DevStack, Voice
You control the display of the document; formatting words as bold or italic, adding images, and creating lists are just a few of the things we can do with Markdown. Mostly, Markdown is just regular text with a few non-alphabetic characters thrown in, like # or. You can use Markdown most places around GitHub: Gists; Comments in Issues and Pull Requests; Files with the.md or.markdown extension. Github issue markdown.
If you’re new to developing in WebRTC, you may have discovered that it can be a bit frustrating from time to time to figure out where your issue is. With the media flowing all around, you might not know exactly where you’ve hit a snag. In this blog post we’re going to cover a couple tools that will help you to more quickly diagnose the problem and get yourself back on track.
May 22, 2020 WebRTC stands for “Web Real-Time Communication”. This basically allows for voice, video chat, and P2P sharing within the browser (real-time communication) without adding extra browser extensions. What is a WebRTC leak? A WebRTC leak is when your external (public) IP address is exposed via your browser’s WebRTC functionality. Support for WebRTC was introduced to Microsoft Edge for Windows 10 in build 15019, which was released in January 2017. In that particular build WebRTC was enabled by default. Up to that point Microsoft Edge supported ORTC starting from EdgeHTML 13 for Windows 10 build 15011.
Now if you have a great JavaScript SDK then you don’t have to worry about much of this. With our WebRTC platform you can utilize our SDK and with a few lines of JavaScript you’ll be up and running. But sometimes you want to look under the covers or blaze your own trail—in those cases, you need the right tools at your disposal.
Edge://webrtc-logs: Lists of recently captured WebRTC text and event logs. For Debug The following pages are for debugging purposes only for simulating web page. While the WebRTC issue is often discussed with VPN services, this is, in fact, a vulnerability with web browsers. WebRTC leaks can affect these browsers: Chrome, Firefox, Safari, Opera, Brave, and Chromium-based browsers. So what is WebRTC? WebRTC stands for “Web Real-Time Communication”.
One of the things that you want to be able to keep an eye on is if media is flowing in both directions. You can shout “test, test, TEST” all day long, but if you didn’t add Participants into the session, the media will never show up—so let’s dive into the right way to resolve this issue.
WebRTC Internals
Modern browsers are extremely helpful here. We’ll specifically be looking at Chrome, but Firefox has tools here as well. WebRTC Internals is a tool within the guts of Chrome that shows us all the details of your WebRTC connections. Let’s start by opening it up! Head on over to chrome://webrtc-internals/ and let’s see what we get.
Oh, hmm, not that interesting. Well, that’s probably because nothing is using WebRTC in this browser. So after opening up one of my sample apps, we’re able to see some information in this viewer. Below we see that there has been a media request (getUserMedia()), but no RTCPeerConnections yet. Once we create an RTCPeerConnection, in this case by calling the connect() function in our JavaScript SDK, we’ll see this viewer really kick to life. One thing to note here is that WebRTC Internals should be open before you kick things off, they won’t catch things that have already happened or are already running.
Now there is an RTCPeerConnection to localhost, having clicked on that we see a number of interesting options. We’ll leave exploration of all of those fields to another blog, for now, let’s focus on the RTCOutboundRTPAudioStream_* area. When we expand that, we see that we have media flowing outbound, as you’ll see near the end of the clip below.
We’ll also note that the Stats graphs for RTCInboundRTPAudioStream_* shows nothing (though we’ll see more on why in a moment), but the lack of any Inbound data packets tells us we have one-way media flowing.
Once we initiate the other leg, in this case by creating an outbound PSTN phone call and transferring it into our WebRTC session, we will see that an additional RTCPeerConnection shows up—this is easier to see in the final video below. This RTC Peer has a section “Stats graphs for RTCInboundRTPAudioStream_*” where we see some real action!
You’ll note that we’ll never actually see inbound media show up in the original WebRTC section, it is only for the outbound stream. If you scroll through these sections you’ll see quite a few different metrics on packet loss, jitter, buffer usage, etc—these can be helpful in debugging quality issues, should you have those crop up. But for now, we’ve used this to help us determine that media is flowing. Here we can see the whole chain of events unfold from the perspective of WebRTC Internals. This blog just scratched the surface of WebRTC Internals. If you want to learn more, the great folks at testRTC have a few articles that help you to dig deeper.
WebSocket traffic in the inspector
WebSockets are often used for signaling to help establish the WebRTC session before you can send or receive media. If you aren’t getting media, then you may need to investigate that initial negotiation. This is where the websocket inspector can come in handy.
Once you’ve gone far enough with your SDK to initiate that connection you can leverage the built-in inspector to see the conversation taking place. Again we’ll look at Chrome to see how this plays out.
Most web developers will be familiar with this screen, but if you haven’t used it before, you’ll just need to go to View>Developer>Inspect Web Elements. We’ll be visiting the Network tab within the inspector interface. As for webrtc-internals, this should be open before you initiate the requests otherwise they won’t show here.Once we kick off the Javascript call that establishes the websocket and starts the negotiations, in this case connect(), we’ll be able to look at what is passed back and forth. In this video, you can see that by clicking on the entry ?token=… the websocket conversation is revealed. And by clicking on any of the individual messages, we can see all the content that is passed back and forth.
It’s good to look for error messages, like for example if you didn’t grant the proper permissions. You can check that your auth information has been sent properly as well. And lastly we have the SDP negotiation line items—which can be helpful if you set any constraints.
Now that you know it’s here, you can dig in and have a better understanding of how your session is getting established.
Learn more
Want to learn more about Bandwidth's WebRTC solution? Visit our WebTRC page or get in touch with a member of our team to learn more.
November 5, 2020The good news is that WebRTC is very secure. The bad news is that no system is without flaws and WebRTC security is complicated. In this post, I will discuss how WebRTC approaches security, identify some known weak areas, and discuss how WebRTC is continuing to improve its security.
Multiple Security Approaches
WebRTC is a complex, layered protocol that exists in a complex layered ecosystem of application code, browsers, native devices, and infrastructure elements. WebRTC approaches security from several different angles. First, it is secured at the protocol level. Second, using the browser as a reference, it requires a protected and private execution environment. Third, it follows best security practices by engaging its community of developers.
Protocol Layer — Mandatory Encryption Specifications
Mandatory Media Encryption
Unlike other VoIP and video conferencing technologies, encryption is mandated in WebRTC. To send video, voice, or data between two peers in WebRTC, the information must be encrypted with Secure Real Time Protocol (SRTP). SRTP encrypts the session, so no one can decode the message without the proper encryption keys. In fact, the unencrypted version of RTP is explicitly forbidden by the IETF specifications that define WebRTC.
Mandatory Secure Encryption Key Exchange
In addition, the WebRTC specifications mandate secure setup of the encryption channel to make it difficult to obtain the encryption keys. Locking your house doesn’t do much good if it is easy to find the key under your doormat. Many key exchange mechanisms such as SDES, MIKEY, and ZRTP may be used to set up this encrypted channel. Systems like SDES and MIKEY leverage the signaling channel to transmit this key data. This means if the signaling channel is compromised, the data could be unencrypted by a third party. To prevent this possibility, the WebRTC specifications mandate the use of DTLS-SRTP where keys are exchanged directly between peers on the media plane. Despite the fact that SDES is still widely used in many VoIP systems, it is specifically barred from use in WebRTC because it is not secure enough.
Secure Signaling
Lastly, WebRTC requires a secure connection between the web server that handles signaling and the peer client. This helps to keep the information in that signaling channel secure and makes it more difficult for an attacker to act as a man-in-the-middle and quietly take over the session. Signaling is secured using the HTTPS protocol — the same one most websites now use.
WebRTC security points in a peer-to-peer architecture providing end-to-end encryption
In live streaming environments, the server acts as both a signaling server and WebRTC media peer, but the same secure interfaces are used.
WebRTC security points in a live streaming architecture like Wowza Streaming Engine
WebRTC Is Secured by the Browser
WebRTC is further secured by operating in a browser sandbox. Web browsers are the most commonly used applications and have developed sophisticated security and privacy features. These features help to isolate web applications, keep sensitive user information like credit cards secure, and project hijacking of the browser to launch attacks.
Browser Security and Privacy Protections
Browser vendors are subject to strict security standards as defined by the W3C and underlying Internet specifications, like those for the WebRTC protocol. This is one top of security mechanisms at the Operating System level like limiting which applications can use the camera. Competition among major browsers like Chrome, Firefox, Edge, and Safari among others has also made them very sensitive to their users security and privacy needs in general, and particularly for WebRTC. Specific examples of WebRTC security and privacy controls include:
- HTTPS: Use of HTTPS is required to access WebRTC features (with some small exceptions for development)
- Media access permissions: Users must explicitly grant permissions to individual sites before accessing camera, microphone, or screen sharing video
- Visual usage indicators: Prominent indicators must show when your camera, microphone, and screen sharing is being used.
- Anonymizing device information: Device information remains hidden until the user has given some permissions for the site.
- IP leakage protections: Limitations and options on sharing IP address information help avoid privacy and tracking issues.
Webrtc Edge Plugin
Implementation of these features does vary, but most are similar across major browsers.
Mobile OSs Have Similar Controls
Many native mobile applications also incorporate an embedded browser framework to utilize some or all of these features. Even if not using an embedded browser, major mobile operating systems like Android and iOS implement similar controls and have additional security and privacy checks through their app store submission procedures.
WebRTC Is Secured by the Community
There are 2 main philosophies to security:
- Security by obscurity: Keep the mechanisms of your system secret to make it harder to discover and compromise.
- Security by design: Make the mechanisms of your system open, invite others to try to break in, and improve the design through feedback.
Security researchers and organizations generally do not condone the first philosophy. For example, the National Institute of Standards and Technology (NIST)says “System security should not depend on the secrecy of the implementation or its components.” It is well known that secrecy never lasts forever, especially in the face of motivated adversaries.
WebRTC subscribes to security by design philosophy. Communications across browsers and devices over the Internet requires open standards, so WebRTC has little choice at the protocol level. However, for security by design to work, it needs to have broad scrutiny. The browsers that run WebRTC are all open source (e.g., WebKit for Safari, Chromium for Chrome & Edge, Gecko for Firefox, etc.) and thoroughly tested. The core WebRTC project is also open source and accompanied by dozens of different implementations actively supported by thousands of developers who are constantly reviewing and improving WebRTC in all aspects, including security.
Security Depends on the Service
WebRTC mandates encryption at the protocol level. It is subject to rigorous privacy and security controls when run inside a browser environment, but what about services that don’t use the browser? While WebRTC is primarily designed for browser-to-browser communication, many different infrastructure devices are commonly used in WebRTC services.
The table below summarizes common types of WebRTC server infrastructure and high-level security implications:
Inherent Internet Security Issues
Signaling services are essentially web application servers and need to be secured like any application. Users should be weary of who they are connecting too. Fortunately, browser and app store safeguards minimize bad providers – but bad users are another problem. “Zoom bombing” is an example where someone obtains video conferencing meeting information to join and disrupt the meeting. WebRTC service providers can prevent this by giving their users authentication mechanisms that restrict entry to authorized users and leverage moderation controls to remove and block bad actors quickly. For example, Wowza has APIs that control WebRTC stream access and duration.
Media Server Risks
While other servers like STUN and TURN are sometimes needed, these never gain access to unencrypted media, and thus don’t present much of a risk. Other servers, particularly media servers like Selective Forwarding Units (SFUs) that enable multi-party video conference calls or live streaming servers, introduce more difficult risks. These servers decrypt the media before restransmitting it with new encryption keys. Oftentimes this decryption cannot be avoided. If the media server needs to manipulate the media then it must perform decryption to access that media. For example, in live streaming networks, the media server needs to decrypt the media to resize, recompose, and convert the format for use by a Content Delivery Network (CDN).
If these servers are compromised, then the user media streams could be at risk. It is important that media server operators follow best security practices when deploying their infrastructure and managing people to prevent unauthorized access. Much like browsers do for end users, these servers should avoid unintentional caching of sensitive unencrypted data. Sensitive information should never be at rest where an attacker could access it. The servers should also isolate the media streams internally from from other processes that could nefariously access it.
The level of security will also need to vary based on the application. For example, recordings may be needed for archiving and intentional redistribution. In that case the stream will certainly need to be saved to disk and made available, but that should be done in a controller, secure manner.
Is WebRTC Secure Enough?
No software system is perfectly secure, and WebRTC is no exception. For example, a Google Project Zero security researcher recently published a major exploit that worked on 7 out 14 of the most popular Android WebRTC applications. One one hand, it is very bad that such a serious issue could have made its way into applications used on billions of devices. On the other hand, the fact that there is deep security vulnerability research done in the public domain and that all but one of these applications rapidly fixed their issues is encouraging.
Like most software, there are a few general rules WebRTC developers can follow to minimize their attack surface for vulnerabilities:
- Keep core WebRTC libraries up to date. Old code generally has more vulnerabilities.
- Pay attention to bugs and security notices. Major WebRTC projects and browsers are generally very proactive in their notifications (if you know where to look).
- Turn off pieces of code you don’t use. WebRTC is a large and comprehensive system that many apps only need a part off; minimize the attack surface.
- Test and conduct RTC-specific security research. If you don’t find your issues, someone else will eventually.
- Secure your infrastructure – WebRTC may be secure, but if your web or media servers are insecure it could compromise the system. For example, features like Wowza’s publication authentication features to limit the attack opportunity for stream hijacking.
WebRTC is used every day by billions of people. Its security is certainly not perfect, but it provides the most secure approach by mandating security at a low level, working with an established security sandbox in many cases (the browser), and encouraging review by a large and very active community.
Additional Resources:
Webrtc Edge Support
About Chad Hart