Hi Lucas, I tried to set up a secure WebRTC server about one month ago using Kamailio with the Mediaproxy-ng to bridge text, audio, and video with appropriate ciphers which provided random public keys per session. The main security problem I found was with WebRTC's reliance on PKI to secure the media stream and SIP signaling. The second problem is WebRTC clients do not authenticate users (all authentication responsibility was delegated to my server) I think the fix for both of these problems would be to add ZRTP support to Chrome and/or Firefox and secure the media stream without PKI. A https://github.com/wernerd/ZRTPCPP
and can intercept audio from the WebRTC client (chrome or firefox) and the SIP Server. On 01/21/2014 08:01 PM, Lucas Dixon wrote: > On Sun, Jan 19, 2014 at 7:23 AM, carlo von lynX > <[email protected] <mailto:[email protected]>> wrote: > > > > The highest level of "this feature" would be if this "Mock JS" > could have > > full WebRTC functionality ;) > > Dunno, WebRTC is so prone to MITM. > I'd rather have something secure. > > > What kind of MITM attack are you thinking of? WebRTC doesn't specify a > key authentication protocol, so not sure WebRTC is anything specific > enough to say it not secure. WebRTC is compatible with ZRTP > key-authentication which builds in a video-based auth scheme and > should stop MITM attacks (last time I checked). You could also use > some other form of key-auth with WebRTC, e.g. swap key-hashes in person. > > -- > Lucas Dixon | Google Ideas > > -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
