[liberationtech] WebRTC security

Francisco Ruiz ruiz at iit.edu
Mon Oct 6 13:11:02 PDT 2014 

I am in the process if adding WebRTC capabilities to my PassLok privacy
app. In its current incarnation, PassLok's public key functions are used to
generate an encrypted "chat invite" that only the intended recipients would
be able to decrypt. Once decrypted, the invite contains the URL of a simple
WebRTC webpage (based on Muaz Khan's demos on Github), including a 256-bit
token generated by a cryptographically secure RNG. Users then start or join
a WebRTC session, with signaling facilitated by Firebase and XirSys, with
no further involvement of PassLok other than providing an iframe for the
WebRTC to run.

But I have some doubts about the security of this scheme:

1. In order to find each other, participants contact Firebase.io so their
external IP numbers can be relayed back to them. There is also a connection
via XirSys with pretty much the same goal. I don't understand WebRTC (or
Muaz Khan's implementation of it) to understand precisely what is sent back
and forth, but it seems that the connection with these servers is only
needed in order to get around firewalls, and after the connection is
established they are out of the loop. Still, it bothers me that any kind of
servers must be involved to initiate each connection, since they might leak
some information about the clients that might enable malicious listeners to
obtain credentials that would enable them to establish unwanted connections.

2. Once a connection starts, it seems that the browser (Firefox, Chrome,
Opera) deals with it very much as if a TLS connection had been established
with a server, except that it is between clients. I wonder if this kind of
connection can be trusted to be secure enough, though.

3. A third worry is about the scheme I'm using to ensure that the chatroom
is indeed private, which is to add a random token to the chat URL itself.
That URL is never displayed in my program, but I am wondering if it needs
to be relayed to the signaling server in order to establish a WebRTC
connection, in which case it might be compromised.

Any help will be appreciated.

Thanks!

-- 
Francisco Ruiz
Associate Professor
MMAE department
Illinois Institute of Technology

PL20ezLok=1y2z7_6qg8r_wqv3n_7886/_tj4i1_11i3w_x92wj_2p6e1_co32z_uxz0t_qLrqh_fgz++_2km/d_k6bg/_2t3q9_75xjj_w581g_bfpzx_bjxde_jnd0j=PL20ezLok
https://www.youtube.com/watch?v=YnPCfP7uPpw <https://www.youtube.com>

get the PassLok privacy app at: https://passlok.com <http://passlok.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20141006/1a1673fe/attachment.html>

More information about the liberationtech mailing list