Because WebRTC is an open-source platform, those new to the idea of browser-based real-time communications may understandably have some concerns over the security of WebRTC systems. How easily can hackers eavesdrop on private video conferences? Can they gain access to VOIP calls? We’ve put this post together to take a closer look at WebRTC security and to explore just how safe browser-to-browser communications are.

WebRTC Security

Built-in Security Features

In essence, downloading any software from the internet carries an inherent risk that your PC may become infected by a virus, malware, spyware or various other ‘bugs’ that threaten the security of your data. As such, the principal solution to combat viruses is to install firewalls and anti-malware software that work to defend your computer against any potential threats.

With WebRTC, however, there’s no need to worry about any of that. Because WebRTC works from browser to browser, you don’t need to download any software or plugins in order to set up a video conference or VOIP call. All the security that you need is already contained within your browser and the WebRTC platform. Some of the built-in security features contained within the WebRTC platform include:

  • End-to-end encryption between peers
  • Datagram Transport Layer Security (DTLS)
  • Secure Real-Time Protocol (SRTP)

End-to-End Encryption

Encryption is built into WebRTC as a permanent feature and addresses all security concerns effectively. Regardless of what server or compatible browser you’re using, private peer-to-peer communication is safe thanks to WebRTC’s advanced end-to-end encryption features.

Datagram Transport Layer Security (DTLS)

Any data that is transferred through a WebRTC system is encrypted using the Datagram Transport Layer Security method. This encryption is already built into compatible web browsers (Firefox, Chrome, Opera), so that eavesdropping or data manipulation can’t happen.

Secure Real-Time Protocol (SRTP)

In addition to offering DTLS encryption, WebRTC also encrypts data through Secure Real-Time Protocol, which safeguards IP communications from hackers, so that your video and audio data is kept private.
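
Both DTLS and SRTP are visible in the session description (SDP) that the two browsers exchange before a call. The following is an added example, not code from the original post: it audits an SDP for media sections that are not DTLS-protected, that lack a certificate fingerprint, or that carry SDES (`a=crypto`) keys, which WebRTC does not permit. The function name `auditSdp` and the sample SDP are constructed for illustration.

```javascript
// Added example: audit an SDP for the DTLS/SRTP properties WebRTC relies on.
// auditSdp and the sample SDP are constructed for illustration.
const SECURE_PROTOS = new Set([
  'UDP/TLS/RTP/SAVPF', 'UDP/TLS/RTP/SAVP',       // SRTP keyed by DTLS
  'UDP/DTLS/SCTP', 'TCP/DTLS/SCTP', 'DTLS/SCTP', // data channels over DTLS
]);

function auditSdp(sdp) {
  const findings = [];
  const sections = [];
  let sessionFingerprint = false;
  let current = null; // media section currently being parsed
  for (const raw of sdp.split(/\r?\n/)) {
    const line = raw.trim();
    if (line.startsWith('m=')) {
      const [kind, port, proto] = line.slice(2).split(' ');
      current = { kind, proto, rejected: port === '0', fingerprint: false };
      sections.push(current);
    } else if (line.startsWith('a=fingerprint:')) {
      // Certificate hash that the DTLS handshake is checked against
      if (current) current.fingerprint = true; else sessionFingerprint = true;
    } else if (line.startsWith('a=crypto:')) {
      // SDES: SRTP key material carried in the signalling message itself
      findings.push(`SDES key in SDP (${current ? current.kind : 'session'})`);
    }
  }
  for (const m of sections) {
    if (m.rejected) continue; // port 0 means the section was declined
    if (!SECURE_PROTOS.has(m.proto)) findings.push(`${m.kind}: non-DTLS transport ${m.proto}`);
    if (!m.fingerprint && !sessionFingerprint) findings.push(`${m.kind}: no a=fingerprint`);
  }
  return findings;
}

// Constructed sample: audio uses DTLS-SRTP, video offers plain RTP with an SDES key.
const sampleSdp = [
  'v=0',
  'o=- 1 1 IN IP4 192.0.2.1',
  's=-',
  't=0 0',
  'm=audio 9 UDP/TLS/RTP/SAVPF 111',
  'a=fingerprint:sha-256 00:11:22:33 (constructed, truncated)',
  'a=setup:actpass',
  'm=video 9 RTP/AVP 96',
  'a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED',
].join('\r\n');

console.log(auditSdp(sampleSdp));
```

In a browser, the string to audit is available from `RTCPeerConnection.localDescription.sdp` and `remoteDescription.sdp`.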

Camera and Microphone Security

Unlike some other video and audio conferencing software, WebRTC requires the user to enable access to their microphone and camera before communications begin. Typically, a pop-up box will appear in your web browser, asking you to allow the program access. The image below shows what a webcam and microphone permission pop-up might look like on a Chrome browser.

Camera permission

Different browsers enable access in different ways. For example, with Chrome, once you have granted permission, your browser will generally remember your choice and always allow access from that particular software or website in the future.

Firefox, however, enforces one-time permissions, meaning that every time that software or website tries to access your webcam and microphone, you’ll need to allow access again.

Chrome, Firefox and Opera browsers also indicate when you’re part of a WebRTC call. If the browser can’t tell whether you’re on a call or not, the connection will be terminated by default.

WebRTC Security With VOIP

Internet-based VOIP systems need to be able to ensure the privacy of users’ conversations and to stop potential eavesdropping on private conversations. In order to provide complete security, WebRTC-enabled VOIP systems make use of encrypted signalling channels using the WebSocket protocol over a Transport Layer Security (TLS) secured connection.

This effective security feature works by creating a secure connection to an HTTP server, whose certificate is then verified against a trusted Certificate Authority (CA). Once the certificate has been verified, the user knows that the server is legitimate and there’s no risk of unauthorised access taking place.

What are your thoughts on WebRTC security? Do you have any comments you’d like to add to this post? We’d be keen to hear what you think.

You can read more about WebRTC on the Netscan blog.