7

My understanding is that with the WebRTC peer-to-peer data API, communications between peers are encrypted via a modified form of SSL. Where are the keys for the peer-to-peer SSL connection generated, though? On the original web server that unites the peers, or on the peers' computers?

Update:

Also, assuming that the JavaScript delivered to their browsers is not already siphoning off their data, I'd like to know if the original uniting web server has enough information (keys, etc.) to eavesdrop on the united peers' encrypted communications, if the traffic was recorded, for instance.

John
  • 2,242
  • 2
  • 28
  • 45

1 Answer

5

You are right, encryption is mandatory for all WebRTC communications. All communications are encrypted using Datagram Transport Layer Security (DTLS), which is a derivative of SSL.

DTLS is built into all browsers that support WebRTC. In short, the keys for the peer-to-peer SSL connection are generated by the peers and exchanged over the signalling protocol.

The peers use a self-signed certificate (asymmetric key) based on RSA to exchange the symmetric keys they will use for the communication. The peers use Diffie-Hellman to generate the symmetric keys.

For more detailed information, see the following post:

Ubaidah
  • 1,054
  • 6
  • 11
  • Ok, so assuming it provides trustworthy code, the server that unites the peers has no way of eavesdropping on the peers' communication? Also, I guess because the certificates are self-signed, the peers have no way of assuring each other of their identities, right? – John Apr 03 '14 at 16:01
  • 1
    Well, a self-signed certificate is not immune to Man-In-The-Middle (MITM) attacks. However, with integrity verification the peers reduce the risk of a MITM attack. If the signalling server is trusted then you should have no problem with MITM. The self-signed certificates are for symmetric key exchange, not for mutual authentication. – Ubaidah Apr 03 '14 at 23:02
  • 1
    Link might be broken? http://www.metaswitch.com/the-switch/webrtc-and-sbcs-part-3-encryption – Flo Schild Feb 01 '17 at 23:58
  • @Flo-Schield-Bobby yes, thank you for letting me know that. I will edit my answer. – Ubaidah Feb 02 '17 at 00:48
  • You're welcome :) Using RTCPeerConnection in JavaScript, does anything need to be done client- and/or server-side to set up DTLS? I mean more than HTTPS + WSS? Do you know what the goal of RTCCertificates is? – Flo Schild Feb 02 '17 at 00:52
  • 1
    @Flo-Schield-Bobby Well, from my experience you do not need to do anything in particular if you are using any browser that supports WebRTC. RTCCertificate is the certificate that the peers use to authenticate each other. One interesting article about how WebRTC works and the security issues is http://webrtc-security.github.io/ – Ubaidah Feb 02 '17 at 17:38