Reputation: 270
I have a question about WebRTC and its security. I have been reading that WebRTC, if using a STUN server, first contacts the server to get some metadata, and then the connection is user to user. And TURN is for a connection that is relayed/proxied via the server.
What I am asking is: can WebRTC be intercepted in ANY way?
I am trying to implement an rfc5766-turn-server program on my server, OR I can use coturn or even restund. But my main question is: how do I secure it? Is there an encryption mechanism that can be used? To block, for example, MITM attacks?
Thank you for the help! Really new to WebRTC.
Upvotes: 0
Views: 2002
Reputation: 30724
The certificate fingerprint for the WebRTC media connection is sent to each peer when the call is being established (within the Session Description Protocol payload). If the certificate used to establish the DTLS connection does not match the fingerprint, then the WebRTC peer will reject it.
It would be very difficult for a man in the middle attack to work against the WebRTC media channel, i.e. by using a TURN server. The easiest way would be for the attacker to intercept the signalling exchange used to set up the WebRTC call and substitute their own certificate fingerprint and connection addresses. If you are comfortable with the security of your signalling channel then you should be comfortable that your WebRTC call media is as secure as your browser's TLS traffic.
Upvotes: 4
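As an added example (not code from the answer or from any WebRTC stack), this is the check the answer describes: the `a=fingerprint` attribute is parsed out of the SDP and compared against the hash of the certificate the remote side presents in the DTLS handshake, failing closed when the fingerprint is missing or uses an unknown hash. The SDP fragment and the certificate byte strings are constructed stand-ins; a real DER-encoded certificate would be passed in the same place.

```python
import hashlib
import hmac
import re
from typing import Optional, Tuple

# SDP hash-function names (RFC 8122) mapped to hashlib names.
SDP_HASH_FUNCS = {"sha-1": "sha1", "sha-224": "sha224", "sha-256": "sha256",
                  "sha-384": "sha384", "sha-512": "sha512"}
FINGERPRINT_RE = re.compile(
    r"^a=fingerprint:(\S+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)\s*$")


def parse_fingerprint(sdp: str) -> Optional[Tuple[str, str]]:
    """Return (hash_func, HEX:HEX:...) from the first a=fingerprint line, else None."""
    for line in sdp.splitlines():
        m = FINGERPRINT_RE.match(line.strip())
        if m:
            return m.group(1).lower(), m.group(2).upper()
    return None


def cert_fingerprint(cert_der: bytes, hash_func: str) -> str:
    """Hash the DER certificate and format it the way SDP carries it."""
    algo = SDP_HASH_FUNCS.get(hash_func)
    if algo is None:
        raise ValueError(f"unsupported fingerprint hash: {hash_func}")
    return ":".join(f"{b:02X}" for b in hashlib.new(algo, cert_der).digest())


def dtls_cert_matches_sdp(sdp: str, presented_cert_der: bytes) -> bool:
    """Accept the DTLS peer only if its certificate hashes to the signalled fingerprint."""
    parsed = parse_fingerprint(sdp)
    if parsed is None:
        return False  # no fingerprint: media cannot be bound to the signalling
    hash_func, expected = parsed
    try:
        actual = cert_fingerprint(presented_cert_der, hash_func)
    except ValueError:
        return False  # unknown hash function: fail closed
    return hmac.compare_digest(actual, expected)


# Constructed stand-ins for DER-encoded certificates (not real certificates).
LEGIT_CERT_DER = b"\x30\x82\x01\x00" + b"legitimate-peer-certificate" * 4
ATTACKER_CERT_DER = b"\x30\x82\x01\x00" + b"substituted-mitm-certificate" * 4

# Constructed SDP answer fragment carrying the legitimate peer's fingerprint.
SAMPLE_SDP = ("v=0\r\n"
              "a=setup:active\r\n"
              "a=fingerprint:sha-256 "
              + cert_fingerprint(LEGIT_CERT_DER, "sha-256") + "\r\n")
```

The second certificate stands for the case the answer warns about: a certificate substituted on the media path without the signalling being altered, which the fingerprint check rejects.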