Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TURN Server should require same MessageIntegrity used for creation+access of allocation #120

Open
Sean-Der opened this issue Jan 22, 2020 · 0 comments
Open

TURN Server should require same MessageIntegrity used for creation+access of allocation #120

Sean-Der opened this issue Jan 22, 2020 · 0 comments

Comments

@Sean-Der
Copy link
Member

We should store the MessageIntegrity used to create the allocation, and then assert that it hasn't changed across requests

  All requests after the initial Allocate must use the same username as
   that used to create the allocation, to prevent attackers from
   hijacking the client's allocation.  Specifically, if the server
   requires the use of the long-term credential mechanism, and if a non-
   Allocate request passes authentication under this mechanism, and if
   the 5-tuple identifies an existing allocation, but the request does
   not use the same username as used to create the allocation, then the
   request MUST be rejected with a 441 (Wrong Credentials) error.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Sean-Der