0

I have a question about WebRTC and its security. I have been reading that WebRTC, if using a STUN server, is directed first to the server to get some metadata, and then it is a connection from user to user. TURN is for a connection that is relayed/proxied via the server.

What I am asking is: can WebRTC be intercepted in ANY way?

I am trying to set up the rfc5766-turn-server program on my server, OR I can use coturn or even restund. But my main question is: how do I secure it? Is there an encryption mechanism that can be used, to block for example MITM attacks?

Thank you for the help! Really new to WebRTC.

user282190
    check out [WebRTC and Man in the Middle Attacks](https://webrtchacks.com/webrtc-and-man-in-the-middle-attacks/) – mido Mar 30 '16 at 03:35
  • @mido I'll look into it, thank you :) – user282190 Mar 30 '16 at 11:40
  • @mido in that article the author is compromising the signaling channel which is technically outside of WebRTC. In other words, a very secure WebRTC transmission... to an attacker. – jib Mar 30 '16 at 19:48

1 Answer

4

The certificate fingerprint for the WebRTC media connection is sent to each peer when the call is being established (within the Session Description Protocol payload). If the certificate used to establish the DTLS connection does not match the fingerprint then the WebRTC peer will reject it.

It would be very difficult for a man in the middle attack to work against the WebRTC media channel, i.e. by using a TURN server. The easiest way would be for the attacker to intercept the signalling exchange used to set up the WebRTC call and substitute their own certificate fingerprint and connection addresses. If you are comfortable with the security of your signalling channel then you should be comfortable that your WebRTC call media is as secure as your browser's TLS traffic.

sipsorcery
  • Quick question about the TURN server, wouldn't that mean having an app proxy the traffic through your server? I was looking for something like stun, but with security... I guess it should be possible, but then I leave the users open to MITM attacks, don't I? I was sure WebRTC has built in fingerprinting even if it is a STUN server, am I correct with this? – user282190 Apr 03 '16 at 21:20
  • SRTP is mandatory with WebRTC so ALL media traffic is encrypted between the peers irrespective of whether it goes through a TURN server or not. To put it another way if I wanted to intercept your WebRTC calls I'd focus on compromising your signalling channel so I could insert my own key and certificate. Trying to brute force the encryption on the SRTP packets is going to cost a lot of money and time in compute resources. – sipsorcery Apr 03 '16 at 22:30
  • didn't know that, thank you very much! Takes off a lot of headache and worries :) – user282190 Apr 16 '16 at 18:22
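The check the answer describes (the DTLS certificate must hash to the fingerprint carried in the SDP) and the attack the last comment points at (an attacker who controls signalling substitutes their own fingerprint), worked through as an added example. This is not code from the question, the answer, or any WebRTC stack: the certificate bytes and the SDP offer are constructed stand-ins, `SUPPORTED_HASHES` and all function names are this example's own, and the rule that every fingerprint the verifier can compute must match is a design choice made here.

```python
import hashlib
import hmac

# Constructed stand-ins for the DER-encoded self-signed certificates that each
# WebRTC endpoint generates for DTLS. A real certificate is X.509 DER, but the
# fingerprint is only a hash over those bytes, so any byte string models it.
PEER_A_CERT_DER = b"constructed DER bytes: peer A's DTLS certificate"
ATTACKER_CERT_DER = b"constructed DER bytes: attacker's DTLS certificate"

# SDP hash-function names mapped to hashlib names (assumed set for this example).
SUPPORTED_HASHES = {"sha-1": "sha1", "sha-256": "sha256",
                    "sha-384": "sha384", "sha-512": "sha512"}


def sdp_fingerprint(cert_der: bytes, hash_func: str = "sha-256") -> str:
    """Build the value of an SDP a=fingerprint attribute: the hash-function
    name, a space, then the digest as uppercase hex bytes joined by colons."""
    digest = hashlib.new(SUPPORTED_HASHES[hash_func], cert_der).digest()
    return hash_func + " " + ":".join(f"{b:02X}" for b in digest)


def parse_fingerprints(sdp: str) -> list:
    """Collect every a=fingerprint attribute in an SDP blob (session- or
    media-level) as (hash_func, HEX:HEX:...) tuples."""
    found = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("a=fingerprint:"):
            hash_func, _, hex_part = line[len("a=fingerprint:"):].partition(" ")
            found.append((hash_func.lower(), hex_part.strip().upper()))
    return found


def dtls_cert_matches_sdp(sdp: str, presented_cert_der: bytes) -> bool:
    """The check a WebRTC peer performs after the DTLS handshake: hash the
    certificate the remote side actually presented and compare it with the
    fingerprint(s) signalled in the SDP. This version requires every
    fingerprint with a hash we can compute to match, and at least one to be
    present; a failed check means the DTLS connection is rejected."""
    checked = 0
    for hash_func, expected_hex in parse_fingerprints(sdp):
        if hash_func not in SUPPORTED_HASHES:
            continue  # an unknown hash cannot be verified here; skip it
        actual_hex = sdp_fingerprint(presented_cert_der, hash_func).split(" ", 1)[1]
        if not hmac.compare_digest(actual_hex.encode(), expected_hex.encode()):
            return False
        checked += 1
    return checked > 0


def mitm_rewrite_fingerprint(sdp: str, attacker_cert_der: bytes) -> str:
    """Model a compromised signalling channel: the attacker replaces the
    genuine fingerprint with one for the attacker's own certificate, so the
    victim completes DTLS with the attacker instead of the real peer."""
    out = []
    for raw in sdp.splitlines():
        if raw.startswith("a=fingerprint:"):
            out.append("a=fingerprint:" + sdp_fingerprint(attacker_cert_der))
        else:
            out.append(raw)
    return "\r\n".join(out)


# Constructed offer from peer A, trimmed to the lines that matter here.
SDP_FROM_PEER_A = "\r\n".join([
    "v=0",
    "o=- 1 1 IN IP4 0.0.0.0",
    "s=-",
    "t=0 0",
    "m=audio 9 UDP/TLS/RTP/SAVPF 111",
    "c=IN IP4 0.0.0.0",
    "a=ice-ufrag:abcd",
    "a=ice-pwd:constructedicepassword",
    "a=setup:actpass",
    "a=fingerprint:" + sdp_fingerprint(PEER_A_CERT_DER),
])


if __name__ == "__main__":
    # Honest path: the certificate seen in DTLS is the one that was signalled.
    print("genuine peer:", dtls_cert_matches_sdp(SDP_FROM_PEER_A, PEER_A_CERT_DER))
    # Attacker on the media/TURN path only: the SDP still names peer A's
    # certificate, so the attacker's DTLS certificate is rejected.
    print("attacker on media path:", dtls_cert_matches_sdp(SDP_FROM_PEER_A, ATTACKER_CERT_DER))
    # Attacker who controls signalling: the rewritten SDP vouches for the
    # attacker's certificate and the check passes, as the comment above warns.
    tampered = mitm_rewrite_fingerprint(SDP_FROM_PEER_A, ATTACKER_CERT_DER)
    print("attacker controls signalling:", dtls_cert_matches_sdp(tampered, ATTACKER_CERT_DER))
```

The three runs at the bottom are the whole argument of the thread in miniature: relaying media through a TURN server does not let the relay present its own certificate, because the fingerprint was agreed out of band, but an attacker who can edit the SDP in transit simply makes the fingerprint vouch for their certificate, which is why securing the signalling channel (TLS on the WebSocket or HTTPS endpoint that carries the SDP) is the part that matters.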