Somehow, enterprises believe WebRTC is less secure than legacy video conferencing technologies. That belief couldn't be further from the truth.
WebRTC is a modern media engine, designed to fit the needs of our current day and age. As such, it takes security seriously -- much more so than many of its predecessors. This seriousness is at the heart of two important characteristics of WebRTC security:
- Encryption : WebRTC always encrypts its media. There is no option of sending media in the clear. As opposed to other protocols, where encryption and security are optional, WebRTC assumes security and privacy are a top priority and mandates them.
- Handling breaches: WebRTC is an integral part of the Web browser. As such, it adheres to the current six- to eight-week cycle of upgrades that most browsers today undergo. This makes known threats and attack vectors on the WebRTC implementation itself short-lived.
Compare these security features to the current world of video conferencing, where encryption is not mandated and often disabled in deployments, and a security threat could take months to patch at an enterprise's on-premises deployment. WebRTC's approach to encryption and reliance on the browser as a delivery mechanism make for a powerful security proposition.
But in recent years, many WebRTC security concerns have been raised. For instance: a malicious Web page could access a computer's microphone and camera and spy on the user; a man-in-the-middle attack could tap into your calls; local IP addresses could leak; screensharing capabilities could be used to spy on you; and traditional VoIP attacks and fraud scams could be carried over to WebRTC services.
While none of these should be taken lightly, most of these issues relate to one of two categories:
- A naive implementation on top of WebRTC has weak security measures.
- The attack relies on user behavior and exists without resorting to WebRTC, so no new weakness is actually added.
Should you bar WebRTC in your organization?
One mitigation strategy for WebRTC security threats would be to deny WebRTC communication altogether. This can be achieved by forcing browsers to disable WebRTC support, or by blocking it at the corporate firewall.
There are several problems with such an approach. Barring WebRTC from operating may actually interfere with business meetings conducted by employees. As unified communications vendors shift toward introducing WebRTC-based services, there is a higher potential of such meetings needing to occur across companies. Some of the recent announcements include Skype for Web, Polycom's RealPresence platform, Citrix GoToMeeting, LogMeIn's join.me, Lifesize Cloud, Cisco Spark and Unify's Circuit -- all of which support WebRTC.
Additionally, with the BYOD trend along with Wi-Fi access, employees can still use WebRTC-based services for their work needs, making the whole idea of achieving security by barring services moot.
Lastly, many of the threats that are associated with WebRTC also exist with the browser plug-ins and downloadable apps that employees use to communicate with peers in other enterprises. Oftentimes, use of these services is allowed, or simply ignored by IT, which calls into question how real the perceived threat is anyway.
A better approach would be to accept the need and the threats that WebRTC poses and accommodate and address them with policies and workforce education.
So, should you adopt WebRTC for your corporate communications? Definitely.
WebRTC brings with it flexibility and agility in ways that are impossible to achieve with any other technology today. WebRTC can reduce an enterprise's communications costs, as well as improve its workforce efficiency.
It is important to remember that WebRTC is just one piece of the technology stack of a communications service. Without properly architecting the security of the service, the security that WebRTC offers will be useless.
If you plan on adopting a WebRTC-based service, make sure the vendor you select has built the necessary security measures into it. At a minimum, ensure the following are included:
- Encrypted signaling, by using HTTPS connections (and secure WebSockets) rather than HTTP, so that session setup cannot be read or tampered with in transit.
- Authorization mechanisms and user identity, so that access is granted only to permitted users and only according to predefined policies.
- Fraud and distributed denial of service prevention mechanisms, to protect your communications infrastructure from malicious attackers.