How secure is WebRTC for video conferencing?

Communication, especially via video, requires a high level of trust in this day and age. It no longer matters whether the conversations are private or business, especially as more and more problems are reported in the media. But how secure is WebRTC as a technology? Can you really trust it?

When you look at trade magazines, watch the news or talk to experts, you quickly get the impression that it is better not to trust technology and advertising promises. However, videoconferencing is becoming an increasingly important part of the business world and is of crucial importance for companies in particular. This is not only to save unnecessary travel or for the sake of the environment, but also because the Corona crisis has shown how important communication with other people is. It is a basic need and it is impossible to imagine our world without it.

When it comes to communication, the technology used is critical to the security of the entire system. Most manufacturers have their own procedures and technologies for this, in which they not only invest a lot of money but which they alone watch over. Given today’s ever-increasing demands for compatibility, security and trust, this approach is counterproductive and increasingly no longer an option for companies using these technologies. The flip side, however, is that more and more people are following this call, and WebRTC has established itself as the standard as a consequence.

What is WebRTC anyway?

WebRTC (Web Real-Time Communication) is an open standard that is used by large companies such as Google, Mozilla and Microsoft and is part of every modern browser. It allows browsers such as Chrome or Firefox to communicate and exchange data directly and in real time with other participants, without the need for a “middleman”. The software vendor that provides the client basically just controls the browser, so there is no need for custom software or plug-ins to be installed. In addition, the standard and the code are publicly viewable and can be reviewed and tracked by all.

No more plugins

One of the main advantages is that WebRTC sessions do not require any plug-ins before starting a video conference and are therefore immediately ready for use. This also prevents malicious code from getting onto the computer and reduces the amount of administration required, and there is no need to trust a program from the software manufacturer, because no such program is installed. Without WebRTC, a program (usually a plugin) must be installed on the computer. This increases the risk from malicious software, buggy code and the introduction of potential vulnerabilities, even with reputable vendors. With WebRTC as a basic technology this risk has been eliminated, which is one of the key principles of web technologies.

Fast security updates

The major providers take the issue of security very seriously and react extremely quickly to security problems or emerging ways to undermine security. With WebRTC, you automatically benefit from this by updating your browser, and you are a bit less dependent on the software provider, especially if the latter reacts only slowly or not at all to current problems. The major providers achieve this not only through their vast resources, but also through bug bounty programs, an open community, and the participation of many people. Thus, users of these systems can be sure that the problems will be fixed expediently and automatically. Closed or less widespread systems cannot economically guarantee this to the same extent.

Automatic software updates

Standards continue to evolve and browsers provide automatic updates. This way, not only can potential security threats be fixed, but you can also benefit from new features and gain further independence from the software vendor. It is inherently unreliable to rely on employees to regularly update their programs and keep up with everything. While some are diligent, others ignore, delay or forget updates, which can put the business at risk. WebRTC benefits from this in that it is less dependent on updates than normal systems.

Access to media

Everyone has heard at least once of webcams being “hijacked” and used to record, listen to and spy on private conversations without a call being answered.

However, the WebRTC specifications and the browser vendors’ implementations take active steps to ensure that issues like the recent FaceTime one do not occur. This is achieved, among other things, through a multi-level principle in which arbitrary access to the camera or microphone is not possible without the user’s consent. While the vendor’s WebRTC software may ask for one-time or permanent access, it cannot get access without this explicit permission. This consent is tied not to the software but to the browser, and it is displayed very clearly. Before consent is given, no access can take place and no media data is transferred either. In addition, when a device is in use, WebRTC requires the browser user interface to indicate clearly that a microphone or camera is being used, so you can be sure there is no risk of possible eavesdropping.

Encryption

Encryption is an essential part of WebRTC and is enforced in all aspects of the connection. It thus makes it virtually impossible for anyone to gain access to the content, as all media streams are already securely encrypted in the browser through standard and proven encryption protocols. The best practice for this is to use PFS (Perfect Forward Secrecy) ciphers in a DTLS (Datagram Transport Layer Security) handshake to securely exchange key data (this is the method Frozen Mountain uses). For audio and video, key data can then be used to generate AES (Advanced Encryption Standard) keys, which in turn are used by SRTP (Secure Real-Time Transport Protocol) to encrypt and decrypt the media. This acronym-rich stack of technologies results in extremely secure connections that are impossible to break with current technology. Both WebRTC and ORTC mandate this particular stack, which is backward compatible and interoperable with VoIP systems.
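As an added example (not from the original article or from any vendor's code), the following JavaScript checks a session description (SDP), the text two WebRTC endpoints exchange during signaling, for the DTLS-SRTP stack described above. The function names, the accepted-hash policy and the sample SDP are assumptions made for illustration.

```javascript
// Fingerprint hashes accepted here; anything else (sha-1, md5) is flagged. Policy is an assumption.
const STRONG_HASHES = new Set(['sha-256', 'sha-384', 'sha-512']);

// Split SDP text into session-level lines and one object per m= section.
function parseSdp(sdp) {
  const session = { lines: [] };
  const media = [];
  let current = session;
  for (const line of sdp.split(/\r?\n/).map((l) => l.trim()).filter(Boolean)) {
    if (!line.startsWith('m=')) { current.lines.push(line); continue; }
    const [kind, , proto] = line.slice(2).split(' ');
    current = { kind, proto, lines: [] };
    media.push(current);
  }
  return { session, media };
}

// Return findings; an empty array means every m= section is keyed through DTLS.
function auditSdp(sdp) {
  const { session, media } = parseSdp(sdp);
  const attr = (sec, name) => sec.lines.filter((l) => l.startsWith(`a=${name}:`));
  const findings = [];
  media.forEach((m, i) => {
    const tag = `m[${i}] ${m.kind}`;
    // Media should use .../TLS/RTP/SAVPF (or SAVP); data channels use .../DTLS/SCTP.
    if (!/(^|\/)(TLS\/RTP\/SAVPF?|DTLS\/SCTP)$/.test(m.proto)) {
      findings.push(`${tag}: transport ${m.proto} is not DTLS-protected`);
    }
    // a=crypto (SDES) would carry the SRTP key inside the signaling itself.
    if (attr(m, 'crypto').length > 0) findings.push(`${tag}: SDES a=crypto key present`);
    // The certificate fingerprint may be media-level or inherited from session level.
    const fps = [...attr(m, 'fingerprint'), ...attr(session, 'fingerprint')];
    if (fps.length === 0) findings.push(`${tag}: no a=fingerprint for the DTLS certificate`);
    for (const fp of fps) {
      const hash = fp.slice('a=fingerprint:'.length).split(' ')[0].toLowerCase();
      if (!STRONG_HASHES.has(hash)) findings.push(`${tag}: weak fingerprint hash ${hash}`);
    }
  });
  return findings;
}

// Constructed sample SDP (placeholder fingerprints and key, not real captures).
const GOOD_SDP = 'v=0\r\na=fingerprint:sha-256 AA:BB (placeholder)\r\n' +
  'm=audio 9 UDP/TLS/RTP/SAVPF 111\r\nm=application 9 UDP/DTLS/SCTP webrtc-datachannel';
const LEGACY_SDP = 'v=0\r\nm=audio 49170 RTP/SAVP 0\r\n' +
  'a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER\r\n' +
  'm=video 49172 UDP/TLS/RTP/SAVPF 96\r\na=fingerprint:sha-1 AA:BB (placeholder)';
```

In a browser the same check can be applied to the `sdp` string of `RTCPeerConnection.localDescription` or `remoteDescription`; a gateway that bridges to VoIP systems is where descriptions like the second sample tend to appear.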

HTTPS as a basic requirement

WebRTC is one of the few technologies that require access and data exchange to take place over an HTTPS (Hypertext Transfer Protocol Secure) connection. For the user, this means that a connection can only be established if the server from which the communication is initiated is itself secure, which forces the software manufacturer to use secure procedures.

Conclusion

WebRTC’s independence puts it in a much stronger position when it comes to secure communications and protecting the user from unauthorized device access. It forces browser manufacturers to implement this and pass the constraint on to software vendors. This not only strengthens security significantly compared with proprietary technologies, but also means that you no longer have to trust the manufacturer as much, since their applications can only run if they comply with the minimum standards. Relative independence from updates is also one of the key strengths: it not only supports software vendors, but also forces them to comply with current standards and implement the required security requirements time and again. If software manufacturers do not adhere to these specifications, the chain will prevent the program from starting in the first place and the user will be optimally protected.

As a preview of the next few years, we can still expect a lot from the WebRTC standard, as not all features have been implemented yet and security is constantly improving with each release. The potential is at least there and is already a significant advantage.