From secure real-time protocol (SRTP) to secure signaling, learn how WebRTC encryption provides added security.
By Brian Segal
The open source nature of WebRTC is a common reason for concern about security and WebRTC leaks. However, end-to-end WebRTC encryption is totally possible. In fact, there are multiple layers of WebRTC security.
But WebRTC encryption is mandatory because real-time communication requires that WebRTC connections are established a bit differently than internet communication connections.
→ Telnyx WebRTC allows you to communicate on a private, global network. Find out more by talking to our team.
The most well-documented WebRTC vulnerabilities are sometimes also called “WebRTC leaks.” WebRTC vulnerabilities aren’t a result of anything being broken in the software. They’re simply a product of the way WebRTC establishes connections.
Usually, when your computer or phone sends and receives data through an internet connection, all that data goes through a single connection, which can be secured by your VPN and other security software.
However, when your computer establishes a connection using WebRTC, it creates a proprietary, peer to peer pathway. When this peer to peer connection is created, both devices agree to bypass certain security measures like firewalls and network access translation (NAT) devices to get the most direct connection path possible. This can bypass your standard security measures, which creates a potentially unsecured connection.
The problem of WebRTC vulnerabilities is a tricky one to solve, since this direct peer to peer connection is necessary for high performance real-time communication. There are ways to secure your browser to prevent VPN leaks when using browser-based WebRTC apps.
However, WebRTC leaks are actually a separate issue from WebRTC encryption. WebRTC leaks allow other computers to see your true IP address, device information, and other data that is usually hidden by your web browser.
WebRTC encryption is a matter of protecting the data that you send through WebRTC based connections, regardless of whether or not that connection is established through your browser. This is important because not all WebRTC apps are browser-based. And real-time communication requires a two-way data stream.
So you need encryption that protects information from end-to-end. A security system that protects you from incoming attacks won’t be enough to keep data safe as it travels to another device.
In short, yes, WebRTC is secure. Secure Real Time Protocol (SRTP) encryption and other security standards are mandated for all WebRTC sessions. And creating unencrypted WebRTC connections is forbidden by the Internet Engineering Task Force (IETF) standards.
The long answer is that WebRTC is secure for end users, but more complicated for developers. Even if a WebRTC connection bypasses the end user’s VPN, firewall, or NAT, the data is still encrypted by the WebRTC protocol layer encryption.
For developers, this means that WebRTC can be secured. But it adds a compliance consideration, since even unintentionally creating unencrypted WebRTC sessions is a violation of the IETF standards.
WebRTC security consists of three mandatory WebRTC encryption specifications: Secure Real Time Protocol (SRTP), secure encryption key exchange, and secure signaling. These protocols encrypt the data sent through WebRTC, protect the encryption keys, and secure the web server connection. All of these encryption specifications are required for every WebRTC session.
Together, these three specifications form the protocol layer security for WebRTC communication.
SRTP encrypts any data sent through the real time communication channel. This protects WebRTC sessions from man-in-the-middle attacks. The secure encryption key exchange protocol is DTLS-SRTP, which requires the encryption keys to be transmitted directly from peer to peer on the media plane. Other encryption key exchange protocols are explicitly forbidden in WebRTC communications because other exchange protocols are not secure enough.
WebRTC encryption is designed to protect WebRTC sessions, even when the connection bypasses other security protocols.
As we’ve already mentioned, WebRTC encryption is a big deal because WebRTC sessions often can’t be secured by your standard security system. So WebRTC connections must be encrypted independent of other security measures.
WebRTC encryption is also a matter of meeting WebRTC communication standards. The IETF understands the unique security challenges posed by WebRTC. That’s why the three protocol layer security specifications are mandatory.
So WebRTC encryption is necessary from both a security and compliance standpoint. However, the protocol layer encryption isn’t the only part of WebRTC security.
There are potentially three layers of security in WebRTC. WebRTC developers have control over the protocol layer security, since that’s controlled through WebRTC itself.
However, the web browser and operating system also have security systems that help protect WebRTC connections.
The three mandatory specifications we covered earlier work together like this:
SRTP encrypts the audio, video, and other data sent through the WebRTC session. If a bad actor gains access to this data while it’s in transit, they won’t be able to decrypt it or read it without the decryption key.
The DTLS-SRTP secure encryption key exchange enables all the devices communicating via WebRTC to securely exchange the session decryption key, so that the audio, video, and other data can be decrypted and viewed by the people on each end of the call. DTLS-SRTP has its own security measures in place to protect the decryption key and make it more difficult for bad actors to intercept both the decryption keys and the data being transmitted through the WebRTC session.
Even though WebRTC is a peer to peer communication service, most WebRTC communication requires connecting to a web server that manages the connection between all the devices connected to the WebRTC session. This server doesn’t handle much—if any—of the audio or video data. The server simply sends signals that enable devices in a WebRTC session to find each other on the internet and negotiate a connection. The signaling server also opens and closes WebRTC connections when calls begin and end.
The connection to the signaling server is protected with HTTPS, which is considered secure enough for online banking and government websites.
That’s how WebRTC sessions are encrypted at the protocol layer, independent of which browser or operating system you use. These encryption specifications protect all aspects of WebRTC communication, even if the connection is established outside of your other security measures.
Web browser security is a separate topic from WebRTC encryption. However, many WebRTC apps work in a browser. So browser security plays a role in WebRT security.
Just like WebRTC, web browsers are also required to meet security standards. Browser security standards are established by the W3C and supporting internet security specifications. As such, browsers have rather stringent security and privacy protocols.
Websites must be accessed through an HTTP or HTTPS secured connection. Users must grant explicit permission for websites to access hardware like the camera and microphone. Device information is protected. And browsers are not allowed to share IP address information without the user’s permission.
Your browser security may not secure the WebRTC connection itself. But your browser helps secure the supporting connections.
Desktop and mobile operating systems also have built-in controls that help protect end users. Most operating systems have similar security protocols as web browsers.
However, mobile operating systems require apps to be installed through the app store. The app submission process acts as an additional layer of security, since apps must be evaluated and approved before they are made available to the public. This helps protect users from malicious and poorly designed software.
WebRTC is an open-source tool. To many people, this appears to be a security issue, since the WebRTC source code is available to the public. This means anyone can write a WebRTC app, including bad actors.
However, the open source nature of WebRTC is actually a security benefit. Since the code is available to everyone, there are thousands—maybe millions—of professionals constantly testing and improving all aspects of WebRTC, including security. So bugs and security flaws are discovered and corrected much faster than they would be if only a small team had access to the WebRTC code.
Consequently, WebRTC evolves very rapidly. WebRTC security issues are corrected very quickly. And poorly developed WebRTC apps get ample feedback to improve their design.
Even though it might be a bit counterintuitive, keeping WebRTC open source makes it more secure in the long run than most proprietary technologies.
Ultimately, WebRTC encryption is absolutely necessary for secure WebRTC communication. However, if you follow the WebRTC encryption standards, you can create WebRTC connections that are secure enough for any type of real-time communication.
Contact our team of experts to learn more about how Telnyx keeps your communications secure.
Related articles