WebRTC security and privacy are top of mind. You won’t find any other open standard VoIP protocol as secure as WebRTC.
[In this list of short articles, I’ll be going over some WebRTC related quotes and try to explain them]
Time for a quick security check…
Here are some concepts that are true when it comes to security, privacy and WebRTC:
- Security often requires sacrificing privacy
- Privacy often requires sacrificing security
- WebRTC is an attempt to balance the two, and let the application developers figure out which one their focus is going to be on – without sacrificing either security or privacy more than is needed in the process
But what does that exactly mean?
You remember that WebRTC is only a building block. Right? This means that it can’t offer full privacy or full security, since there’s an application developer on top, who can… well… screw things up.
If your developers don’t think about the security and privacy necessary, then your WebRTC application will look like this:
But if they do think about it (and they should, no matter what they are developing), then you should have security and privacy nailed down properly.
What WebRTC gives you when it comes to security and privacy?
- Encryption at transit
- Traffic is always encrypted between one WebRTC entity and another
- It is up to you to figure out how to maintain it if you need to – for example, using media servers likely means media is available in the clear on the media server
- Short development cycles
- WebRTC has a new version released every month – because that’s the release cadence of Chrome
- It means the client code on the browser can be refreshed and updated frequently, which makes patching up security issues easier on that front
- You will need to figure out how your own release cadence for your native clients and your server infrastructure, especially when it comes to security patches
- Open implementation
- This means people can scrutinize the actual protocol and its implementation
- Over time, this leads to more secure solution, as more eyeballs can review what’s going on
- You can learn more about open vs closed security here
- Shoulder of giants
- Google Chrome, Apple Safari, Microsoft Edge, Mozilla Firefox
- Together they power most of our browsable internet
- They do it at scale, and securely (for the most part)
- All of them integrated WebRTC into their browsers, and they adhere to high security standards
- Would you rather trust a proprietary solution from an unknown/smaller third party instead?
- Modern
- Other VoIP standards are older
- As such, they were conceived and written before our modern era of cloud and smartphones
- This means they adhere to different threat surfaces than what is needed today
Security
Need security?
WebRTC has the mechanisms available for you
- It is encrypted
- Requires signaling to be encrypted
- Enables end-to-end encryption via media servers by using Insertable Streams
Privacy
Need privacy?
WebRTC has the mechanisms available for you here as well:
- It is encrypted
- Can run peer-to-peer, without any media servers touching the media itself
- You can use the data channel to “hide” data from passing through servers altogether (once a connection is established between the peers)
- Your decision on where you install and manage your infrastructure to add to the privacy you offer
⬇️⬇️⬇️
Care about security? WebRTC is your best choice moving forward. But it won’t take the responsibility off your back.
Two pointers for you before you go: