[liberationtech] RTCWEB and secure multimedia communication on the web.

Fri Mar 23 11:07:10 PDT 2012

The IETF is currently considering new standards for realtime
communications on the Internet focused on browser to browser
communication. This is partially a collaboration with the W3C with the
W3C addressing the application level components and IETF addressing
the low level protocols. With rtcweb people will be able write browser
based versions of applications like Skype.

We can expect in the following decade that a substantial portion of
future person to person speech and video communications will be
carried over these protocols.

There are pluses and minuses of browser based applications, especially
for security. But no matter how the application is provided, if the
traffic on the wire isn't encrypted and authenticated all the time it
will constantly be subject to large scale surreptitious surveillance.
No matter how much I care about security, if the people I talk to
don't have capable software I won't benefit from it, so making it a
default is the only way to make sure it's used where its needed—
browser based endpoints won't be the only ones out there, but their
popularity will make compatiblity with them and their protocols a
requirement for everything.

Rtcweb provides a new opportunity of undoing the some of the flawed
architecture of the Internet where traffic isn't secure by default,
but it also provides a risk of further entrenching the old and bad way
of doing things.

Fortunately, because browser requirements are driving here there are
some special security considerations:  If browser vendors provide a
generic API that lets web applications generate UDP traffic every
browser will be used as a DDOS drone.  There must be some way to
handshake to make sure both parties desire the communications.  It
looks like this will be provided by ICE.    And this means that RTCweb
devices/software will be media level incompatible with legacy VoIP
devices— so legacy compatibility is not an effective argument for
failing to make crypto mandatory.

As a result rtcweb has come quite close to making crypto mandatory.
But some people are opposing it— some because it will be a bigger
burden on gateways and I expect some precisely because they represent
interests that want to engage in (unlawful/unethical) wholesale
surveillance.

The IETF runs an open collaborative decision making process. You don't
have to pay a membership fee or attend a meeting to have your voice be
heard— thoughtful ideas, and actual technical contributions are always
welcome.

I think it would be very helpful if more people with experience in the
importance of secure communications for human rights caught up one
some of the background here and stepped up to support making rtcweb
secure. People need to hear that this isn't just a minor technical
squabble: Insecure communications inhibit free thought and free
expression and cost the lives of people standing up for these rights.

The head of the most recent discussion is at:
http://www.ietf.org/mail-archive/web/rtcweb/current/msg03526.html