Webrtc Security Checklist 2020: General

The document provides a checklist for securing a WebRTC product, with recommendations in three areas: general, backend, and desktop/mobile. It advises assuming security is the developer's responsibility alone. On the backend, it suggests using ephemeral passwords for TURN servers, carefully controlling open ports, and monitoring for suspicious activity. For desktop applications, it recommends implementing signaling only over secure protocols and treating client code as untrusted.

Uploaded by

Manish Agarwal

WebRTC Security Checklist 2020

While I am no security expert, I did pick out a thing or two talking to many vendors and
customers. Here’s a checklist that I use in the projects I am involved with when it comes to
taking care of the basics of securing a WebRTC product.

Besides what is listed here, you need to make sure to take care of general security
measures and best practices as well.

You can read more about WebRTC security here: https://bloggeek.me/is-webrtc-safe/

General
□ High Assume security is your problem to solve across your application and no one else

□ High Make sure your terms of service carefully explain the security properties of your voice/video service, and especially your ability to access media

□ Low If security is high on your priority list, follow discuss-webrtc and Chrome’s security-notify list for any new issues that crop up

□ Low Use fuzzing for your media servers, application servers and non-browser client-side applications (see here)

Backend
□ High Use ephemeral passwords for your TURN server

□ High Open ports on servers only to necessary communications. Focus on media servers first. Make sure you leave the relevant UDP ports open for SRTP communications

□ High Monitor use of the service. Check for discrepancies and suspicious activity

□ Medium Disallow direct connections for control and signaling messages from devices to media servers
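The ephemeral TURN password item above is usually implemented with the TURN REST API credential scheme (expiring username plus HMAC-SHA1 credential, the format coturn's use-auth-secret mode expects). This is an added example, not code from the checklist; the shared secret, user ids and hostname are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time

# Constructed placeholder. In a deployment this is the secret shared between the
# signaling backend and the TURN server (coturn: static-auth-secret); it is never
# sent to clients, which only ever receive short-lived derived credentials.
SHARED_SECRET = b"example-turn-secret-do-not-use"


def issue_turn_credential(user_id, secret=SHARED_SECRET, ttl=600, now=None):
    """Build a time-limited TURN credential: username is "<expiry>:<user>",
    credential is base64(HMAC-SHA1(secret, username)). ttl is in seconds."""
    now = int(time.time()) if now is None else int(now)
    username = f"{now + ttl}:{user_id}"
    mac = hmac.new(secret, username.encode(), hashlib.sha1).digest()
    return {"username": username, "credential": base64.b64encode(mac).decode(), "ttl": ttl}


def verify_turn_credential(username, credential, secret=SHARED_SECRET, now=None):
    """What the TURN server does on allocation: recompute the MAC and reject
    expired, malformed or forged credentials. Returns True only if valid."""
    now = int(time.time()) if now is None else int(now)
    expiry_str, _, user_id = username.partition(":")
    try:
        expiry = int(expiry_str)
    except ValueError:
        return False
    if not user_id or expiry <= now:  # expired credentials are useless to a leaker
        return False
    mac = hmac.new(secret, username.encode(), hashlib.sha1).digest()
    expected = base64.b64encode(mac).decode()
    return hmac.compare_digest(expected, credential)  # constant-time compare


def ice_servers_config(user_id, turn_host="turn.example.com"):
    """RTCPeerConnection iceServers entry handed to an authenticated client."""
    cred = issue_turn_credential(user_id)
    return [{
        "urls": [f"turn:{turn_host}:3478?transport=udp",
                 f"turns:{turn_host}:5349?transport=tcp"],
        "username": cred["username"],
        "credential": cred["credential"],
    }]
```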

Desktop

□ High Implement signaling protocols only over HTTPS or WSS

□ High Treat your client code as suspicious. Keep as much of your signaling and policy logic as possible in your backend; browser extensions and hackers in general can reverse engineer your JS code with ease

□ Medium If you use Electron or similar technologies, make sure to protect yourself from known Electron vulnerabilities

Mobile
□ High Implement signaling protocols only over HTTPS, WSS or TLS

□ Low Use the latest version (or at least a recent version) of the webrtc.org code base for your SDK
