Blog

WebRTC – End-to-End Encryption Demystified

Increased and optimal adoption of the cloud has made the deployment of conferencing solutions very easy. Cloud adoption is on the rise due to the reduced workload and expenses. With the Cloud, there is no need to deal with physical machines, virtual machines, and operating systems. These factors have encouraged the wide adoption of  Web Real-Time Communication (WebRTC) protocol by all major browser vendors. Cloud technology has been the driving force behind the success of real-time communication technology. 

Having said that, there exist security concerns with hi-tech cloud technology. Data flows through third-party tools. This creates a possibility that it is unencrypted and not secure.

WebRTC is encrypted but the encryption only applies to the wire. Content is safe on wired peer-to-peer connections. Services needing intermediate (media) servers for scaling and distribution leave information openly exposed on the server. In that case, access to the media server would mean access to data, information (your audios, videos, and chats). This is how the confidential information exchanged between two parties is compromised, which is against regulations in Banks, MPAA, HIPAA, Telco operators, and similar sectors.

So, what has been done for that? Well, a lot!

The year 2016-2017 saw a bunch of the world’s top web engineers and scientists (Privacy Enhanced RTP Conferencing (PERC) group working at the Internet Engineering Task Force (IETF)) coming up with solutions to achieve true end-to-end encryption. A solution that secures the media/ information even in the third-party Media Server.

Multiple Security Approaches

WebRTC has a complex and layered ecosystem of application codec, browsers, native devices, and infrastructure. It accosts security from different angles, for instance – ‘security at the protocol level’ and ‘using the browser as a reference’.

• Mandatory Media Encryption

Unlike other video conferencing and VoIP technologies, encryption is mandated in WebRTC technology. Data exchanged via WebRTC powered application is encrypted with SRTP (Secure Real-Time Protocol). SRTP encrypts the session. Without the proper encryption keys, the message cannot be decoded. As a matter of fact, the unencrypted version of RTP is forbidden by the IETF (specifications that define WebRTC). 

• Mandatory Secure Encryption Key Exchange

The WebRTC specifications mandate the secure encryption setup. It is tough to get the encryption keys. SDES, MIKEY, and ZRTP are key exchange mechanisms that are used to set up the encrypted channels. SDES and MIKEY systems transmit the key data, leveraging the signaling channel. The WebRTC specifies the use of SRTP-DTLS. The keys are exchanged on the media plane between peers. 

• Secure Signaling

At last, WebRTC needs a secure connection between the web server and the signaling server. This keeps the information in that signaling channel, making it more difficult for an attacker to take over the session. Signaling is secured by the HTTPS protocol.

The Future of End-to-End Encryption

The major online services and other institutes are securing their web traffic and the overall percentage of encrypted web traffic is increasing by the day. The continued adoption of End-to-End encryption will need consistent backing directed at the web ecosystem. 

The growing ease of use and low cost of HTTPS deployment is helping in the spread of (End-to-End encryption) technology. There exist end-to-end encrypted messaging services where even the service provider can’t access the content. Such services are on the all-time rise.

In 2011, Apple integrated end-to-end encryption into its iMessage. Facebook followed quickly with Whatsapp incorporating the encryption technology. soon after, another messaging app, Signal, offered end-to-end messaging to its billion-plus users. Many other big brands got into the game gradually.

Within a few years, end-to-end encryption has gone from an arcane and unknown technology to one that is super-simple to use and is widely used, practically by all smartphone user.

The future of End-to-end Encryption is secure and bright. RTCWeb.in with its WebRTC expertise wishes to utilize end-to-end encryption technology for clients. At RTCWeb.in we are driving innovation with our WebRTC services, using advanced and upbeat technologies, including end-to-end encryption. 

To incorporate WebRTC technology and End-to-End Encryption into your business application, contact us now.