WebRTC security concerns shouldn't deter enterprises

Native media encryption and regular Web browser updates mitigate WebRTC security threats. Authorization and fraud-prevention mechanisms can help, too.

Somehow, enterprises believe WebRTC is less secure than legacy video conferencing technologies. That belief couldn't be further from the truth.

WebRTC is a modern media engine, designed to fit the needs of our current day and age. As such, it takes security seriously -- much more so than many of its predecessors. This seriousness is at the heart of two important characteristics of WebRTC security:

  1. Encryption: WebRTC always encrypts its media. There is no option of sending media in the clear. As opposed to other protocols, where encryption and security are optional, WebRTC assumes security and privacy are a top priority and mandates them.
  2. Handling breaches: WebRTC is an integral part of the Web browser. As such, it adheres to the current six- to eight-week cycle of upgrades that most browsers today undergo. This makes known threats and attack vectors on the WebRTC implementation itself short-lived.

Compare these security features to the current world of video conferencing, where encryption is not mandated and often disabled in deployments, and a security threat could take months to patch at an enterprise's on-premises deployment. WebRTC's approach to encryption and reliance on the browser as a delivery mechanism make for a powerful security proposition.

But in recent years, many WebRTC security concerns have been raised. For instance: a malicious Web page could access a computer's microphone and camera and spy on the user; a man-in-the-middle attack could tap into your calls; local IP addresses could leak; screensharing capabilities could be used to spy on you; and traditional VoIP attacks and fraud scams could be carried out.

While none of these should be taken lightly, most of these issues fall into one of two categories:

  1. A naive implementation on top of WebRTC has weak security measures.
  2. The attack relies on user behavior and exists without resorting to WebRTC, so no new weakness is actually added.

Should you bar WebRTC in your organization?

One mitigation strategy for WebRTC security threats would be to deny WebRTC communication altogether. This can be achieved by configuring browsers to disable support for WebRTC, or by blocking it at the corporate firewall.

There are several problems with such an approach. Barring WebRTC from operating may actually interfere with business meetings conducted by employees. As unified communications vendors shift toward introducing WebRTC-based services, there is a higher potential of such meetings needing to occur across companies. Some of the recent announcements include Skype for Web, Polycom's RealPresence platform, Citrix GoToMeeting, LogMeIn's join.me, Lifesize Cloud, Cisco Spark and Unify's Circuit -- all of which support WebRTC.

Additionally, with the BYOD trend along with Wi-Fi access, employees can still use WebRTC-based services for their work needs, making the whole idea of achieving security by barring services moot.

Lastly, many of the threats that are associated with WebRTC exist with browser plug-ins and downloadable apps that employees use to communicate with peers in other enterprises. Oftentimes, use of these services is allowed, or even ignored by IT, which makes you question the actual level of perceived threat anyway.

A better approach would be to accept the need and the threats that WebRTC poses and accommodate and address them with policies and workforce education.

So, should you adopt WebRTC for your corporate communications? Definitely.

WebRTC brings with it flexibility and agility in ways that are impossible to achieve with any other technology today. WebRTC can reduce an enterprise's communications costs, as well as improve its workforce efficiency.

It is important to remember that WebRTC is just one piece of the technology stack of a communications service. Without properly architecting the security of the service, the security that WebRTC offers will be useless.

If you plan on adopting a WebRTC-based service, make sure the vendor you select has taken the necessary security measures in developing it. In particular, ensure the service includes: encrypted signaling over HTTPS connections rather than HTTP; authorization mechanisms and user identity, so that access is granted only to permitted users and according to predefined policies; and fraud and distributed denial-of-service prevention mechanisms to protect your communications infrastructure from malicious attackers.

This was last published in July 2015

What are your WebRTC security concerns?
You may be of the opinion that total ban of WebRTC may not be the correct solution. But routinely enterprises ban UDP traffic and route approved VoIP traffic through the corporate TURN server. In an earlier exchange you had dismissed this point with the same points you mention here. But it is interesting that the standards group is finally recognizing this concern and are exploring ReTURN. This will also address fiduciary and statutory requirements to record external communications, especially for legal and financial market segments.

Aswath,

I understand your concerns, but I think most enterprises simply neglect the fact that their employees continue using the services they try to ban - they do it from their handsets using cellular network or from home instead of the local enterprise network.

There is also the nagging issue of conducting these business calls in collaboration tools not provided by your company. You will use WebEx if that's what a customer wants to use instead of your company's tool of choice.

Banning can't be the answer.

As for ReTURN - I'd say it is now being addressed simply because there was too much on the plate of WebRTC standardization to get all the basics going and opening the technology up enough. Now it is time to expand to areas where there are still issues.

That said, an enterprise can decide to deploy WebRTC on-premise if it so wishes, and by that, all concerns raised above become irrelevant, as the solution is on par with (or even better than) any legacy/existing on premise communication technology available.

I have found that rather than "banning" a specific service via policy or telling people what they can or cannot do, it's best to use technology to block/prevent it in the first place.

I think organizations/people who spend time worrying about security concerns associated with technologies such as WebRTC might be better served fixing their existing security problems for now.
Totally agree with you Tsahi. But for example if you used Matrix.org for WebRTC needs (and you easily could because it's fully interoperable) you wouldn't have these security concerns because it's fully secure with the new end to end encryption update.