I am in the process of adding WebRTC capabilities to my PassLok privacy app. In its current incarnation, PassLok's public key functions are used to generate an encrypted "chat invite" that only the intended recipients would be able to decrypt. Once decrypted, the invite contains the URL of a simple WebRTC webpage (based on Muaz Khan's demos on GitHub), including a 256-bit token generated by a cryptographically secure RNG. Users then start or join a WebRTC session, with signaling facilitated by Firebase and XirSys, with no further involvement of PassLok other than providing an iframe for the WebRTC to run.

But I have some doubts about the security of this scheme:

1. In order to find each other, participants contact Firebase.io so their external IP numbers can be relayed back to them. There is also a connection via XirSys with pretty much the same goal. I don't understand WebRTC (or Muaz Khan's implementation of it) well enough to understand precisely what is sent back and forth, but it seems that the connection with these servers is only needed in order to get around firewalls, and after the connection is established they are out of the loop. Still, it bothers me that any kind of servers must be involved to initiate each connection, since they might leak some information about the clients that might enable malicious listeners to obtain credentials that would enable them to establish unwanted connections.

2. Once a connection starts, it seems that the browser (Firefox, Chrome, Opera) deals with it very much as if a TLS connection had been established with a server, except that it is between clients. I wonder if this kind of connection can be trusted to be secure enough, though.

3. A third worry is about the scheme I'm using to ensure that the chatroom is indeed private, which is to add a random token to the chat URL itself. That URL is never displayed in my program, but I am wondering if it needs to be relayed to the signaling server in order to establish a WebRTC connection, in which case it might be compromised.

Any help will be appreciated. Thanks!

--
Francisco Ruiz
Associate Professor
MMAE department
Illinois Institute of Technology

PL20ezLok=1y2z7_6qg8r_wqv3n_7886/_tj4i1_11i3w_x92wj_2p6e1_co32z_uxz0t_qLrqh_fgz++_2km/d_k6bg/_2t3q9_75xjj_w581g_bfpzx_bjxde_jnd0j=PL20ezLok

https://www.youtube.com/watch?v=YnPCfP7uPpw
get the PassLok privacy app at: https://passlok.com

-- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
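
Concerns 1 and 3 in the message above turn on what the signaling server gets to see. The following is an added example, not part of the original message and not PassLok's or Muaz Khan's code: it assumes the client derives a room identifier and a separate authentication key from the 256-bit invite token with HKDF, so the server only sees the derived room id, and the peers use the key to MAC the DTLS fingerprint in each SDP so a signaling server that swaps it is detected. All function names, labels and sample values are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// Split the 256-bit invite token into independent values with HKDF-SHA256.
// Labels and function names are hypothetical, chosen for this example.
function deriveFromToken(tokenHex) {
  const token = Buffer.from(tokenHex, 'hex');
  if (token.length !== 32) throw new Error('expected a 256-bit token');
  const expand = (label) =>
    Buffer.from(nodeCrypto.hkdfSync('sha256', token, Buffer.alloc(0), label, 32));
  return {
    roomId: expand('invite/room-id').toString('hex'), // safe to show the signaling server
    authKey: expand('invite/sdp-auth'),               // stays on the clients
  };
}

// Pull the DTLS certificate fingerprint out of an SDP blob. The browser checks
// the peer's DTLS certificate against this line, so it is the value to protect.
function dtlsFingerprint(sdp) {
  const m = /^a=fingerprint:(\S+) ([0-9A-Fa-f:]+)\s*$/m.exec(sdp);
  if (!m) throw new Error('SDP has no a=fingerprint line');
  return `${m[1].toLowerCase()} ${m[2].toUpperCase()}`;
}

// HMAC over role + fingerprint; the role stops an offer tag being replayed as an answer tag.
function tagSdp(authKey, role, sdp) {
  return nodeCrypto.createHmac('sha256', authKey)
    .update(`${role}\n${dtlsFingerprint(sdp)}`).digest('hex');
}

// Constant-time check of a tag received alongside the peer's SDP.
function verifySdp(authKey, role, sdp, tagHex) {
  let expected;
  try { expected = Buffer.from(tagSdp(authKey, role, sdp), 'hex'); } catch { return false; }
  const got = Buffer.from(String(tagHex), 'hex');
  return got.length === expected.length && nodeCrypto.timingSafeEqual(got, expected);
}

// Constructed sample input: a token and a minimal SDP offer.
const SAMPLE_TOKEN = 'ab'.repeat(32);
const SAMPLE_OFFER = ['v=0', 'o=- 1 2 IN IP4 127.0.0.1', 's=-', 't=0 0',
  'a=fingerprint:sha-256 ' + Array(32).fill('1A').join(':')].join('\r\n');

const { roomId, authKey } = deriveFromToken(SAMPLE_TOKEN);
const offerTag = tagSdp(authKey, 'offer', SAMPLE_OFFER);
console.log('room id sent to signaling server:', roomId);
console.log('offer verifies:', verifySdp(authKey, 'offer', SAMPLE_OFFER, offerTag));
```

The tag travels through the signaling channel next to the SDP; a peer that receives an SDP whose tag does not verify drops the session before media or data flows.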
