A Glance Into WebRTC Technology From a Security POV

Real-Time Communications (RTC), is the most important paradigm shift in the use of personal and business communication. Today, all internet communications are being conducted at real-life speed, be it business or personal communication. Integrated methods of RTC are embedded in applications for cross-business and interpersonal exchange of data and information. 

Here are some applications that leverage WebRTC technology to deliver some awesome user functionality: Whatsapp, Facebook, Google Hangout, Google Meet, Google Duo, Discord.

Conferencing, be it audio or video, is a valuable and important part of doing business. It is hard for organizations to function without the right conferencing tools at their disposal. At the same time, it is even harder to trust real-time communication technology with confidential business information and sensitive conversations. Especially when incidents of security breaches are so common. For instance, the recent FaceTime bug which showed how conferencing apps can be compromised. Although the FaceTime group disabled the bug and the fix was quickly released,  it does raise questions about the security of RTC applications.

The need for private data or information to remain private is a topic that is always up for debate. But, businesses and individuals are entitled to privacy. When it comes to communications security, WebRTC is the technology to bank on. If you have an application built using WebRTC technology, you can be confident that user conversations and information are not vulnerable. 

Let’s explore how secure is WebRTC technology

There is an inherent risk of PC or software getting infected by a virus, malware, spyware, or other ‘bugs’ that threaten the security of data. The principal solution applied by many to combat viruses is to install anti-malware software to protect computers against potential threats. 

With WebRTC, however, there’s nothing to worry about external viruses, for WebRTC works from browser to browser. No software or plugins is needed to set up a video conference or VOIP call. All the needed security is already contained within the browser and the WebRTC platform.

In-built security features of a WebRTC System

Peer-to-Peer Encryption

Security and encryption is not an optional WebRTC feature, rather an in-built one. Regardless of the server or browser in use, the WebRTC solutions offer end-to-end encryption between peers on almost all servers. WebRTC’s advanced end-to-end encryption features ensure safe, private, and secure real-time communications.

Datagram Transport Layer Security (DTLS)

The data transferred through WebRTC technology solutions are encrypted using the Datagram Transport Layer Security. This encryption is built-in in web browsers like Firefox, Chrome, Opera thus chances of data manipulation are eliminated.

Secure Real-Time Protocol (SRTP)

In addition to DTLS encryption, WebRTC solutions also encrypt data through Secure Real-Time Protocol. SRTP safeguards IP communications from hackers, so the user’s video and audio data are kept private. User’s voice and video traffic can not be heard or seen by unauthorized parties.

Camera and Microphone Security

Unlike most video/audio conference software, WebRTC solutions ask permission for accessing the user’s microphone and camera before communications begin. This is to ensure that the user is aware of the camera and microphone switching on. Besides, when the access is granted and media is in use, a red dot appears on the tab, providing a clear indication to the user that the tab has media access. Before using WebRTC, users are notified that a specific website is trying to access their camera and microphone.

Interactive Connectivity Establishment (ICE) 

ICE is a framework that enables web browsers to connect with peers. A straight up connection from Peer A to Peer B won’t work. It needs to bypass firewalls that would prevent opening connections, giving users a unique address. ICE is the IP address discovery process. 

WebRTC applications collect ICE candidates as a part of the process of connecting with other clients, using STUN/TURN servers. The web app will contact its configured STUN and TURN servers and ask them for IP addresses. Those addresses will then be used for establishing a connection. UDP packets contain application data between clients through the TURN server. Using a TURN relay will not weaken WebRTC security if DTLS is implemented and used properly. 

Be it downloading a VoIP application like Skype or a movie, or even transferring files via email, there is always a risk of malicious intrusions. But, WebRTC technology safeguards the transmission of data through the standards discussed above.

How security for WebRTC is ensured  

Unlike most real-time systems, WebRTC solutions are directly controlled by a Web server over some signaling protocols like XMPP, WebSockets,, Ajax, etc. This poses some challenges like:

  • The browser might expose JavaScript APIs allowing web servers to place automatic calls.
  • Web pages may secretly record and stream the media activity from the user’s computer
  • Malicious web pages can trap users via advertising and activate auto calling services.
  • JavaScript calling APIs are implemented as browser built-ins and unauthorized access to these can leave user’s audio and camera streams vulnerable.

The way out of these is simple — identify and resolve security issues at the development phase only, saving the service provider’s time, money, and reputation. 

Areas that can’t be neglected and needs to be covered to ‘secure’ an application (especially the one having large architecture) are —

  • Proper bug-free code.
  • Correctly implemented protocol.
  • No Operating system bugs.
  • Protection against social engineering and phishing attacks. 

Security is a broad subject and WebRTC application developers look after many sections of WebRTC security. A reliable and technologically sound development team can make the best and the safest RTC solutions using WebRTC technology.

About RTCWeb

If you have an idea for an RTC project, get your RTC application off the ground fast with RTCWeb. Get in touch with expert developers of RTCWeb for advice on how to put your idea into motion. RTCWeb develops cost-effective, feature-rich, and scalable communication/streaming solutions using WebRTC technology. 

You can leverage our ready-to-go RTC framework to capitalize on highly scalable conferencing apps. RTCWeb applications come with an easy-to-use, fully documented API to enable enterprise-grade conferencing.