4

I am building a WebRTC application, and really concerned about security.

I have read this quite interesting article : https://webrtc-security.github.io

As I am far from being an expert in networking security, I just want to confirm that I am doing it right, and what things should I potentially worry about.

  1. Origin

    • The WebRTC "room" is hosted on a website over HTTPS (LetsEncrypt).
    • I force the JavaScript APIs to generate ECDSA certificates whenever possible (not exactly aware of the role of those certificates however?!)

  2. Signaling

    • I built a websocket signaling server accessible over WSS.
    • This signaling server needs to receive an "authentication" special message, containing a valid RFC7519 JsonWebToken (checking origin and expiration), before it actually allow to forward SDP offers, answers and ICE candidates. All JWT are encrypted with a 4096 bits private key.
    • Once authenticated, this JWT is no longer needed, as the WebSocket server will consider a connection as authenticated untill disconnection

  3. Networking

    • I have set up a TURN server (resiprocate-turn-server) using TLS aswell, accessible for STUN and TURNS protocols :

stun:stun.my-domain.org:3478

turns:turn.my-domain.org:5349 (requiring valid username and password)

  • Should I restrict the access to this STUN server to some domaine origins ?

As a web developer, do I need to worry about kind of MITM attack (actually any kind of attack?)

Flo Schild
  • 141
  • 5

1 Answers1

2

This is actually a really good question, and my answer is I am not 100% sure ... so I will tell you what I know and what I suspect and how to test it.

First off, if you are using WSS your server end is good to go. Using WSS over WS is effectively the same as using HTTPS over HTTP.

Now the tricky part ... If you have clients A & B both connecting to server C with WSS ... and then you use STUN & TURNS, I would suspect that A would connect to B with the same WSS connection that each of them was previously using for connection with server C. Key Word being SUSPECT

Since I dont have a https enabled STUN & TURNS server readily available to me for test, I personally can not test it and tell you everything is fine. However, if you put wireshark on clients A & B you should be able to monitor the traffic between them ... and if it is not coming across the line using clear text ... then yes, the encryption holds.

CaffeineAddiction
  • 7,517
  • 2
  • 20
  • 40
  • Thanks for pointing the network inspection, I'll try to see if I can install WireShark on different machines :) However, I am not sure to understand what you mean by "A would connect to B with the same WSS connection", WSS connections are connections from client to server, not peer-to-peer? – Flo Schild Feb 05 '17 at 09:13
  • stun and turn are used to do p2p between browsers ... see https://www.html5rocks.com/en/tutorials/webrtc/infrastructure/ also https://en.wikipedia.org/wiki/STUN – CaffeineAddiction Feb 05 '17 at 11:26
  • Yes, that I know, what I not get was the point on WSS, over TURN ? – Flo Schild Feb 05 '17 at 12:21
  • 1
    When the two clients change from talking through the server to talking directly I am not sure what happens in terms of authentication and key exchange ... I assume they are talking p2p over wss and that it is still encrypted, but to be honest I have never tried it myself. – CaffeineAddiction Feb 05 '17 at 12:53