WebRTC for the Security Conscious Enterprise
Guest Blog by Tsahi Levent-Levi, Author of BlogGeek.me
WebRTC is a rather new technology. It enables people to communicate directly from the browser with no download or installation needed – that includes both voice and video calls.
A client of mine was negotiating a deal with a large enterprise. They wanted to deploy a WebRTC based service. The challenge occurred when an IT specialist on the enterprise side stormed into the meeting, saying something along the lines of “I’ve heard WebRTC isn’t secure”. My client wasn’t prepared for this, and that part of the meeting turned into an issue that had to be answered for.
Since then, we’ve brainstormed ways to address this, making sure to work out the details of the signalling they use (securing that part is up to the developers using WebRTC). What we settled on is this list of reasons why WebRTC is a secure solution for enterprise deployments:
1. WebRTC is secure by design
WebRTC is the only VoIP standard that I know that by default encrypts all communications.
In all standards that came before it, security, meaning authentication and encryption, took second place. It was optional at best, and oftentimes disabled in production.
With WebRTC this just can’t happen, simply because all sessions start encrypted and stay that way for as long as your communication lasts.
This focus on privacy isn’t just a part of the specification, but also a process when it comes to WebRTC, which leads me to the next reason –
2. Security issues that get raised get solved
WebRTC is incorporated into browsers. Browsers are meant to be secure, as a lot of our daily office lives occur in front of them. To that end, all browsers have short release schedules spanning from several weeks to a few months, with security patches deployed in between if and when needed. Browsers also automatically update unless configured otherwise. New browser releases are picked up and adopted in a matter of days.
There are two areas that show this attention to security – the IP leak issue and fuzzing.
IP leak: For a few years now there have been complaints about WebRTC sharing local IP addresses in its negotiation, which is something all VoIP products do simply to get their sessions connected. With WebRTC this is somewhat tricky, as that information gets passed through the browser, giving the application and any loaded extensions access to it as part of the process. A solution currently being experimented with replaces local IP addresses with mDNS names. The process itself is far from perfect, but it is being addressed and taken care of at the specification and implementation level of WebRTC.
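Two of the claims above can be checked on an actual offer: that every session carries DTLS-SRTP parameters (reason 1), and whether host ICE candidates expose private addresses or the mDNS names discussed here. The following audit helper is an added example, not code from the post or from any browser; the SDP bodies and fingerprint values in it are constructed.

```javascript
// Added example (not from the post): audit a WebRTC SDP offer for mandatory
// DTLS-SRTP (a=fingerprint + a=setup) and for whether host ICE candidates
// expose private IPs or use mDNS names. Sample SDP bodies are constructed.

const PRIVATE_V4 = [/^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./, /^169\.254\./, /^127\./];

function classifyAddress(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith('.local')) return 'mdns';            // obfuscated host candidate
  if (PRIVATE_V4.some((re) => re.test(a))) return 'private-ipv4';
  if (a.includes(':')) {                              // IPv6 literal
    if (a === '::1' || a.startsWith('fe80:') || /^f[cd]/.test(a)) return 'private-ipv6';
    return 'public-ipv6';
  }
  return 'public-ipv4';
}

// a=candidate:<foundation> <component> <proto> <priority> <addr> <port> typ <type> ...
// Also accepts the bare "candidate:..." string that RTCPeerConnection.onicecandidate yields.
function parseCandidate(line) {
  const m = line.match(/^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/);
  if (!m) return null;
  return { address: m[5], port: Number(m[6]), type: m[7], kind: classifyAddress(m[5]) };
}

function auditSdp(sdp) {
  const lines = sdp.split(/\r?\n/);
  const candidates = lines.map(parseCandidate).filter(Boolean);
  const hosts = candidates.filter((c) => c.type === 'host');
  const fingerprints = lines.filter((l) => l.startsWith('a=fingerprint:'));
  return {
    // Both attributes are required for DTLS-SRTP; an offer without them is not a valid WebRTC offer.
    dtlsSrtp: fingerprints.length > 0 && lines.some((l) => l.startsWith('a=setup:')),
    fingerprintAlgorithms: fingerprints.map((l) => l.slice('a=fingerprint:'.length).split(' ')[0]),
    leaksPrivateIp: hosts.some((c) => c.kind.startsWith('private')),
    hostCandidatesUseMdns: hosts.length > 0 && hosts.every((c) => c.kind === 'mdns'),
    candidates,
  };
}

const HEADER = ['v=0', 'o=- 1 1 IN IP4 127.0.0.1', 's=-', 't=0 0', 'm=audio 9 UDP/TLS/RTP/SAVPF 111',
  'c=IN IP4 0.0.0.0', 'a=setup:actpass', // dummy fingerprint below, constructed for the example
  'a=fingerprint:sha-256 AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99'];
const MDNS_OFFER = [...HEADER,
  'a=candidate:1 1 udp 2122260223 0c1a2b3c-1111-4222-8333-444455556666.local 51234 typ host',
  'a=candidate:2 1 udp 1686052607 203.0.113.10 51234 typ srflx raddr 0.0.0.0 rport 0'].join('\r\n');
const LEAKY_OFFER = [...HEADER,
  'a=candidate:1 1 udp 2122260223 192.168.1.20 51234 typ host',
  'a=candidate:2 1 udp 1686052607 203.0.113.10 51234 typ srflx raddr 192.168.1.20 rport 51234'].join('\r\n');
```

In a browser, feed `auditSdp` the `sdp` of `pc.localDescription` after ICE gathering completes; a `leaksPrivateIp` of true on the mDNS-enabled browser you are evaluating means the obfuscation is not in effect.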
Fuzzing: Google has something called Project Zero, where they put developers to work on finding zero day vulnerabilities in different products. Their recent foray got them to publicise some iOS issues. For video conferencing, they went ahead and tried using a technique called fuzzing to crash and burn different apps. In the process, they found and filed several bugs against WebRTC (which were later fixed).
WebRTC is taking security issues seriously. Probably more so than most other vendors.
3. Proprietary solutions have their own unknown threats
When using proprietary solutions, you are at the mercy of the developers of that solution. More so than with open standards, where many of the threats are already known.
WebRTC opened up the ability to use browsers and reduce friction in communications, moving a lot of the security headaches from service vendors to browser vendors. Vendors who aren’t using WebRTC? Their solutions may be introducing some interesting security challenges.
Zoom, best known for the simplicity of its service and the fact that it just works, was recently found to have a serious security issue.
Proprietary solutions may be secure, but you have no way of controlling or knowing that besides relying on the vendor who is telling you that.
4. Everybody’s using WebRTC
Let’s start from Gartner’s UCaaS magic quadrant for 2019:
- Google Meet, Hangouts, Duo and Voice all use WebRTC
- Microsoft Teams uses WebRTC
- RingCentral uses WebRTC in their voice offering
- 8×8 use WebRTC. They acquired Jitsi from Atlassian, a popular open source video service. 8×8 Meetings is already using Jitsi (=WebRTC)
- Cisco use WebRTC in Webex
- Fuze makes use of WebRTC
- Dialpad uses WebRTC
- LogMeIn uses WebRTC
- ALE uses WebRTC
- Mitel, StarBlue and Windstream are the only unknowns to me about WebRTC use
Enterprises are quite comfortable with deploying WebRTC based services. This is true in all industries, including highly regulated ones such as finance and healthcare.
And even Zoom, who are going out of their way not to use WebRTC, are now using the data channel in WebRTC when you use Zoom in a browser.
Is WebRTC secure?
The next time a potential enterprise customer tells you that WebRTC isn’t secure, just print this out for him and tell him to read it. WebRTC is a solution that fits nicely into unified communications, contact centres and frankly – any system where users need to be communicated with via voice or video.
Tsahi has been working in the software communications space as an engineer, manager, marketer and CTO for the last two decades. In his various roles he meets and helps vendors with their communication projects, especially when these relate to WebRTC, CPaaS and AI. Tsahi Levent-Levi is also CEO & Co-founder at testRTC. Need to improve the stability of your service? Make it robust? Understand how it operates? testRTC can help you with that, be it scaling your testing to hundreds or thousands of concurrent browsers, collecting objective metrics from your manual testing, or monitoring the end-to-end health state of your service. Implementing testRTC does not require any integration or changes to your service or software.