March 20, 2019

What you Need to Know About WebRTC Security

By Greg Batenburg


It takes trust to place your confidential business information and sensitive conversations into the care of a video conferencing technology, especially when you hear about security breaches in the news nearly every day.

The recent group FaceTime bug is an example of how video conferences can become compromised. Although in that case the FaceTime group calling feature was disabled and a fix was quickly released, it does raise questions about video conferencing security.

With video conferencing being a valuable and important part of doing business, it is vital for organizations to choose a secure video solution. When it comes to communications security, Web Real-Time Communication (WebRTC) is one of the best live video streaming options out there. Let’s explore how this technology was architected so that you can be confident that your conversations and information are kept safe.

 

Browser Protection

WebRTC allows users to set up video connections directly between browsers and devices without the use of plug-ins. The protection provided by the browser is an important differentiator from other video conferencing technology. Browsers help to add security protection in a number of ways:

No more Plug-Ins

Without WebRTC, a plug-in must always be installed on the client's computer or device before starting a video conference. This adds a level of risk to the video conference for a couple of reasons. First, nefarious actors are able to create malicious plug-ins that are designed to put you at risk. While some of these can be easy to spot, others are disguised to look like their reputable counterparts. Second, even reputable plug-ins that serve a legitimate (and useful) purpose can have vulnerabilities that could be exploited by a third party. WebRTC is inherently safer because it does not use plug-ins. It removes the risk associated with malware or other undesirable software installations that may be disguised as a plug-in.

Fast Security Patches

Major browser vendors like Apple, Google, Microsoft and Mozilla take security very seriously. When a security risk is discovered internally by their teams, or externally by hunters for bug bounty programs, they create and deploy patches extremely quickly, often far quicker than UC platform vendors. While security loopholes can still theoretically be uncovered, users of WebRTC can remain confident that those issues will be addressed expediently and automatically.

Automatic Software Updates

The major browsers also offer automatic software updates. This allows any potential security threats to be addressed without the end user needing to opt in to the update. Relying on your employees or other end users to stay up to date with software updates is inherently unreliable. While some users may be diligent with their updates, there are others who will ignore, delay or forget them, which can put organizations at risk. WebRTC security benefits from automatic browser updates mitigating all of this risk.

Media Access

We’ve all heard the stories of webcams being hijacked by a third party to record private conversations. For instance, the FaceTime bug mentioned above allowed users to listen in on the people they were calling and even see through their camera, without them answering the call.

But the WebRTC specification takes active measures to ensure that issues like the FaceTime bug can never happen. First, it is not possible for a WebRTC application to arbitrarily gain access to your camera or microphone without your consent. While an application or website is allowed to ask the user for one-time or permanent access, it is not able to gain access without express permission. When a media request is made, a pop-up window will ask your permission to access your device before transmitting any information. Furthermore, WebRTC requires that the browser UI clearly indicates whenever a microphone or camera is in use, so you can be sure that there is no risk of potential eavesdropping.

Encryption

Encryption is a mandatory part of WebRTC and is enforced on all aspects of establishing and maintaining a connection. It makes it effectively impossible for someone to gain access to the contents of a communication stream because all media streams are securely encrypted through standardized and time-tested encryption protocols. Only those applications with the secret encryption key are able to decode the streams.

The best practice for this is to use perfect forward secrecy (PFS) ciphers in a DTLS (Datagram Transport Layer Security) handshake to securely exchange key data (this is the method Frozen Mountain uses). For audio and video, key data can then be used to generate AES (Advanced Encryption Standard) keys which are in turn used by SRTP (Secure Real-time Transport Protocol) to encrypt and decrypt the media. This acronym-rich stack of technologies translates to extremely secure connections that are impossible to break with current technology. Both WebRTC and ORTC mandate this particular stack, which is backwards-compatible and interoperable with VoIP systems.
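The part of this stack that is visible in signaling can be checked mechanically. The following is an added example, not code from the original post or from Frozen Mountain: it audits a session description (SDP) for DTLS-keyed media, a certificate fingerprint, and the absence of keys sent in signaling. The function name and both SDP samples are constructed for illustration.

```javascript
// Added example: audit an SDP description for the DTLS-SRTP stack described above.
// All SDP text below is constructed sample data, not captured from a real session.
const FP = Array(32).fill('AB').join(':'); // placeholder certificate fingerprint
const GOOD_SDP = [
  'v=0', 'o=- 1 2 IN IP4 127.0.0.1', 's=-', 't=0 0',
  `a=fingerprint:sha-256 ${FP}`,            // session-level, applies to every m= section
  'm=audio 9 UDP/TLS/RTP/SAVPF 111', 'a=setup:actpass',
  'm=video 9 UDP/TLS/RTP/SAVPF 96', 'a=setup:actpass',
].join('\r\n');
const LEGACY_SDP = [
  'v=0', 'o=- 1 2 IN IP4 127.0.0.1', 's=-', 't=0 0',
  'm=audio 49170 RTP/SAVP 0',               // SRTP keyed through signaling (SDES)
  'a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER_KEY',
  'm=video 49172 RTP/AVP 96',               // plain RTP, no encryption
].join('\r\n');

function auditSdp(sdp) {
  const lines = sdp.split(/\r?\n/).filter(Boolean);
  const sections = [[]];                     // sections[0] holds session-level lines
  for (const line of lines) {
    if (line.startsWith('m=')) sections.push([line]);
    else sections[sections.length - 1].push(line);
  }
  const [session, ...media] = sections;
  const sessionFp = session.find((l) => l.startsWith('a=fingerprint:'));
  const findings = [];
  media.forEach(([mLine, ...attrs], i) => {
    const [kind, port, proto] = mLine.slice(2).split(' ');
    if (port === '0') return;                // a rejected section carries no media
    const where = `m-section ${i} (${kind})`;
    // DTLS-keyed profiles look like UDP/TLS/RTP/SAVPF or UDP/DTLS/SCTP
    if (!/(^|\/)D?TLS\//.test(proto)) findings.push(`${where}: ${proto} is not a DTLS profile`);
    // A media-level fingerprint overrides the session-level one
    const fp = attrs.find((l) => l.startsWith('a=fingerprint:')) || sessionFp;
    if (!fp) findings.push(`${where}: no certificate fingerprint for the DTLS handshake`);
    else if (/^a=fingerprint:(md5|sha-1) /i.test(fp)) findings.push(`${where}: weak fingerprint hash`);
    if (attrs.some((l) => l.startsWith('a=crypto:'))) findings.push(`${where}: SDES key sent in signaling`);
  });
  if (media.length === 0) findings.push('no media sections found');
  return findings;
}

console.log(auditSdp(GOOD_SDP));
console.log(auditSdp(LEGACY_SDP));
```

The cipher suite itself, and therefore forward secrecy, is negotiated inside the DTLS handshake and does not appear in the SDP, so this check covers only what signaling exposes.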

HTTPS - Added Protection

WebRTC has taken security a step further by introducing new requirements that stipulate that WebRTC-enabled connections can only be established over a secure connection. This means that all WebRTC applications must be HTTPS (Hypertext Transfer Protocol Secure) compliant.

The S in HTTPS is responsible for authenticating the website as well as encrypting data exchanged with the website to protect your data transmissions from hackers or other malicious parties. This means that not only does the page need to be secure in order for a connection to be established, but the server you communicate with from that page also needs to be secure.
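Both halves of that requirement, the page and the server it talks to, can be checked before deployment. The following is an added example, not code from the original post: browsers expose camera and microphone capture only to secure contexts (HTTPS, with loopback addresses allowed for development), and the signaling server should be reached over `https:` or `wss:`. The function names and URLs are constructed for illustration.

```javascript
// Added example: check a WebRTC page and its signaling endpoint against the HTTPS requirement.
// All URLs are constructed placeholders (example.com is reserved for documentation).
function isLoopback(hostname) {
  // Loopback hosts count as trustworthy so local development works without a certificate
  return hostname === 'localhost' || hostname.endsWith('.localhost') ||
         /^127(\.\d{1,3}){3}$/.test(hostname) || hostname === '[::1]';
}

function auditEndpoints(pageUrl, signalingUrl) {
  const page = new URL(pageUrl);
  const signal = new URL(signalingUrl, page);   // resolves relative signaling paths
  const findings = [];
  // The page must be a secure context or media capture is not offered to it
  if (page.protocol !== 'https:' && !isLoopback(page.hostname)) {
    findings.push(`page ${page.href} is not a secure context; media capture is unavailable`);
  }
  // Signaling carries the session description, so it needs TLS as well
  const signalSecure = signal.protocol === 'https:' || signal.protocol === 'wss:';
  if (!signalSecure && !isLoopback(signal.hostname)) {
    findings.push(`signaling ${signal.href} is not protected by TLS`);
  }
  return findings;
}

console.log(auditEndpoints('https://meet.example.com/room/1', 'wss://signal.example.com/ws'));
console.log(auditEndpoints('http://meet.example.com/room/1', 'ws://signal.example.com/ws'));
```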

Frozen Mountain Security

Although WebRTC is very secure, Frozen Mountain takes extra precautions to ensure that your communications are kept safe. These include:


  1. Perfect Forward Secrecy (PFS):  The highest level of security possible for a real-time communication. This ensures that your session keys will not be compromised even if the private key of the server is compromised. Frozen Mountain uses PFS as the default for every single session.

  2. Independent connection security: At Frozen Mountain, every connection's security is negotiated independently of every other connection - breaking the system would not only require techniques not known to mankind today, but would also require the malicious attacker to start over with every new connection.

  3. Data Records: All audio, video, data streaming and text messages are wiped from memory as soon as they are delivered, and nothing is stored on a disk unless the customer expressly adds and enables audio and video recording. This means you can be confident that your confidential conversations will not get leaked.


WebRTC has big advantages over other video conferencing solutions in the area of security. Whereas some applications treat security as optional, WebRTC mandates security as part of the specification. So if you are considering using WebRTC for your real-time communications, you can rest easy knowing your conversations are safe.


Need a highly secure WebRTC solution? We've got you covered. Check out LiveSwitch -- the massively flexible, highly scalable video conferencing solution.

Greg Batenburg

As VP of Business Development & Marketing at Frozen Mountain, Greg is responsible for identifying and developing new partnerships and key business opportunities. As a professional employed in the high tech sector for over 15 years, Greg loves to find new ways to combine great products and ideas with Frozen Mountain's technology and people.
