WebRTC offers unprecedented capabilities for streaming voice, video, and data directly within the browser. Developers can harness the power of WebRTC’s three APIs - getUserMedia, RTCPeerConnection, and RTCDataChannel - to incorporate real-time communications into their apps. But as with any technology that shares private information, WebRTC has security obligations to protect users from malicious parties. WebRTC security is enacted by standardized encryption methods that have been proven to protect users from unwanted intrusions into their protected information. WebRTC security standards offer superlative safeguards in addition to the revolutionary streaming voice and video features that define the technology.
The Foundation of WebRTC Security
There are scenarios that could potentially compromise user security and privacy when using a real-time communications (RTC) application in the browser. WebRTC has native features built in that address several of these security concerns. Malware may come packaged with plugin downloads, but users of WebRTC applications do not need to download any plugins. The underlying components that allow real-time communications run in the browser’s sandbox and are updated automatically when the browser updates. With WebRTC applications, the end user must grant explicit permission before the browser is allowed access to his/her local devices. Furthermore, when the camera and/or microphone are active, the browser displays an ‘active’ indicator, usually found in the browser tab. WebRTC security measures ensure that media is automatically encrypted.
In order for WebRTC to transmit real-time data (webcam, microphone, text), it must first encrypt this information using the Datagram Transport Layer Security (DTLS) method (defined by RFCs 6347, 5238, 6083, 5764). DTLS is a standardized protocol built into all browsers that support WebRTC. It is designed to prevent eavesdropping and information tampering. The method was modeled on Transport Layer Security (TLS), a protocol that provides encryption based on asymmetric cryptography, data confidentiality, and message authentication. TLS is widely used in web browsers, email, and VoIP platforms to encrypt information.
This means WebRTC traffic is protected by the same standard TLS-based security used elsewhere on the web. WebRTC security offers end-to-end encryption between peers with almost any server arrangement. For instance, a TURN server only handles the transport (UDP) layer of a WebRTC packet. It cannot read or modify the application data layer (the encrypted real-time WebRTC media). In other words, servers do not need to decrypt, and cannot decrypt, the sensitive information peers send to each other in order to route it.
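The DTLS-SRTP negotiation described above is visible in the session descriptions (SDP) that peers exchange over the signaling channel: each media line carries a DTLS-SRTP profile, a certificate fingerprint and a DTLS setup role. The following Node.js snippet is an added example written for this article; it is not OnSIP code. It shows the check a signaling server could run to confirm that a description actually negotiates encrypted media before relaying it, so that a description asking for plain RTP or lacking the fingerprint the media path is authenticated against is rejected. The SDP samples, the fingerprint value and the function names are constructed for the example.

```javascript
// Added example for this article (not OnSIP's code): verify that a session
// description negotiates DTLS-SRTP before a signaling server forwards it.
// Browsers that implement WebRTC always produce these lines; the check lets a
// server reject a hand-crafted description that asks for plain RTP or omits
// the DTLS fingerprint that the media path is authenticated against.

// RTP profiles that carry SRTP keyed by DTLS (RFC 5764).
const SECURE_PROFILES = new Set(['UDP/TLS/RTP/SAVPF', 'UDP/TLS/RTP/SAVP', 'TCP/DTLS/RTP/SAVPF']);
// Digest length in bytes for each hash name permitted in a=fingerprint.
const DIGEST_BYTES = { 'sha-1': 20, 'sha-224': 28, 'sha-256': 32, 'sha-384': 48, 'sha-512': 64 };
const FINGERPRINT_RE = /^a=fingerprint:(sha-1|sha-224|sha-256|sha-384|sha-512) ((?:[0-9A-F]{2}:)*[0-9A-F]{2})$/i;
const SETUP_RE = /^a=setup:(actpass|active|passive)$/;

// Minimal SDP parser: session-level attributes plus one entry per m= section.
function parseSdp(sdp) {
  const session = { attrs: [], media: [] };
  let current = session;
  for (const line of sdp.split(/\r?\n/)) {
    if (line.startsWith('m=')) {
      const [kind, port, proto] = line.slice(2).split(' ');
      current = { kind, port: Number(port), proto, attrs: [] };
      session.media.push(current);
    } else if (line.startsWith('a=')) {
      current.attrs.push(line);
    }
  }
  return session;
}

// Returns { ok, problems }; problems is empty when every active media section
// uses a DTLS-SRTP profile and has a well-formed fingerprint and setup role.
function checkDtlsSrtp(sdp) {
  const { attrs, media } = parseSdp(sdp);
  const problems = [];
  const sessionFp = attrs.find(a => FINGERPRINT_RE.test(a));
  const sessionSetup = attrs.find(a => SETUP_RE.test(a));
  const active = media.filter(m => m.port !== 0); // port 0 marks a rejected m-line
  if (active.length === 0) problems.push('no active media sections');
  active.forEach((m, i) => {
    const where = `m-line ${i} (${m.kind})`;
    if (!SECURE_PROFILES.has(m.proto)) problems.push(`${where}: profile ${m.proto} is not DTLS-SRTP`);
    // A media-level attribute overrides the session-level one.
    const fp = m.attrs.find(a => FINGERPRINT_RE.test(a)) || sessionFp;
    if (!fp) {
      problems.push(`${where}: no a=fingerprint`);
    } else {
      const [, hash, hex] = fp.match(FINGERPRINT_RE);
      const bytes = hex.split(':').length;
      if (bytes !== DIGEST_BYTES[hash.toLowerCase()]) problems.push(`${where}: ${hash} fingerprint has ${bytes} bytes`);
    }
    if (!(m.attrs.find(a => SETUP_RE.test(a)) || sessionSetup)) problems.push(`${where}: no a=setup role`);
  });
  return { ok: problems.length === 0, problems };
}

// Constructed sample fingerprint (32 bytes, the size of a SHA-256 digest);
// it is not the digest of any real certificate.
const FAKE_FP = Array.from({ length: 32 }, (_, i) => (i * 7).toString(16).padStart(2, '0').toUpperCase()).join(':');

// Constructed offer of the shape a WebRTC browser produces: DTLS-SRTP on both m-lines.
const EXAMPLE_GOOD_SDP = [
  'v=0', 'o=- 1 1 IN IP4 127.0.0.1', 's=-', 't=0 0',
  `a=fingerprint:sha-256 ${FAKE_FP}`, 'a=setup:actpass',
  'm=audio 9 UDP/TLS/RTP/SAVPF 111', 'c=IN IP4 0.0.0.0', 'a=rtpmap:111 opus/48000/2',
  'm=video 9 UDP/TLS/RTP/SAVPF 96', 'c=IN IP4 0.0.0.0', 'a=rtpmap:96 VP8/90000',
].join('\r\n');

// Constructed offer asking for plain RTP with no DTLS material at all.
const EXAMPLE_BAD_SDP = [
  'v=0', 'o=- 1 1 IN IP4 127.0.0.1', 's=-', 't=0 0',
  'm=audio 9 RTP/AVP 0', 'c=IN IP4 0.0.0.0', 'a=rtpmap:0 PCMU/8000',
].join('\r\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkDtlsSrtp(EXAMPLE_GOOD_SDP)); // { ok: true, problems: [] }
  console.log(checkDtlsSrtp(EXAMPLE_BAD_SDP));  // ok: false, three problems listed
}
```

The check is deliberately strict about the fingerprint's digest length: a truncated or malformed fingerprint would make the DTLS handshake fail to bind to the signaled certificate, which is exactly the property that keeps a relay such as a TURN server from substituting its own endpoint.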
The signaling layer can be encrypted in addition to the media. The mechanism obviously depends on the signaling layer chosen, but OnSIP uses SIP over Secure WebSockets (wss:// instead of ws://), which uses TLS to encrypt the WebSocket connection. Homegrown signaling layers could use TLS to encrypt their WebSocket or other web traffic similarly.
A signaling layer can provide an authentication and authorization mechanism to determine the identity of the user. For example, we use SIP usernames and passwords to ensure that you are who you say you are before allowing you to place a call. This could also be used to limit who can call you. Passwords aren’t the only option, either; identity frameworks like OAuth, OpenID, or Persona could be used as well.
New Opportunities With WebRTC Security
When coupled with the power of OnSIP, WebRTC security methods offer developers a new way to build massively scalable applications that are widely connective, yet steadfastly secure. OnSIP offers a mature SIP signaling architecture built atop a business VoIP platform that services 30,000 small and medium-sized businesses. Its overarching design of geographically distributed SIP proxies allows developers to connect peers behind NATs and firewalls, bridge compatibility gaps between endpoints, and scale an application, all while allowing WebRTC security standards to function and protect user data every step of the way.