[liberationtech] From Snowden's email provider. NSL??? (Recipe for Secure Audio, Video, Chat, File Transfer)

Fabio Pietrosanti (naif) lists at infosecurity.ch
Fri Aug 9 06:42:49 PDT 2013


On 8/9/13 3:29 PM, Joseph Lorenzo Hall wrote:
> On Fri Aug  9 06:55:12 2013, Fabio Pietrosanti (naif) wrote:
>> This is because with OpenFire + Chrome you can also do end-to-end
>> encrypted WebRTC Audio/Video call.
> Firefox nightlies, as far as I'm aware, also provide WebRTC capability 
> these days (based on DTLS-SRTP... they voted down at last week's IETF 
> 87 WebRTC/RTCweb support for SDES (which channels keying material 
> through the signaling server. bad!).)
To be true, I invested 4 weeks of trolling on the IETF WebRTC mailing list
sustaining the need to support "also SDES" in order to provide
interoperability with the existing VoIP world from day 1.

The relevant point was still to have DTLS-SRTP (that's still
inside) in place but to ADD a modular / end-user-verifiable
(appropriate JS API) security fingerprint / security model.

When I unsubscribed from the DTLS-SRTP mailing, the WebRTC standard was
WITH "end-to-end" encryption but WITHOUT end-to-end-authentication
(relying on the server to provide authentication means for user
fingerprint, de-facto allowing MITM).

What is the current status of fingerprint verification of DTLS-SRTP
calls? Does it still rely on the server?

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org
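
The check the message asks about, as an added example (not part of the original post and not code from any WebRTC implementation): the DTLS-SRTP certificate fingerprint travels in the a=fingerprint line of the SDP relayed by the signaling server, so a client can compare it with a value the two users confirmed over a separate channel before accepting the session. The function names, the sample SDP and the fingerprint are constructed for illustration.

```javascript
// Added example: all names and sample values here are constructed.
const PEER_FP = "4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:" +
                "19:E5:7C:AB:3B:8E:1A:55:C3:2F:9D:0E:77:A1:6C:F4";

// Minimal SDP offer as a signaling server would relay it (constructed sample).
function sampleSdp(fp) {
  const lines = ["v=0", "o=- 1 2 IN IP4 127.0.0.1", "s=-", "t=0 0",
                 "m=audio 9 UDP/TLS/RTP/SAVPF 111", "a=setup:actpass"];
  if (fp) lines.push("a=fingerprint:sha-256 " + fp);
  return lines.join("\r\n") + "\r\n";
}

// Collect every a=fingerprint attribute (session- or media-level) in the SDP.
function extractFingerprints(sdp) {
  const re = /^a=fingerprint:(\S+) ((?:[0-9A-Fa-f]{2}:)*[0-9A-Fa-f]{2})\s*$/;
  const found = [];
  for (const line of sdp.split(/\r?\n/)) {
    const m = re.exec(line);
    if (m) found.push({ hash: m[1].toLowerCase(), value: m[2] });
  }
  return found;
}

// Strip separators and case so "4a ad b9..." and "4A:AD:B9..." compare equal.
function normalise(fp) {
  return fp.replace(/[^0-9A-Fa-f]/g, "").toUpperCase();
}

// True only if the SDP carries at least one fingerprint and every one of them
// matches the value the users verified out of band. An SDP with no
// fingerprint, or with a different one (for example, substituted in the
// signaling path), is rejected.
function verifyRemoteFingerprint(sdp, trusted) {
  const found = extractFingerprints(sdp);
  if (found.length === 0) return false;
  const want = normalise(trusted.value);
  return found.every((f) =>
    f.hash === trusted.hash.toLowerCase() && normalise(f.value) === want);
}
```

In a browser the string to check is the remote SDP the application is about to pass to setRemoteDescription; the trusted value has to reach the user by a path the signaling server does not control.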



