12

WebRTC makes use of TURN servers if the direct peer-to-peer connection fails. There are two protocols available: TURN and TURNS (TURN over TLS).

According to the MDN:

All data transferred using WebRTC is encrypted.

If all data sent via a data channel is end-to-end encrypted with DTLS by default, why does TURNS even exist?

Isn't TURNS only encrypting the connection between the server and the client?

Wouldn't that be unnecessary overhead?

EDIT - Why not simply use plain TURN without any server/client encryption? I know what TURN servers are used for, but I do not get why we would want to encrypt the connection to the TURN server. Because of the DTLS encryption between the peers, the TURN server cannot read any of the transferred data. Hence nobody else can, so why even bother adding another layer of encryption?

Someone else
  • 121
  • 1
  • 5
  • Similar question for STUN: https://security.stackexchange.com/questions/139707/what-information-can-be-leaked-via-unencrypted-stun-transmission – baptx Mar 04 '21 at 22:56

4 Answers

7

One reason is for better firewall traversal. You can get past some stricter firewalls with TURN/TLS over port 443 to disguise WebRTC traffic as HTTPS traffic.

Phil
  • 71
  • 1
  • 2
3

In addition to better firewall traversal: without wrapping the TURN payload in TLS, an eavesdropper would be able to see the IP address of the peer (the destination of the relayed traffic). Depending on your threat model this may or may not be important.

Excerpt from the RFC:

The primary protocol content of the messages is the IP address of the peer. If it is important to prevent an eavesdropper on a TURN connection from learning this, TURN can be run over TLS.

RFC 5766, section 17.1.6

  • Isn't the TURN server receiving/sending packets from/to each peer? The IPv4/6 source/destination addresses and ports can't be protected with TLS, else the packet couldn't be routed to its destination. – thinkski Aug 30 '21 at 23:20
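The RFC excerpt above and the comment that follows it are talking about two different layers. On the client-to-relay leg, the IP headers only name the client and the TURN server; the peer's address travels inside the TURN message itself, in the XOR-PEER-ADDRESS attribute, and the "XOR" there is obfuscation against NAT rewriting, not encryption. The following is an added example (mine, not code from the answer or from any TURN implementation) that builds a TURN Send indication the way a WebRTC client would and then reads it back the way a passive observer on that leg could. The transaction ID, the peer addresses and the opaque blob standing in for a DTLS record are constructed sample values; function names are my own. It assumes Python 3.9+ and only the standard library. Under TURNS the whole message, including this attribute, would sit inside a TLS record and none of the parsing below would be possible.

```python
import ipaddress
import struct

# Constants from RFC 5389 (STUN) and RFC 5766 (TURN).
MAGIC_COOKIE = 0x2112A442
ATTR_XOR_PEER_ADDRESS = 0x0012
ATTR_DATA = 0x0013
MSG_SEND_INDICATION = 0x0016  # method Send (0x006), class indication


def _attribute(attr_type: int, value: bytes) -> bytes:
    """STUN attribute TLV; the value is padded to a 4-byte boundary."""
    pad = (-len(value)) % 4
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * pad


def _xor_mask(txid: bytes) -> int:
    """128-bit XOR mask for IPv6: magic cookie followed by the transaction ID."""
    return int.from_bytes(MAGIC_COOKIE.to_bytes(4, "big") + txid, "big")


def encode_xor_address(ip: str, port: int, txid: bytes) -> bytes:
    """XOR-PEER-ADDRESS value: reserved byte, family, X-Port, X-Address (RFC 5766 s.14.3)."""
    addr = ipaddress.ip_address(ip)
    x_port = port ^ (MAGIC_COOKIE >> 16)
    if addr.version == 4:
        family, x_addr = 0x01, (int(addr) ^ MAGIC_COOKIE).to_bytes(4, "big")
    else:
        family, x_addr = 0x02, (int(addr) ^ _xor_mask(txid)).to_bytes(16, "big")
    return struct.pack("!BBH", 0, family, x_port) + x_addr


def decode_xor_address(value: bytes, txid: bytes) -> tuple[str, int]:
    """Undo the XOR obfuscation. This is not encryption: anyone holding the message can invert it."""
    _, family, x_port = struct.unpack("!BBH", value[:4])
    port = x_port ^ (MAGIC_COOKIE >> 16)
    if family == 0x01:
        ip = ipaddress.IPv4Address(int.from_bytes(value[4:8], "big") ^ MAGIC_COOKIE)
    elif family == 0x02:
        ip = ipaddress.IPv6Address(int.from_bytes(value[4:20], "big") ^ _xor_mask(txid))
    else:
        raise ValueError(f"unknown address family {family:#x}")
    return str(ip), port


def build_send_indication(peer_ip: str, peer_port: int, payload: bytes, txid: bytes) -> bytes:
    """A TURN Send indication as a WebRTC client would put it on the wire towards its relay."""
    body = _attribute(ATTR_XOR_PEER_ADDRESS, encode_xor_address(peer_ip, peer_port, txid))
    body += _attribute(ATTR_DATA, payload)
    return struct.pack("!HHI", MSG_SEND_INDICATION, len(body), MAGIC_COOKIE) + txid + body


def parse_stun_message(msg: bytes) -> tuple[int, bytes, list[tuple[int, bytes]]]:
    """Split a STUN/TURN message into (type, transaction id, [(attr type, value), ...])."""
    if len(msg) < 20:
        raise ValueError("short STUN header")
    msg_type, length, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != MAGIC_COOKIE or len(msg) < 20 + length:
        raise ValueError("not a well-formed STUN message")
    txid = msg[8:20]
    attrs, offset, end = [], 20, 20 + length
    while offset + 4 <= end:
        attr_type, attr_len = struct.unpack("!HH", msg[offset:offset + 4])
        value = msg[offset + 4:offset + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated attribute")
        attrs.append((attr_type, value))
        offset += 4 + attr_len + ((-attr_len) % 4)  # skip value plus padding
    return msg_type, txid, attrs


def observer_view(msg: bytes) -> dict:
    """What a passive observer on the client<->relay path learns from one plain-TURN message."""
    msg_type, txid, attrs = parse_stun_message(msg)
    return {
        "msg_type": msg_type,
        "peers": [decode_xor_address(v, txid) for t, v in attrs if t == ATTR_XOR_PEER_ADDRESS],
        # The DATA attribute carries the DTLS record: still ciphertext, only its size is visible.
        "data_len": sum(len(v) for t, v in attrs if t == ATTR_DATA),
    }


if __name__ == "__main__":
    # Constructed sample values: a 12-byte transaction ID and an opaque blob standing in for
    # a DTLS 1.2 record (content type 0x16, version 0xfefd) that the observer cannot decrypt.
    txid = bytes(range(12))
    dtls_blob = b"\x16\xfe\xfd" + bytes(13)
    for ip, port in (("203.0.113.5", 40000), ("2001:db8::1", 5000)):
        print(observer_view(build_send_indication(ip, port, dtls_blob, txid)))
```

The example handles both IPv4 and IPv6 peer addresses, which is slightly more than the RFC excerpt mentions; the IPv6 case matters because the XOR mask then includes the transaction ID, which is also in the clear in the same message, so it gives the observer no extra protection either.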
0

From my understanding, Traversal Using Relays around NAT (TURN) seems more aimed towards better traversal of firewalls behind NAT (RFC 5766). So, although the TURN server handles encryption (like a web server handles HTTPS), it's not the primary use of TURN servers.

TURN Server

If direct communication is allowed, but the firewall blocked signalling, no initiation would take place: no P2P communication would be established.

WebRTC (image; the original answer links the image source and further explanation)

TURN's purpose of firewall traversal could equally be achieved by using an SSL VPN or OpenVPN to circumvent restrictive firewall(s).

safesploit
  • 1,827
  • 8
  • 18
  • 2
    This answer doesn't seem to include anything about the difference between TURN and TURNS. – Macil Apr 30 '18 at 23:58
  • 1
    Thanks for your answer! :) But my question aims at why we need to encrypt the TURN connection with TLS. As far as I understand TLS is obsolete in this case. – Someone else May 01 '18 at 08:18
0

There are three transport modes - TURN/UDP, TURN/TCP & TURN/TLS. Depending on the LAN firewall policy, the browser will select the least restrictive transport mode.