A lot of applications around video conferencing and online meetings are popping up these days, especially after the COVID-19 pandemic started earlier this year. WebRTC is a technology enabling just that. This article focuses on the security aspects of applications built on the WebRTC platform. Let's dive right in.
WebRTC is a free, open-source project, supported by top industry leaders like Apple, Google, Microsoft, Mozilla and Opera. Its standardization is controlled by the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF). Almost all major browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge and Safari, support WebRTC as of today.
The main idea behind WebRTC is to allow peer-to-peer communication between meeting participants, without the need to send media streams to any proprietary server. This is achieved by two principles: peer discovery using STUN (Session Traversal Utilities for NAT) servers, and transmitting data over UDP instead of TCP connections. Of course, there are situations in which a direct connection between two peers cannot be established; for those cases TURN (Traversal Using Relays around NAT) servers, or simply relay servers, are used.
There are four major components of any WebRTC Application
Since this article is about security, I will focus on that. Security is built into every layer and component of WebRTC and is enforced by every entity implementing the WebRTC specification.
Generally, applications use a WebSocket connection for signaling and any other data exchange between peers. A secure WebSocket connection (wss) is the encrypted version of a regular WebSocket connection (ws), just as https is the secure version of http. Security of the signaling component of a WebRTC application depends on using the wss protocol instead of ws; wss ensures that all signaling stays private.
WebRTC, by default, uses SRTP (Secure Real-time Transport Protocol) to encrypt video and audio streams, and DTLS (Datagram Transport Layer Security) to negotiate the keys. This is a minimum requirement for browsers to implement in order to be compliant. In fact, WebRTC explicitly prohibits the use of unencrypted video and audio streams.
DTLS provides authentication, protection against message tampering and replay attacks, forward secrecy, and many more features beyond encryption alone.
On average, about 10-15% of all connections have to use TURN servers to relay video and audio streams, especially if the application is used worldwide. Since TURN servers handle the streams before relaying them to the other peer, the application is only as secure as its TURN servers. Application owners either deploy their own TURN servers or use IaaS / SaaS TURN server providers like Xirsys. Security in the former case is usually questionable, as there is usually no regulation around custom TURN servers, whereas most commercial TURN server providers implement all the required security protocols because they cater to clients with different levels of security requirements across the globe.
Features like meeting recordings, chat archival, meetings not protected with passwords, etc. raise many additional questions about the security of the stored content.
So what does this mean: are WebRTC applications, virtual meetings and web conferencing applications completely, 100% secure? Certainly not. In fact, nothing out there is 100% secure. All applications in this genre are breakable and susceptible to hacking attacks. Zoom had to deal with a lot of security issues recently and is still dealing with them (Article here). Microsoft Skype and Teams are not immune to this concern either (Article here).
The point is that no application can be one hundred percent secure. Skype, Teams and Zoom are well known, but proprietary, solutions. They do implement security measures, but no one knows what is happening with your data, for example whether it is outsourced for analytics, machine learning, etc.
WebRTC, on the other hand, is open source, managed by the W3C and IETF, and implemented by the best brains in the industry, such as Google, Apple and Microsoft. Security is built into the framework and can be audited openly by anyone around the world.
And the best part is that security fixes reach the application automatically as soon as the browsers ship them, so users can be assured that the application is up to date with fixes for the latest security issues uncovered worldwide.
For more information, read the full WebRTC specification here:- https://www.w3.org/TR/webrtc/
meriMeet is built entirely on the WebRTC platform. Security is built into each component. Below are some of the security features of this platform.
It's free. Feel free to create a meeting and enjoy the immersive in-room experience.
Start here :- Create a Free Meeting