The theme of browser security pops up from time to time when another IT media raise the issue of using Flash in your browser from the privacy policies point of view. For a regular Internet user such kind of issues can be avoided by following a few simple rules: keep the browser and plug-ins up to date, use common sense and do not download or run executable files from web sites which you are not sure you can trust, do not open attachments of weird emails (or even better ignore such emails – spam filters are there for a reason). But everything becomes more severe when we talk about B2B communications.
WebRTC apps development is gaining popularity nowadays. WebRTC is the technology that can be used for developing applications for real-time communications between the users using peer-to-peer connections. It allows exchanging data, files, messages, video and audio with no need for any servers right from a web browser. Due to WebRTC, browsers can compete with familiar and well-known applications such as Skype.
Such real-time communication applications can be used for making business calls and organizing online business meetings or negotiations. According to the statistics, 2016 was marked by the phenomenal growth of WebRTC popularity.
This increase in technology usage applies to both web and mobile applications. According to the stats collected by the Google company, there are two billion Chrome browsers with WebRTC, one billion minutes of audio/video data that is sent via WebRTC apps on Chrome per week, more than 1000 businesses and products based on WebRTC, five billion downloads of mobile applications that work with WebRTC.
Such popularity is another reason why the security issues of real-time communications are so important. If you use the unencrypted media, it can be intercepted by the malefactor during the transmission process. During the communication between browsers, third-party will be able to see all data sent. WebRTC uses some protocols that help avoid the possible undesirable consequences caused by insecure connections. Next, we’ll talk about them in more detail.
An Insight Into WebRTC Security Protocols
WebRTC allows exchanging media streams (video chat apps) and data such as files or photos, for example. Depending on the data type, WebRTC uses one of the available security protocols: SRTP for streams and DTLS for other kinds of data. Let’s look at them in more detail.
WebRTC SRTP Protocol
SRTP (Secure Real-time Transport Protocol) is the protocol that is used for multiplexing the media streams. It also provides congestion control features, helps to control the flow, and ensures the delivery of the data on the acceptable level. When you use WebRTC app to initiate the calling procedure by sending a request to the person that you want to chat with, SRTP will guarantee that the media channels are secured with the encryption keys. It also provides you with data integrity protection features to confirm the authenticity of the message and to protect its integrity.
WebRTC TLS Features Support
The TLS (Transport Layer Security) protocol like its predecessor SSL (Secure Sockets Layer) provides the client-server applications with the possibility of data transmission that is protected from unauthorized access. When a client connects to a server, they need to establish a secure connection. To do so, the client provides a list of supported encryption algorithms. The server chooses the most reliable among them and informs the user about this choice.
Then, the server sends a digital certificate for its authentication to the user. Then, the user should check the validity of this certificate. After that, to ensure connection security, the session keys are generated. To provide the chatting application with the required level of security, WebRTC uses the DTLS protocol that is based on TLS.
WebRTC DTLS Protocol
For the security of data transfers, WebRTC uses the DTLS (Datagram Transport Layer Security) protocol. It’s important to note that according to the standards, all data sent by WebRTC application should be secured using DTLS with no exceptions. This protocol works within each browser that supports WebRTC.
It means that there’s no need in any prior setups to make sure that it works. It was designed to avoid eavesdropping and information tampering. The DTLS protocol was designed upon the stream-orientated TLS. It guarantees full encryption with asymmetric cryptography methods, data authentication, and message authentication.
Nowadays, TLS is one of the most important standards that is used not only by WebRTC. It forms the web encryption as we know it. TLS is used for the purposes of another well-known protocol: HTTPS. DTLS is also a derivative of SSL. Thus, when you use the WebRTC based browser application, you can be sure that all your data as secure as if you use the SSL based connection.
P2P Communication Trends
WebSocket API
Of course, WebRTC is not a single option if we talk about creating web communication apps. The WebSocket protocol provides a user with the full-duplex communication channels that work over the TCP connection. It was designed for exchanging real-time messages between the browser and a web server.
Using WebSocket API, you can create client or server applications with almost no restrictions in functionality. It’s based on the TCP protocol and allows closer interaction between the browser and a website.
Tons of web tools like Pusher, for example, can simplify the development of WebSocket applications with multiple clients, so you can be sure that you won’t face the lack of infrastructure if you chose WebSocket as your main development technology. The bad thing is that browser can not receive the WebSocket connections. The API specs only define the way of starting the outbound connection. Thus, this technology doesn’t allow creating browser-to-browser communication apps.
WebRTC API
WebRTC API, on the other hand, allows creating a data channel between two browsers. Using the RTCDataChannel interface, you can create a high-performance browser-to-browser communication channel. This API is simple to use, and it works similarly to the WebSocket API. So there won’t be any troubles to retrain your developers if you choose to switch to WebRTC.
Since communication occurs directly between the browsers bypassing any servers, RTCDataChannel works much faster than WebSocket. The high-speed serverless connection can be crucial in case your business requires regular web chatting with your colleagues and partners from all over the globe. Talking about the development tools, in the case of WebRTC, you can pay attention to PeerJS. This library is pretty popular among developers at the moment. It works as a wrapper for the WebRTC implementation within the browser and can simplify the creation of the chatting app.
Web Real-time Communications from the Security Point of View
From the practical point of view, real-time communication apps based on WebRTC allow using all the essential features that you might need. You can send and receive messages from the members of your contact list. If necessary, you can create a group chat. If you want to get everything the modern internet technologies can offer, video and audio calls are available as well. Group video calls can help you to organize an online conference between your teammates and colleagues. To see how such applications work you can check our YouTube video below. It demonstrates the possibilities of the WebRTC web application that we’ve developed.
But being an open-source project, WebRTC may cause some doubts about its security level. Particular attention should be given to the possibility that a malefactor can eavesdrop the conference during corporate negotiations. The career of a vast number of people and the success of the project can be at stake. Let’s summarize the current state of affairs to check if there’s something to worry about.
Some Special Features of WebRTC Communication Apps
No additional plug-ins or add-ons
First of all, web communication apps built with WebRTC don’t require any additional plug-ins or add-ons. This technology allows sending data directly from browser to browser. Thus, you don’t have to worry that your computer will be infected by spyware, virus, or any other malicious software. Exchanging unencrypted data can cause potential eavesdroppers since your data is vulnerable to the so-called man-in-the-middle attacks. If you want to have a guarantee that nobody besides your users can read the messages, you have to make sure that your communication software should support End-to-end encryption.
End-to-End Encryption (E2EE) between the peers is enabled permanently by default according to the WebRTC security standards. Despite the browser you use, you can be sure that your peer-to-peer connection is safe.
The use of Datagram Transport Layer Security (DTLS) and Secure Real-Time Protocol (SRTP) that we discussed earlier will guarantee the safety of your data and video/audio streams during transmission via the WebRTC application. These protocols are already built into compatible browsers.
No camera/microphone
WebRTC software won’t use your camera or microphone unless you enable access to them. A popup window will ask you to allow the application access.
In the case of using VoIP (Voice over Internet Protocol) systems, WebRTC based applications use WebSockets protocol over a Transport Layer Security (TLS) secured connection. This feature allows creating a secure connection which is verified by a trusted Certificate Authority (CA). After the certificate verification, you can be sure that there are no risks of potential eavesdropping.
As you can see, WebRTC security policy is focused on ensuring data transmission security whether your intention is to send some files or use online chatting features. According to the standard, the security protocols are enabled by default, so you can be sure that all valuable data will be safe.