How open-source WebRTC creates security issues

By Michael O'Dwyer, Contributor

WebRTC is an open-source application programming interface (API) whose primary objective is to allow real-time voice, text and video communication within web browsers.

This relatively new technology offers a number of advantages in the transfer of data, but universal adoption will take time.

Some experts say that the open-source product is incompatible with a large number of platforms. Others have concerns about a lack of technical support, given its open-source nature. Any website can add WebRTC features using open-source development tools that can be customized to meet company requirements. Still, many organizations continue balancing the technology’s pluses and minuses.

WebRTC’s increased usage coincides with wider demand for a better browser experience. WebRTC allows Real-Time Communication (RTC) between browsers. It currently supports Chrome, Firefox and Opera. The technology supports Internet Explorer but needs a software install. Plans to extend full features to other browsers are in progress.

In-browser solutions mean that users do not need to install VoIP clients such as Skype and can transfer files without using FTP, e-mail or cloud storage services such as Dropbox. This eliminates situations where the transfer of large files is difficult to complete.

Companies see WebRTC’s potential for sales in the use of real-time chat with prospects. They also believe the technology offers greater efficiency in addressing customer queries faster and without the use of contact forms.

Easier to use

Sonia Cuff, a director of Computer Troubleshooters Aspley, an Australia-based provider of technology advice and support to SMBs, says that wider-scale usage is likely because no additional software or plug-ins are required.

“Google Chrome and Firefox have significant user bases,” Cuff said. “Imagine if Internet Explorer came on board, too, due to the pressure of missing out on this functionality. Businesses are often quick to adopt ‘free and easy’ solutions, without exploring all of the consequences [for IT support and network security].”

Isaac Dawson, a senior security researcher for Veracode, a Burlington, Mass.-based application security vendor serving commercial enterprises and government agencies, sees promise for WebRTC “since this will be the first time for real peer-to-peer communications for browsers.” He also says that collaborative tools and messaging products will definitely take advantage of it.

Gary Kumfert, Ph.D., owner of Quiphon, LLC, a Pleasanton, Calif.-based software studio for mobile applications, believes that WebRTC will be able to help a wide array of companies. “For most people, the browser is the primary — if not the only — window to the Internet,” says Kumfert. “Plug-ins are a great way to get advanced features into a browser, but as a rule of thumb two-thirds of an audience either will not or cannot install a plug-in. So having this technology built into a browser reaches an enormous untapped audience. Also, it gives developers excellent tools to create innovative and engaging experiences.”

But Kumfert says that WebRTC needs more cross-platform compatibility before larger numbers of companies will consider using it. “Support for Safari and [Internet Explorer] and mobile platforms are a minimum,” Kumfert says.

He also says that the technology’s customer support is lacking. “Customer support is questionable,” Kumfert says. But he adds: “Companies need to control their image and may have to be careful about turning support reps’ cubes into broadcast studios. Chat may be good enough for that function.”

Even Cuff is unlikely to recommend WebRTC usage to her clients. “Many software alternatives are specifically designed for businesses to enhance their engagement with customers or within internal teams,” Cuff says. “They can be controlled, recorded and supported in a timely manner, which are essential for business communications. While there’s no denying that online collaboration is a powerful tool, businesses have a duty to ensure data protection and privacy, for their own safety and their customers.”

Security issues

WebRTC has raised a number of security concerns.

Kumfert says that the same corporate policies regarding cloud and file sharing, applications and browser plug-ins should be applied to WebRTC. “Then security will need to adapt enforcement techniques,” he says. “It depends a lot on the existing [security] posture of the organization.”

Dawson says that WebRTC is still heavily under development with most browsers only supporting the media aspects such as streaming your local camera or getting streams from remote servers. “However, recently there has been concern of privacy leaks (internal network addressing) because WebRTC also allows peer-to-peer communications,” he says.

Cuff says that the use of WebRTC makes it difficult to protect an individual’s privacy because the technology “allows clients to send files directly from their local computer to any remote connection instantly [via the browser alone].”

This may compromise private and corporate computers. “As well as outbound security concerns, it also opens the corporate PCs up to security risks from inbound files from unverified, non-trusted sources,” says Cuff.

WebRTC includes new protocols such as Interactive Connectivity Establishment (ICE), Session Traversal Utilities for NAT (STUN) — both of which establish connections across multiple network types — and Traversal Using Relays around NAT (TURN) — which bypasses server restrictions for peer-to-peer sharing.
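The "internal network addressing" leak Dawson mentions and the ICE/STUN/TURN candidate types described above can be checked from the SDP that a browser hands to the signaling server. The following is an added example, not code from the article or from any WebRTC project: it parses `a=candidate:` lines (RFC 5245 format), counts host, server-reflexive (STUN) and relay (TURN) candidates, and flags any RFC 1918 address that a host or reflexive candidate exposes. The SDP samples are constructed, and the function and constant names are the author's own.

```javascript
// Added example: audit an SDP offer/answer for ICE candidates that expose
// internal (RFC 1918) addresses. Candidate line format per RFC 5245 s.15.1.
const PRIVATE_V4 = [/^10\./, /^172\.(1[6-9]|2\d|3[01])\./, /^192\.168\./];

// An mDNS name (".local") means the browser has hidden the host address,
// so it is not treated as a leak.
function isPrivateAddress(addr) {
  if (addr.endsWith('.local')) return false;
  return PRIVATE_V4.some((re) => re.test(addr));
}

// Parse one "a=candidate:" line into its fields; null if the line is not a candidate.
function parseCandidate(line) {
  const m = /^a=candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(?: raddr (\S+) rport (\d+))?/
    .exec(line.trim());
  if (!m) return null;
  return {
    foundation: m[1], component: Number(m[2]), transport: m[3].toLowerCase(),
    priority: Number(m[4]), address: m[5], port: Number(m[6]), type: m[7],
    relatedAddress: m[8] || null, relatedPort: m[9] ? Number(m[9]) : null,
  };
}

// Walk an SDP blob: count candidate types (host = direct, srflx = via STUN,
// relay = via TURN) and collect private addresses exposed by host candidates
// or by the "raddr" (base address) of reflexive candidates.
function auditSdp(sdp) {
  const counts = { host: 0, srflx: 0, prflx: 0, relay: 0 };
  const leakedPrivate = [];
  for (const c of sdp.split(/\r?\n/).map(parseCandidate).filter(Boolean)) {
    if (typeof counts[c.type] === 'number') counts[c.type] += 1;
    for (const addr of [c.type === 'host' ? c.address : null, c.relatedAddress]) {
      if (addr && isPrivateAddress(addr) && !leakedPrivate.includes(addr)) leakedPrivate.push(addr);
    }
  }
  return { counts, leakedPrivate };
}

// Constructed samples: one that exposes a LAN address, one that hides it behind mDNS.
const LEAKY_SDP = [
  'v=0',
  'a=candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host',
  'a=candidate:2 1 udp 1686052607 203.0.113.5 54321 typ srflx raddr 192.168.1.23 rport 54321',
  'a=candidate:3 1 udp 41885439 198.51.100.7 3478 typ relay raddr 203.0.113.5 rport 54321',
].join('\n');
const HIDDEN_SDP = [
  'a=candidate:1 1 udp 2122260223 0a1b2c3d-0000-4000-8000-000000000000.local 54321 typ host',
  'a=candidate:2 1 udp 1686052607 203.0.113.5 54321 typ srflx raddr 0.0.0.0 rport 0',
].join('\n');
```

Running `auditSdp(LEAKY_SDP)` reports one private address (192.168.1.23) alongside one host, one srflx and one relay candidate, while `auditSdp(HIDDEN_SDP)` reports none.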

In the event of e-discovery, additional server logging tools may be necessary, as the existing ones will not record streams that use new protocols, states Dawson. “As for large-scale adoption, as with any new web technology, it will most likely take time for it to gain popularity,” says Dawson.