H.323, SIP, XMPP are the most popular and widely known signaling protocols for VoIP and video conferencing. They all can be encrypted and made private per their specification, but none of them mandate encryption. They don’t mandate encryption for the signaling itself and certainly not for the media. This leaves the encryption decisions the people deploying them.
WebRTC is different in that regard. Encryption is built-in.
There are three things that make WebRTC such a great solution for the security conscious, and I’d like to point them here.
1. Usability and low friction
In some applications, activating encryption requires admins and hosts to specify certain settings. This adds unnecessary steps to account configuration and meeting scheduling.
By adopting a WebRTC-based service, attendees are no longer forced to download and install a third party application, admins are not forced to activate encryption at an account level and hosts don’t need to choose whether to have encryption active or not for their meetings.
WebRTC offers a low friction solution that addresses each of these scenarios without compromising security. How does this work? WebRTC is part of the HTML5 specification and is already part of modern browsers, such as Chrome and Microsoft Edge.
2. Open standard
Open standards are available for scrutiny and testing. The end result is a standard that is continuously analyzed and improved, with information made available to the public when issues are discovered.
WebRTC takes the open security approach by being a standard specification that makes use of other, previously popular and widely used open standard specifications such as TLS, DTLS and SRTP.
3. Secure by design
With WebRTC, security isn’t optional. It is there intentionally and purposefully.
Browsers are one of the most popular applications we run on our endpoints today. They undergo a great deal of scrutiny in the public domain, as do the open standards that they make use of.
To that end, WebRTC makes use of multiple security and privacy mechanisms. These include:
- Encrypting all traffic sent and received using WebRTC
- Forcing the application to host its web application over HTTPS
- Not exposing the encryption key to the Java Script layer of the application
- Requiring user consent to access their microphone, camera and screen
There is a lot more to WebRTC security if you are interested to dig deeper.
WebRTC goes a long way in securing the communications that make use of the protocol.
Where do we go from here?
The benefits of open standards are clear. That said, there’s more to security than just picking the right standard. When a vendor opts for WebRTC it doesn’t mean they can forget about security concerns. Vendors still need to work hard to maintain the security provided by WebRTC out of the box and provide a secure service for their users.
RingCentral Video is a communications service built on top of WebRTC, offering its users low friction while using open standards that are secure by design.
Originally published May 14, 2020, updated Oct 19, 2020