Understanding WebRTC security architecture

Web Real-Time Communications (WebRTC) is the most secure open standard for real-time communications. That said, the level of security gained through its use depends in several ways on the application that is used along with the WebRTC security architecture.

To better understand, let’s break it down into two components: why WebRTC is secure and why it is up to the application to maintain that security.

Why is WebRTC secure?

WebRTC was conceived about 11 years ago. At the time, the web had been around for quite some time, and the smartphone was prevalent and growing rapidly in popularity and adoption across the globe. WebRTC came into that environment with the goal of providing modern communications. Part of the idea was to provide security. As such, it was the only real-time communication protocol at the time that had encrypted communication baked into it. You couldn’t even opt out of its media encryption.

From the beginning, WebRTC was meant to fit into web browsers, which are our windows to the internet and connectivity with people. With billions of users, browser vendors are taking security seriously. Modern browsers are designed to be as secure as possible, with sandboxing technologies, automated upgrades and proactive security patching.

Google is in the lead with the most widely used WebRTC library. The same library is used “as is” inside Chrome and Edge browsers. This means developers everywhere can enjoy this implementation in their own applications.


Where is WebRTC security lacking?

As a technology, WebRTC is secure, but it relies in several ways on the application using it. WebRTC’s reliance on the application comes in the form of signaling. WebRTC has no signaling mechanism of its own, so it uses the web application to send and receive its signaling messages and logic.

In every application, the biggest security threat is found in its weakest link. It doesn’t matter how strong the other links are; they can be unraveled if a threat vector is found somewhere. This means it’s up to web application developers to secure their WebRTC implementations.

The role of the application in securing WebRTC

As we’ve seen, a WebRTC application needs to secure itself. For that to happen, developers need to understand how security is handled in WebRTC and make sure they develop their applications with the same standards in mind. This includes securing the signaling channel and making sure that media servers, TURN servers and application servers are not prone to any threats.

WebRTC goes a long way to show developers what they need to do, but developers need to pay attention.
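
One way a signaling server could vet each message before relaying it, as an added example that is not code from this article or from any WebRTC library. It runs under Node.js; the function name, the session fields and the room map are assumptions, and the sample data is constructed. The fingerprint check matters because the offer and answer carry the DTLS certificate fingerprint that peers use to authenticate the encrypted media path.

```javascript
// Added example (Node.js); names are hypothetical, sample data is constructed.
const ALLOWED_TYPES = new Set(["offer", "answer", "candidate"]);
const MAX_BYTES = 16 * 1024; // constructed limit; size it for your SDP

const deny = (reason) => ({ ok: false, reason });

// session: { userId, secure } as set by the app's own login layer (assumed).
// rooms: Map of room id -> Set of user ids admitted to that room (assumed).
function checkSignal(session, raw, rooms) {
  if (!session || !session.secure) return deny("transport is not wss");
  if (!session.userId) return deny("unauthenticated session");
  if (typeof raw !== "string" || Buffer.byteLength(raw) > MAX_BYTES)
    return deny("oversized or non-text message");

  let msg;
  try { msg = JSON.parse(raw); } catch { return deny("malformed JSON"); }
  if (msg === null || typeof msg !== "object") return deny("malformed JSON");
  if (!ALLOWED_TYPES.has(msg.type)) return deny("unknown message type");

  const members = rooms.get(msg.room);
  if (!members || !members.has(session.userId) || !members.has(msg.to))
    return deny("sender or recipient not in room");

  // Offers and answers carry the DTLS certificate fingerprint the peers use
  // to authenticate the encrypted media path, so it must be present.
  if (msg.type !== "candidate" &&
      !(typeof msg.sdp === "string" &&
        /^a=fingerprint:[\w-]+ [0-9a-f:]+$/im.test(msg.sdp)))
    return deny("SDP has no DTLS fingerprint");

  // Stamp the sender from the session, never from client-supplied fields.
  return { ok: true, relay: { ...msg, from: session.userId } };
}

// Constructed sample data: the client claims to be "mallory" in the body.
const rooms = new Map([["standup", new Set(["alice", "bob"])]]);
const offer = JSON.stringify({
  type: "offer", room: "standup", to: "bob", from: "mallory",
  sdp: "v=0\r\na=fingerprint:sha-256 AB:CD:EF:01\r\n",
});
console.log(checkSignal({ userId: "alice", secure: true }, offer, rooms));
```
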

What should enterprises do to secure their WebRTC communications?

Enterprises need to focus on two things when securing their WebRTC communications:

  1. Pick and choose vendors to work with. As with any other vendor selection process, it boils down to what metrics are used to measure communication vendors and their applicability to the requirements. The requirements need to take security aspects into account and not blindly rely on the vendor using WebRTC for its security.
  2. Be aware that users within the enterprise are likely to use other communication services, some of which use WebRTC. These nonsanctioned services will be used one way or another. Trying to block them is an exercise in futility that only frustrates employees further. Enterprises relying on VPNs to route and control web traffic need to select a VPN that understands WebRTC traffic enough to route it properly and to reconfigure browser policies accordingly. Enable User Datagram Protocol traffic to traverse the VPN and firewall to let WebRTC communications work when needed.
