Arranged. The good news is that WebRTC is very secure. The bad news is that no system is without flaws and WebRTC security is complicated. In this post, I will discuss how WebRTC approaches security, identify some known weak areas, and discuss how WebRTC is continuing to improve its security. Visual studio code browser.
Multiple Security Approaches
WebRTC is a complex, layered protocol that exists in a complex layered ecosystem of application code, browsers, native devices, and infrastructure elements. WebRTC approaches security from several different angles. First, it is secured at the protocol level. Second, using the browser as a reference, it requires a protected and private execution environment. Third, it follows best security practices by engaging its community of developers.
As of 2019, this demo is now 100% Plugin-free!! No Chrome extension! No Firefox addon! Share screen from Chrome, Firefox or Edge.
Disabling WebRTC in Mozilla Firefox. Go to the URL bar, type about:config and press enter. Firefox will display a warning message. Click on I accept.
WebRTC Control is a simple multi-browser (Firefox, Chrome and Opera) extension to enable users have full control over WebRTC Leak. Toolbar button serves as a toggle button to quickly turn the addon ON of OFF. Once the Addon is active, it prevents your ip from leaking by WebRTC detection. Statutory is a free browser add-on for the Firefox web browser that puts you in control. Instead of disabling WebRTC outright, it displays notifications on pages where it is being used. You may accept or deny the request then and there depending on whether the request was initiated by you or by the site.
Unlike other VoIP and video conferencing technologies, encryption is mandated in WebRTC. To send video, voice, or data between two peers in WebRTC, the information must be encrypted with Secure Real Time Protocol (SRTP). SRTP encrypts the session, so no one can decode the message without the proper encryption keys. In fact, the unencrypted version of RTP is explicitly forbidden by the IETF specifications that define WebRTC.
Mandatory Secure Encryption Key Exchange
In addition, the WebRTC specifications mandate secure setup of the encryption channel to make it difficult to obtain the encryption keys. Locking your house doesn’t do much good if it is easy to find the key under your doormat. Many key exchange mechanisms such as SDES, MIKEY, and ZRTP may be used to set up this encrypted channel. Systems like SDES and MIKEY leverage the signaling channel to transmit this key data. This means if the signaling channel is compromised, the data could be unencrypted by a third party. To prevent this possibility, the WebRTC specifications mandate the use of DTLS-SRTP where keys are exchanged directly between peers on the media plane. Despite the fact that SDES is still widely used in many VoIP systems, it is specifically barred from use in WebRTC because it is not secure enough.
Secure Signaling
Lastly, WebRTC requires a secure connection between the web server that handles signaling and the peer client. This helps to keep the information in that signaling channel secure and makes it more difficult for an attacker to act as a man-in-the-middle and quietly take over the session. Signaling is secured using the HTTPS protocol — the same one most websites now use.
WebRTC security points in a peer-to-peer architecture providing end-to-end encryption
In live streaming environments, the server acts as both a signaling server and WebRTC media peer, but the same secure interfaces are used.
Webrtc Firefox Addon
WebRTC security points in a live streaming architecture like Wowza Streaming Engine
WebRTC Is Secured by the Browser
WebRTC is further secured by operating in a browser sandbox. Web browsers are the most commonly used applications and have developed sophisticated security and privacy features. These features help to isolate web applications, keep sensitive user information like credit cards secure, and project hijacking of the browser to launch attacks.
Browser Security and Privacy Protections
Browser vendors are subject to strict security standards as defined by the W3C and underlying Internet specifications, like those for the WebRTC protocol. This is one top of security mechanisms at the Operating System level like limiting which applications can use the camera. Competition among major browsers like Chrome, Firefox, Edge, and Safari among others has also made them very sensitive to their users security and privacy needs in general, and particularly for WebRTC. Specific examples of WebRTC security and privacy controls include:
HTTPS: Use of HTTPS is required to access WebRTC features (with some small exceptions for development)
Media access permissions: Users must explicitly grant permissions to individual sites before accessing camera, microphone, or screen sharing video
Visual usage indicators: Prominent indicators must show when your camera, microphone, and screen sharing is being used.
Anonymizing device information: Device information remains hidden until the user has given some permissions for the site.
IP leakage protections: Limitations and options on sharing IP address information help avoid privacy and tracking issues.
Implementation of these features does vary, but most are similar across major browsers.
Mobile OSs Have Similar Controls
Many native mobile applications also incorporate an embedded browser framework to utilize some or all of these features. Even if not using an embedded browser, major mobile operating systems like Android and iOS implement similar controls and have additional security and privacy checks through their app store submission procedures.
WebRTC Is Secured by the Community
There are 2 main philosophies to security:
Security by obscurity: Keep the mechanisms of your system secret to make it harder to discover and compromise.
Security by design: Make the mechanisms of your system open, invite others to try to break in, and improve the design through feedback.
Security researchers and organizations generally do not condone the first philosophy. For example, the National Institute of Standards and Technology (NIST)says “System security should not depend on the secrecy of the implementation or its components.” It is well known that secrecy never lasts forever, especially in the face of motivated adversaries.
WebRTC subscribes to security by design philosophy. Communications across browsers and devices over the Internet requires open standards, so WebRTC has little choice at the protocol level. However, for security by design to work, it needs to have broad scrutiny. The browsers that run WebRTC are all open source (e.g., WebKit for Safari, Chromium for Chrome & Edge, Gecko for Firefox, etc.) and thoroughly tested. The core WebRTC project is also open source and accompanied by dozens of different implementations actively supported by thousands of developers who are constantly reviewing and improving WebRTC in all aspects, including security.
Security Depends on the Service
WebRTC mandates encryption at the protocol level. It is subject to rigorous privacy and security controls when run inside a browser environment, but what about services that don’t use the browser? While WebRTC is primarily designed for browser-to-browser communication, many different infrastructure devices are commonly used in WebRTC services.
The table below summarizes common types of WebRTC server infrastructure and high-level security implications:
Inherent Internet Security Issues
Signaling services are essentially web application servers and need to be secured like any application. Users should be weary of who they are connecting too. Fortunately, browser and app store safeguards minimize bad providers – but bad users are another problem. “Zoom bombing” is an example where someone obtains video conferencing meeting information to join and disrupt the meeting. WebRTC service providers can prevent this by giving their users authentication mechanisms that restrict entry to authorized users and leverage moderation controls to remove and block bad actors quickly. For example, Wowza has APIs that control WebRTC stream access and duration.
Media Server Risks
While other servers like STUN and TURN are sometimes needed, these never gain access to unencrypted media, and thus don’t present much of a risk. Other servers, particularly media servers like Selective Forwarding Units (SFUs) that enable multi-party video conference calls or live streaming servers, introduce more difficult risks. These servers decrypt the media before restransmitting it with new encryption keys. Oftentimes this decryption cannot be avoided. If the media server needs to manipulate the media then it must perform decryption to access that media. For example, in live streaming networks, the media server needs to decrypt the media to resize, recompose, and convert the format for use by a Content Delivery Network (CDN).
If these servers are compromised, then the user media streams could be at risk. It is important that media server operators follow best security practices when deploying their infrastructure and managing people to prevent unauthorized access. Much like browsers do for end users, these servers should avoid unintentional caching of sensitive unencrypted data. Sensitive information should never be at rest where an attacker could access it. The servers should also isolate the media streams internally from from other processes that could nefariously access it.
The level of security will also need to vary based on the application. For example, recordings may be needed for archiving and intentional redistribution. In that case the stream will certainly need to be saved to disk and made available, but that should be done in a controller, secure manner.
Is WebRTC Secure Enough?
No software system is perfectly secure, and WebRTC is no exception. For example, a Google Project Zero security researcher recently published a major exploit that worked on 7 out 14 of the most popular Android WebRTC applications. One one hand, it is very bad that such a serious issue could have made its way into applications used on billions of devices. On the other hand, the fact that there is deep security vulnerability research done in the public domain and that all but one of these applications rapidly fixed their issues is encouraging.
Like most software, there are a few general rules WebRTC developers can follow to minimize their attack surface for vulnerabilities:
Keep core WebRTC libraries up to date. Old code generally has more vulnerabilities.
Pay attention to bugs and security notices. Major WebRTC projects and browsers are generally very proactive in their notifications (if you know where to look).
Turn off pieces of code you don’t use. WebRTC is a large and comprehensive system that many apps only need a part off; minimize the attack surface.
Test and conduct RTC-specific security research. If you don’t find your issues, someone else will eventually.
Secure your infrastructure – WebRTC may be secure, but if your web or media servers are insecure it could compromise the system. For example, features like Wowza’s publication authentication features to limit the attack opportunity for stream hijacking.
WebRTC is used every day by billions of people. Its security is certainly not perfect, but it provides the most secure approach by mandating security at a low level, working with an established security sandbox in many cases (the browser), and encouraging review by a large and very active community.
Additional Resources:
About Chad Hart
Highlights
Firefox 49 was released and release notes can be found here. In this post we are covering 3 main topics from the release note.
Better support for specs and synchronization with Chrome – This comes to close gaps Firefox had with the specs themselves and the implementation in Chrome. There are several sub-items to this one
Improved bandwidth management – This topic includes a groups of SDP related items that allow for unidirectional media and better bandwidth handling
NAT traversal tests – This item is about a SW NAT server developed by the Mozilla team to allow for testing NAT traversal in different NAT topologies
Impact on my application
Has immediate impact on those supporting Firefox in their application.
Implementation status
Firefox 48 is the current stable version so version 49 will become a stable release in the coming weeks.
Details
Better support for specs and synchronization with Chrome
Several bugs reported for Firefox were related to non-compliance with the standards. These are now fixed. The getUserMedia Specs are considered final, so fixing these issues is very good news for all apps out there. The webrtc specs (add stream, add track, ….) are less advanced (in the standardization process) but quite stable nowadays, and this is a good step forward as well.
Most of the APIs changes in Firefox 49 represent changes from the original PeerConnection API to the object model API. Media Streams lose some of their importance, becoming mainly containers, and tracks become the main objects, with corresponding APIs to manipulate them.
Of course, adapter.js is updated accordingly by the Firefox team and is still the recommended way to support WebRTC APIs while the specs are not final.
Here is the list of bugs fixed:
Added support for MediaStream.getTrackById(). (See bug 1208390.) You cannot query a track by it’s ID directly, as per the specifications. Tracks become their own objects, mostly separated from mediastreams.
getUserMedia(cam+mic) is now all-or-nothing. The MediaCapture and Streams spec [1] says that sites requesting both camera and microphone at the same time, must get both or nothing (in the form of an error). (See bug 802326.) – Implementation has now changed to conform with this so in case of failure getting either mic or camera an error will be returned and both media sources will not be received by application.
Aligned with spec: Fixed issue where ontrack and onaddstream fired too late. (See bug 998546.) – The onAddStream event is supposed to be fired almost as soon as the remote Description was set, independently of the number of tracks, and independently of the negotiation being over or not. However, early implementation in firefox would wait for all the track information being available before they fire this event. In most cases, it would result in a much longer delay than necessary before the event gets fired. In some very unfortunate cases (where the stream has no track), a stream would be created but the event would never be fired! This version of firefox fixes that.
Allow any MediaStream to be passed to RTCPeerConnection.addTrack. (See bug 1271669.) – In earlier versions of firefox, medistream was a full object that would own addTrack allows now to be passed in a MediaStream which does not own the track. The MediaStream is mainly used as an identifier / accessor.
Improved bandwidth management
Webrtc Control Firefox Extension
The SDP specs include a lot of features that are not mandatory with WebRTC but can be useful. Some of them have been included in Firefox 49.
a=inactive allow to negotiate unidirectional media (I’m sending you my video, but I’m not expecting you to send me yours).
b=TIAS is one of the SDP lines that allow bandwidth handling, but with a different granularity than the already supported b=AS.TIAS is for setting bandwidth limitation by controlling only the maximum size of payload (media itself) that is being sent in a packet. b=AS on the other hand includes all that goes on the wire including transport overhead. Note that: 1. While Chrome supports usage of b=AS in the SDP, internally it computes TIAS metric. 2. The WebRTC specs point to TIAS and not AS.
REMB and TMMBR are two feedback mechanisms of RTP send media used for bandwidth congestion control, including the speed of ramping up bandwidth consumption at the beginning of a call (how fast it increases bandwidth consumption until congestion occurs). While enabling them can lead to slower set up of a call in full resolution, enabling this provides better stability all together.
REMB is a proposed standard by Google, and has been included in Chrome, and the WebRTC stack, for some time now. Firefox 49 decided to go for the more established and standardized TMMBR. However, while implementing, they realized that adding REMB support was a compilation flag away (since Firefox use parts of the same WebRTC stack as Chrome). Those mechanisms have been both added, and are turned on automatically.
Here is the list from the Firefox release notes:
Properly handle a=inactive in the remote SDP during renegotiation. (See bug 1213773.)
Implement receiving ‘b=TIAS’ on media description to restrict sending bandwidth. (See bug 1276368.)
REMB is now enabled by default. (See bug 1155435.)
Enabled TMMBR support by default. (See bug 1270230.)
Firefox Webrtc Internals
NAT traversal tests
Firefox Webrtc Disable
The Mozilla team has developed a full software NAT server (in python) to test ICE against. While not as versatile as the NTT approach [slides here], it allows for testing of many if not all NAT configurations without setting up virtual networks.
Webrtc Control Firefox
Mentioning in the Firefox release notes:
Webrtc Control Firefox Browser
Automated tests now include NAT simulation and TURN server mochitests. (See bug 1231975 and bug 1231981.)