> > Dunno, WebRTC is so prone to MITM.
> > I'd rather have something secure.

On Tue, Jan 21, 2014 at 09:01:49PM -0500, Lucas Dixon wrote:
> What kind of MITM attack are you thinking of? WebRTC doesn't specify a key
> authentication protocol, so not sure WebRTC is anything specific enough to

The architecture provides no way to do key authentication and then the protocol doesn't specify any.. it's the leave-out-the-blanks strategy for corps to fill out. Well I think I know how the leading corps such as Google and Facebook will do it, and it will not be end-to-end secure.

> say it not secure. WebRTC is compatible with ZRTP key-authentication which
> builds in a video-based auth scheme and should stop MITM attacks (last time

You can't Diffie-Hellman yourself out of a MITM. If the fundamental link is unsafe, you can make all the ephemeral keys you like - the observer can trace them all.

> I checked). You could also use some other form of key-auth with WebRTC,
> e.g. swap key-hashes in person.

99.9% of WebRTC users will be clicking on the "call" button in Faceboogle and not even be offered the option of having actual end-to-end secrecy. How could that work? The web browser isn't designed for that.

So I expect WebRTC to become the next major problem for the liberation business as it removes one more reason for people to install actual free software - just now that free software Skype alternatives are surfacing. All this optimism about WebRTC will even help it being established as something apparently better than Skype. Actually, Skype operates end-to-end, too - unless it is being deviated. So WebRTC will deliver just the same... unless you run your own immaculate untampered server.. but then you are some eccentric at the edge of the universe who even knows how to set one up that employs no cheap VM, resides in your home in a reasonable country and goes by the name of something.onion.

Hey, even if the entire liberation community was using some cool.onion WebRTC offering, it would just be the next great honeypot and I don't know if there are places on earth left to host big pots of honey.

And then, worst of all aspects, consider that 99.9% of folks have downloaded their WebRTC implementation in form of a non-reproducible binary. Some implementations' source code can't even be audited.

All in all I see plenty of opportunity for a complete surveillance of WebRTC users. What do you see?

-- 
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
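The exchange above turns on two points: an ephemeral Diffie-Hellman handshake on its own says nothing about who is on the other end, and the ZRTP-style short authentication string (SAS) compared out of band is what makes a substituted key visible. The following toy model, added here as an illustration and not code from the thread or from any WebRTC implementation, reduces the key agreement to plain modular Diffie-Hellman in Python. The prime and generator are transcribed from RFC 2409 "group 2" and the demo relies only on exponentiation commuting, not on these being good production parameters; the `Endpoint`, `honest_signaling`, `relayed_signaling` and `run_session` names are hypothetical. It shows that when the signaling path hands each side a different key, both ends still complete an encrypted session and nothing in the handshake itself complains, while the SAS the two users would read to each other no longer agrees.

```python
import hashlib
import secrets

# 1024-bit MODP prime and generator from RFC 2409 ("group 2"), transcribed for this
# demonstration. Only the commutativity g^(ab) == g^(ba) (mod p) matters here; this
# is not a recommendation of parameters for real deployments.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def _to_bytes(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


class Endpoint:
    """One party of an ephemeral Diffie-Hellman handshake (hypothetical stand-in for
    the media-key agreement a WebRTC endpoint performs, reduced to its essentials)."""

    def __init__(self, name: str):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1   # ephemeral private exponent
        self.pub = pow(G, self.priv, P)            # value sent over the signaling path
        self.peer_pub = None                       # whatever signaling delivered to us

    def receive_peer_key(self, pub: int) -> None:
        self.peer_pub = pub

    def session_key(self) -> bytes:
        # Both honest ends reach the same key only if each really saw the other's value.
        return hashlib.sha256(_to_bytes(pow(self.peer_pub, self.priv, P))).digest()

    def sas(self) -> str:
        # ZRTP-style short authentication string derived from the agreed secret. The
        # users read it to each other over the (now encrypted) call; a relay holding a
        # separate key with each side cannot make both ends display the same string.
        return hashlib.sha256(b"SAS" + self.session_key()).hexdigest()[:6]


def honest_signaling(a: Endpoint, b: Endpoint) -> None:
    """Signaling server forwards the public values untouched."""
    a.receive_peer_key(b.pub)
    b.receive_peer_key(a.pub)


def relayed_signaling(a: Endpoint, b: Endpoint, relay_a: Endpoint, relay_b: Endpoint) -> None:
    """Signaling path under someone else's control: each side is handed the relay's
    value instead of the peer's, and the relay completes a handshake with each side."""
    a.receive_peer_key(relay_a.pub)
    relay_a.receive_peer_key(a.pub)
    b.receive_peer_key(relay_b.pub)
    relay_b.receive_peer_key(b.pub)


def run_session(intercepted: bool) -> dict:
    """Run one call setup and report what each side can observe afterwards."""
    alice, bob = Endpoint("alice"), Endpoint("bob")
    if not intercepted:
        honest_signaling(alice, bob)
        relay_reads_both = False
    else:
        relay_a, relay_b = Endpoint("relay-facing-alice"), Endpoint("relay-facing-bob")
        relayed_signaling(alice, bob, relay_a, relay_b)
        relay_reads_both = (relay_a.session_key() == alice.session_key()
                            and relay_b.session_key() == bob.session_key())
    return {
        "keys_match": alice.session_key() == bob.session_key(),   # true end-to-end key?
        "sas_match": alice.sas() == bob.sas(),                    # what the users can check
        "relay_reads_both_directions": relay_reads_both,
    }


if __name__ == "__main__":
    for intercepted in (False, True):
        print("intercepted" if intercepted else "honest     ", run_session(intercepted))
```

The honest run reports matching keys and a matching SAS; the relayed run reports two different session keys, a relay that can decrypt both directions, and an SAS mismatch. Nothing inside the handshake distinguishes the two cases, which is the point made in the thread: the guarantee comes from a comparison the users perform outside the protocol (SAS readout, fingerprints swapped in person), and a client that never offers that comparison leaves the session only as trustworthy as whoever operates the signaling path.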