STUN/TURN server security with webRTC
1,713 views
Skip to first unread message
Mark Mandel
Aug 22, 2013, 8:18:41 PM8/22/13
to discuss...@googlegroups.com
This may be a dumb question, but I'll ask it anyway.
I'm slowly wrapping my head around using webRTC for voice/audio chat, but one thing struck me.
If I'm creating a RTCPeerConnection, the urls and ports of my STUN and TURN servers are public, as they are hardcoded in my Javascript (or they could come down a websocket/XHR request, but they could still be intercepted).
e.g.
pc = new RTCPeerConnection({iceServers:[{url:"stun:stun.l.google.com:19302"}]});
So my dumb question is - is there a way to lock these down? i.e. ensure that not just anyone with a webRTC app to test doesn't send their STUN and TURN requests directly to you?
I had a quick look through the config options for https://code.google.com/p/rfc5766-turn-server/source/browse/trunk/examples/etc/turnserver.conf and nothing jumped out at me.
How are people securing down their STUN and TURN servers? I'm wondering if there is a clever way to send credentials somehow encrypted over a websocket/XHR request?
Thanks!
Mark
Oleg Moskalenko
Aug 22, 2013, 8:49:36 PM8/22/13
to discuss...@googlegroups.com
First, there are ephemeral credentials described in REST API docs. That diminishes the potential security damage.
Second, the STUN is not secured at all, usually. The cost of replying to unwanted user is smaller than the cost of checking the credentials.
Third, the breach of the TURN resource has low security impact (unless TURN is used as a gateway of a sort, but this is not usually the case in WebRTC). The only risk is the resources consumption. There is no secure information involved. I suppose that the WebRTC original architects did not consider it as much of a threat.
Fourth, I guess, you can secure your webrtc site by some kind of access password, and use SSL/TLS.
Oleg
Second, the STUN is not secured at all, usually. The cost of replying to unwanted user is smaller than the cost of checking the credentials.
Third, the breach of the TURN resource has low security impact (unless TURN is used as a gateway of a sort, but this is not usually the case in WebRTC). The only risk is the resources consumption. There is no secure information involved. I suppose that the WebRTC original architects did not consider it as much of a threat.
Fourth, I guess, you can secure your webrtc site by some kind of access password, and use SSL/TLS.
Oleg
Mark Mandel
Aug 22, 2013, 9:00:02 PM8/22/13
to discuss...@googlegroups.com
Okay - so essentially it's always going to be essentially public. The only worry you have it potential DOS attack by people consuming your resources (and upping your bandwidth bill).
Failing that - rotate the DNS entries and ports seems like the only other option.
That sound about right?
Mark
--
---
You received this message because you are subscribed to the Google Groups "discuss-webrtc" group.
To unsubscribe from this group and stop receiving emails from it, send an email to discuss-webrt...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
E: mark....@gmail.com
T: http://www.twitter.com/neurotic
W: www.compoundtheory.com
2 Devs from Down Under Podcast
Oleg Moskalenko
Aug 22, 2013, 9:22:09 PM8/22/13
to discuss...@googlegroups.com
That does not sound perfect. But this is the way how it is now, essentially.
Mark Mandel
Aug 22, 2013, 9:32:17 PM8/22/13
to discuss...@googlegroups.com
Okay - fair enough. At least now I know ;)
Thanks for the help.
Mark
Reply all
Reply to author
Forward
0 new messages