problem: It exposes session keys to Javascript, which
> means that entities with access to the negotiation exchange, or with the
> ability to subvert the Javascript, can decrypt the media sent over the
> connection."

The decision to not support SDES in WebRTC dates back to an IETF decision from 2013. https://webrtchacks.com/webrtc-must-implement-dtls-srtp-but-must-not-implement-sdes/ has some details and links to the slides.

> Is javascript a real concern? IIUC, the new insertable stream will allow
> javascript to be able to access media and the potential usage of it for
> E2EE will intentionally let javascript to handle E2EE keys.

The concern here is not javascript but exposing the key to signaling servers, passive MITM attacks and retroactive decryption. DTLS doesn't suffer from those problems, not exposing the encryption keys to Javascript is a bonus here.

Thanks.

> On Thursday, August 26, 2021 at 1:45:47 AM UTC-7 Harald Alvestrand wrote:
>
>> Contact emails: h...@chromium.org
>>
>> Explainer: None
>>
>> Specification: https://www.rfc-editor.org/rfc/rfc8826#section-4.3.1
>>
>> Summary
>>
>> The SDES key exchange mechanism for WebRTC has been declared a MUST NOT
>> in the relevant IETF standards since 2013. The SDES specification has been
>> declared Historic by the IETF. Its usage in Chrome has declined
>> significantly over the recent year. This intent is to deprecate and remove
>> this code from Chromium and WebRTC.
>>
>> Blink component: Blink>WebRTC>Network
>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EWebRTC%3ENetwork>
>>
>> Motivation
>>
>> The reason why SDES is deprecated is that it is a security problem: It
>> exposes session keys to Javascript, which means that entities with access
>> to the negotiation exchange, or with the ability to subvert the Javascript,
>> can decrypt the media sent over the connection.
>>
>> Initial public proposal
>>
>> TAG review
>>
>> TAG review status: Not applicable
>>
>> Risks
>>
>> Interoperability and Compatibility
>>
>> Gecko: No signal
>>
>> WebKit: No signal
>>
>> Web developers: No signals
>>
>> Debuggability
>>
>> When this feature is removed, people attempting to set up such a
>> connection will fail to do so. This should be easy to diagnose.
>>
>> Is this feature fully tested by web-platform-tests
>> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?
>> No
>>
>> Flag name
>>
>> Requires code in //chrome? False
>>
>> Tracking bug: https://crbug.com/webrtc/11066
>>
>> Estimated milestones
>>
>> Link to entry on the Chrome Platform Status
>> https://www.chromestatus.com/feature/5695324321480704
>>
>> This intent message was generated by Chrome Platform Status
>> <https://www.chromestatus.com/>.
>>
> --
> You received this message because you are subscribed to the Google Groups
> "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to blink-dev+unsubscr...@chromium.org.
> To view this discussion on the web visit
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/39f67083-8391-4e0a-8f3e-549848adbc73n%40chromium.org
> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/39f67083-8391-4e0a-8f3e-549848adbc73n%40chromium.org?utm_medium=email&utm_source=footer>
> .

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADxkKiLs-Lq%3DVV8ooP%2By6RYjwnkwP1cKk1Zrm6aZnSD--tcjdw%40mail.gmail.com.
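As an added example (not code from this thread, nor from Chromium or WebRTC), the following JavaScript makes the reply's point concrete: an SDES offer carries the SRTP master key in its own `a=crypto` line, so any signaling server that relays or logs the SDP holds the media key, whereas a DTLS-SRTP offer signals only a certificate fingerprint. The `auditSdpKeying` function, both sample offers and the placeholder fingerprint are constructed for this example.

```javascript
// Added example (not from the thread or Chromium/WebRTC): audit SDP for how
// SRTP keys are established. SDES (RFC 4568) carries the SRTP master key in
// the SDP itself ("a=crypto:<tag> <suite> inline:<base64 key|salt>"), so any
// signaling server that relays or logs the offer holds the media key.
// DTLS-SRTP (RFC 5764) signals only a certificate fingerprint; the keys come
// out of the DTLS handshake on the media path and never appear in the SDP.
function auditSdpKeying(sdp) {
  const result = { sessionFingerprint: false, sections: [] };
  let current = null;
  for (const raw of sdp.split(/\r?\n/)) {
    const line = raw.trim();
    if (line.startsWith("m=")) {
      // m=<media> <port> <proto> <fmt...>; keep proto to show the profile in use
      const [media, , proto] = line.slice(2).split(" ");
      current = { media, proto, sdesKeys: [], fingerprint: false };
      result.sections.push(current);
    } else if (line.startsWith("a=fingerprint:")) {
      // session-level (before any m= line) or per media section
      if (current) current.fingerprint = true; else result.sessionFingerprint = true;
    } else if (line.startsWith("a=crypto:") && current) {
      // only the "inline:" key method is handled; the key material is right there
      const m = /^a=crypto:(\d+)\s+(\S+)\s+inline:([^|\s]+)/.exec(line);
      if (m) current.sdesKeys.push({ tag: m[1], suite: m[2], keyB64: m[3] });
    }
  }
  for (const s of result.sections) {
    s.usesDtlsSrtp = s.fingerprint || result.sessionFingerprint;
    s.exposesKey = s.sdesKeys.length > 0;
  }
  result.exposesKeys = result.sections.some((s) => s.exposesKey);
  return result;
}

// Constructed sample offers, not captured traffic. The SDES key is modelled on
// the example value in RFC 4568; the fingerprint is an obvious placeholder.
const SDES_OFFER = ["v=0", "o=- 1 1 IN IP4 127.0.0.1", "s=-", "t=0 0",
  "m=audio 9 RTP/SAVPF 111", "c=IN IP4 0.0.0.0",
  "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz|2^20|1:32",
  "a=rtpmap:111 opus/48000/2"].join("\r\n");
const DTLS_OFFER = ["v=0", "o=- 1 1 IN IP4 127.0.0.1", "s=-", "t=0 0",
  "a=fingerprint:sha-256 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF",
  "m=audio 9 UDP/TLS/RTP/SAVPF 111", "c=IN IP4 0.0.0.0",
  "a=setup:actpass", "a=rtpmap:111 opus/48000/2"].join("\r\n");

for (const [name, offer] of [["SDES", SDES_OFFER], ["DTLS-SRTP", DTLS_OFFER]]) {
  const a = auditSdpKeying(offer);
  console.log(name, a.exposesKeys ? "SRTP key exposed in signaling" : "no key in signaling",
    a.sections.map((s) => `${s.media} ${s.proto} dtls=${s.usesDtlsSrtp}`).join(", "));
}
```

Run over SDP logged by a signaling server or SFU, a non-empty `sdesKeys` list means the logged blob itself is enough to decrypt that session's media, which is the retroactive-decryption risk the reply names.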