Other servers, particularly media servers like Selective Forwarding Units (SFUs) that enable multi-party video conference calls or live streaming servers, introduce more difficult risks. While other servers like STUN and TURN are sometimes needed, these never gain access to unencrypted media, and thus don’t present much of a risk. Wowza, for example, has APIs that control WebRTC stream access and duration. WebRTC service providers can prevent this by giving their users authentication mechanisms that restrict entry to authorized users and leverage moderation controls to quickly remove and block bad actors. “Zoom bombing” refers to obtaining video conferencing meeting information in order to join a meeting unauthorized, usually for disruptive purposes. Fortunately, browser and app store safeguards minimize bad providers – but bad users are another problem. Users should be wary of who they are connecting to. WebRTC signaling servers are essentially web application servers and need to be secured like any application. Very significant - media server devices typically decrypt and encrypt media and are potential vulnerability points SFU, MCU, and live streaming servers that forward, mixes, and or save media from clients Minimal – some privacy / usage tracking implications but media is never decrypted Relays client media when a direct connection between peers cannot be established due to firewall or NAT traversal issues Minimal - some privacy / usage tracking implications Response with a client’s public IP address Significant - user credential information needs to be guarded privacy and usage tracking implications (like any internet service) The table below summarizes common WebRTC server types and their high-level security implications.Īuthenticates users, sets up and relays signaling information between clients It is subject to rigorous privacy and security controls when run inside a browser environment, but what about services that don’t use the browser? While WebRTC is primarily designed for browser-to-browser communication, it frequently uses a wide range of infrastructure devices that can complicate its security. WebRTC mandates encryption at the protocol level. WebRTC Security Vulnerabilities and Considerations As we’ll explore in the next section, this introduces some additional security concerns. Many people end up using this so-called serverless technology with a range of servers to facilitate communication and scalability. However, this is not typically a scalable solution. Technically, these and the browser upon which you are accessing the WebRTC application are all you need for a successful stream. It’s responsible for transferring text and other alternative types of data across the connection established by RTCPeerConnection. This API handles non audio/visual forms of data. It’s also responsible for encoding the media and sending it across the established connection using the UDP.įinally, there’s the RTCDataChannel API. RTCPeerConnection is a WebRTC specific API that uses the session description protocol (SDP) to establish a connection between peers. WebRTC happily utilizes it as part of its underlying technology. Once upon a time, this was accomplished using third party plugins like Flash, but HTML5 changed the game with the introduction of this API. It gets the user’s media from their webcam and microphone. The getUserMedia API does pretty much exactly what it sounds like. It’s a collection of technologies, including three JavaScript APIs which work together to establish and maintain connections between peers and transport media across those connections. People will frequently refer to the “WebRTC protocol”, but as we mentioned above, WebRTC is not strictly a protocol. This connections protocol stands in contrast to its counterpart, Transmission Control Protocol (TCP), in that it prioritizes speed over reliability.This combined with the open-source nature of WebRTC tends to reinforce the misconception that WebRTC is a vulnerable technology, but this couldn’t be further from the truth.īefore we dig into WebRTC security vulnerabilities and how it addresses them, let’s explore how WebRTC creates and maintains connections for the transport of media. Among these is the User Datagram Protocol (UDP). It is a collection of streaming technologies, including protocols, standards, and three JavaScript APIs. WebRTC Security Vulnerabilities and Considerations.
0 kommentar(er)
