[liberationtech] Encrypted Pastebins: Attack Vectors against ezcrypt.it and 0bin.net

ShootAKite at riseup.net
Tue Jan 21 19:56:29 PST 2014


Hi Lucas, I tried to set up a secure WebRTC server about one month ago
using Kamailio with Mediaproxy-ng to bridge text, audio, and video
with appropriate ciphers which provided random public keys per session.
The main security problem I found was with WebRTC's reliance on PKI to
secure the media stream and SIP signaling. The second problem is that WebRTC
clients do not authenticate users (all authentication responsibility was
delegated to my server). I think the fix for both of these problems
would be to add ZRTP support to Chrome and/or Firefox and secure the
media stream without PKI.
A
https://github.com/wernerd/ZRTPCPP




and can intercept audio from the WebRTC client (Chrome or Firefox) and
the SIP Server.
On 01/21/2014 08:01 PM, Lucas Dixon wrote:
> On Sun, Jan 19, 2014 at 7:23 AM, carlo von lynX
> <lynX at time.to.get.psyced.org> wrote:
>
>
>     > The highest level of "this feature" would be if this "Mock JS"
>     could have
>     > full WebRTC functionality ;)
>
>     Dunno, WebRTC is so prone to MITM.
>     I'd rather have something secure.
>
>
> What kind of MITM attack are you thinking of? WebRTC doesn't specify a
> key authentication protocol, so I'm not sure WebRTC is anything specific
> enough to say it is not secure. WebRTC is compatible with ZRTP
> key-authentication, which builds in a video-based auth scheme and
> should stop MITM attacks (last time I checked). You could also use
> some other form of key-auth with WebRTC, e.g. swap key-hashes in person.
>
> -- 
> Lucas Dixon | Google Ideas
>
>
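The two points argued above (ShootAKite: the media keys should not depend on PKI; Lucas: a ZRTP-style short authentication string compared over the established call defeats a relay in the middle) can be shown in a small model. The code below is an added example, not code from either poster or from any WebRTC or ZRTP implementation. It assumes a toy 127-bit Mersenne-prime Diffie-Hellman group (chosen for brevity, not an RFC 3526 MODP group) and derives the SAS as the top 20 bits of SHA-256 over the shared secret, which is a simplification of the RFC 6189 key derivation; the function names `honest_call`, `relayed_call` and `sas_matches` are the example's own.

```python
"""Toy model of a ZRTP-style short authentication string (SAS).

Two peers run an unauthenticated Diffie-Hellman exchange, as WebRTC's
DTLS-SRTP keying does when nothing pins the peer's certificate. A relay
that substitutes its own public value ends up holding two different
shared secrets, one with each side. A short string derived from each
side's secret and read aloud over the resulting audio/video channel lets
the two humans notice that their secrets differ.

Simplifications (assumed for the demo, not ZRTP's real construction):
  * the group is the 127-bit Mersenne prime 2**127 - 1 with generator 3,
    NOT a standard MODP group; do not reuse these parameters;
  * the SAS is the leftmost 20 bits of SHA-256(shared secret), encoded
    with the z-base-32 alphabet RFC 6189 uses for its base32 SAS type,
    rather than ZRTP's full KDF over the whole handshake transcript.
"""
import hashlib
import random

P = 2**127 - 1          # toy prime, constructed for the demo only
G = 3
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def dh_keypair(rng):
    """Return (private, public) for one participant, using the given RNG."""
    priv = rng.randrange(2, P - 1)
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Shared secret from our private exponent and the peer's public value."""
    return pow(peer_pub, priv, P)


def sas_from_secret(secret):
    """Four z-base-32 characters from the top 20 bits of SHA-256(secret)."""
    digest = hashlib.sha256(secret.to_bytes(16, "big")).digest()
    bits = int.from_bytes(digest[:4], "big") >> 12        # leftmost 20 bits
    return "".join(ZBASE32[(bits >> shift) & 31] for shift in (15, 10, 5, 0))


def honest_call(seed=1):
    """Alice and Bob exchange public values directly; both SAS values agree."""
    rng = random.Random(seed)                 # seeded so the run is repeatable
    a_priv, a_pub = dh_keypair(rng)
    b_priv, b_pub = dh_keypair(rng)
    return (sas_from_secret(dh_shared(a_priv, b_pub)),
            sas_from_secret(dh_shared(b_priv, a_pub)))


def relayed_call(seed=1):
    """A relay (Mallory) replaces each public value with her own in transit.

    Alice ends up sharing a secret with Mallory, Bob shares a different
    secret with Mallory, so the SAS each side displays differs.
    """
    rng = random.Random(seed)
    a_priv, _a_pub = dh_keypair(rng)
    b_priv, _b_pub = dh_keypair(rng)
    _m_priv, m_pub = dh_keypair(rng)
    alice_secret = dh_shared(a_priv, m_pub)   # Alice got m_pub, not Bob's
    bob_secret = dh_shared(b_priv, m_pub)     # Bob got m_pub, not Alice's
    return sas_from_secret(alice_secret), sas_from_secret(bob_secret)


def sas_matches(shown, spoken):
    """What the app displays locally versus what the peer reads aloud."""
    return shown == spoken


if __name__ == "__main__":
    print("direct call  :", honest_call(), "match:", sas_matches(*honest_call()))
    print("relayed call :", relayed_call(), "match:", sas_matches(*relayed_call()))
```

The check works without any certificate authority because the comparison happens over the channel the attacker would have to be inside of: a relay can forward the two streams, but it cannot make Alice's display agree with what Bob says unless it also alters the audio/video in real time. That is the property the thread attributes to ZRTP's SAS; a 20-bit string limits a lucky collision to about one in a million per call. Key-hash exchange in person, as Lucas also mentions, is the same idea with a longer value compared once instead of per call.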



