WebRTC Security

Written by OnSIP

An overview of WebRTC security and opportunities for new applications.

VoIP Resources VoIP Fundamentals WebRTC Essentials

WebRTC offers unprecedented capabilities for streaming voice, video, and data directly within the browser. Developers can harness the power of WebRTC’s three APIs - getUserMedia, RTCPeerConnection, and RTCDataChannel - to incorporate real-time communications into their apps. But as with any technology that shares private information, WebRTC has security obligations to protect users from malicious parties. WebRTC security is enacted by standardized encryption methods that have been proven to protect users from unwanted intrusions into their protected information. WebRTC security standards offer superlative safeguards in addition to the revolutionary streaming voice and video features that define the technology.

The Foundation of WebRTC Security

There are scenarios that could potentially compromise user security and privacy when using a real-time communications (RTC) application in the browser. WebRTC has native features built in that address several of these security concerns. Malware may come packaged with plugin downloads, but users of WebRTC applications do not need to download any plugins. The underlying components that allow real time communications run in the browser’s sandbox, and are updated automatically when the browser updates. With WebRTC applications, the end user must grant explicit permission before the browser is allowed access to his/her local devices. Furthermore, when the camera and/or microphone are active, the browser will display an ‘active’ indicator, usually found in the browser tab. WebRTC security measures ensure that media is automatically encrypted.

In order for WebRTC to transmit real-time data (webcam, microphone, text), it must first encrypt this information using the Datagram Transport Layer Security (DTLS) method (defined by RFCs 6347, 5238, 6083, 5764). DTLS is a standardized protocol built into all browsers that support WebRTC. It is a protocol designed to prevent eavesdropping and information tampering. The method was modeled on Transport Layer Security (TLS), a protocol that offers full encryption with asymmetric cryptography methods, data confidentiality, and message authentication. It is consistently used in web browsers, email, and VoIP platforms to encrypt information.

This ensures that WebRTC data can be secured via any standard SSL based connection on the web. WebRTC security offers end-to-end encryption between peers with almost any server arrangement. For instance, a TURN server will only parse the UDP layer of a WebRTC packet. It cannot understand or modify the application data layer (the real-time WebRTC data). In other words, servers will not decode the sensitive information peers send to each other in order to route it.

The signaling layer can be encrypted in addition to the media. The mechanism obviously depends on the signaling layer chosen, but OnSIP uses SIP over Secure WebSockets (wss:// instead of ws://), which uses TLS to encrypt the WebSocket connection. Homegrown signaling layers could use TLS to encrypt their WebSocket or other web traffic similarly.

A signaling layer can provide an authentication and authorization mechanism to determine the identity of the user. For example, we use SIP usernames and passwords to ensure that you are who you say you are before allowing you to place a call. This could also be used to limit who can call you. Passwords aren’t the only option, either; identity frameworks like OAuth, OpenID, or Persona could be used as well.

New Opportunities With WebRTC Security

WebRTC’s powerful APIs give developers the chance to build real-time communications applications without requiring any plugins or downloads to run. The capabilities for streaming voice and video, along with the powerful encryption methods of DTLS, are all built into Chrome, Firefox, and Opera browsers from the start. The prospect of building Skype-like applications with JavaScript commands built into Chrome, Firefox, and Opera gives developers a chance to connect users like never before. At the same time, the proliferation of streaming video and voice presents new considerations in the realm of security. WebRTC security bypasses this issue by offering developers the chance for end-to-end encryption in their applications. Developers can assure their users that WebRTC security methods are capable of keeping their information safe, private, and secure.

When coupled with the power of OnSIP, WebRTC security methods offer developers a new way to build massively scalable applications that are widely connective, yet steadfastly secure. OnSIP offers a mature SIP signaling architecture built atop a business VoIP platform that services 30,000 small and medium sized businesses. Its overarching design of geographically distributed SIP proxies allow developers to connect peers behind NATs and firewalls, bridge compatibility gaps between endpoints, and scale an application, all while allowing WebRTC security standards to function and protect user data every step of the way.