statements that WebRTC requires authen


Rob Retter

Dec 23, 2015, 1:16:02 PM
to TURN Server (Open-Source project)
Hello,

In the README.turnserver file, there are statements:

-a, --lt-cred-mech      Use long-term credentials mechanism (this one you need for WebRTC usage).

 
--use-auth-secret       TURN REST API flag.
                        Flag that sets a special WebRTC authorization option
                        that is based upon authentication secret.

WebRTC uses long-term authentication mechanism, so you have to use -a
option (or --lt-cred-mech). WebRTC relaying will not work with anonymous
access.

This is puzzling to me because WebRTC does not, to my knowledge, require any authorization mechanism.  It does support such, of course, and generally it's a good idea to use some sort of authorization/authentication.  But WebRTC itself actually requiring one?  Not so much.

I'm definitely not a WebRTC expert, only having recently begun work in this realm.  But I have written a few apps that use WebRTC and done my development work without authentication, encryption, etc, etc (because security is not the point in day-to-day app programming and often poses a pain in the ass, though of course it is relevant within a final product).

So my question: Are the statements quoted above about WebRTC requiring particular authentication mechanisms --- or any mechanism at all --- literally correct?  And if so, could someone point me at the WebRTC doc(s) that declare this?

Thank you very much for your time.

Rob Retter

Dec 23, 2015, 1:42:33 PM
to TURN Server (Open-Source project)
Sigh... I made (at least) one classical mistake in my posting above:

... WebRTC does not, to my knowledge, require any authentication mechanism.

Over the years, I've come to hate the words authentication and authorization.  Not just because they usually introduce a horrible storm of inconvenience and aggravation, but because they're linguistically so clumsy and similar.  Ripe for interchanging mistakenly.  Ripe, I tell you.  It's not really my fault at all.

Another sigh.

Oleg Moskalenko

Dec 23, 2015, 2:01:24 PM
to Rob Retter, TURN Server (Open-Source project)
See below:

On Dec 23, 2015, at 10:16 AM, Rob Retter <rre...@gmail.com> wrote:

Hello,

In the README.turnserver file, there are statements:

-a, --lt-cred-mech      Use long-term credentials mechanism (this one you need for WebRTC usage).

 
--use-auth-secret       TURN REST API flag.
                        Flag that sets a special WebRTC authorization option
                        that is based upon authentication secret.

WebRTC uses long-term authentication mechanism, so you have to use -a
option (or --lt-cred-mech). WebRTC relaying will not work with anonymous
access.

This is puzzling to me because WebRTC does not, to my knowledge, require any authorization mechanism. 

It does require 

It does support such, of course, and generally it's a good idea to use some sort of authorization/authentication.  But WebRTC itself actually requiring one?  Not so much.

I'm definitely not a WebRTC expert, only having recently begun work in this realm.  But I have written a few apps that use WebRTC and done my development work without authentication, encryption, etc, etc (because security is not the point in day-to-day app programming and often poses a pain in the ass, though of course it is relevant within a final product).

So my question: Are the statements quoted above about WebRTC requiring particular authentication mechanisms --- or any mechanism at all --- literally correct?  And if so, could someone point me at the WebRTC doc(s) that declare this?

Thank you very much for your time.


Philipp Hancke

Dec 23, 2015, 2:02:39 PM
to Oleg Moskalenko, Rob Retter, TURN Server (Open-Source project)
Saying 'WebRTC uses the _STUN_ long-term authentication mechanism' would probably make this slightly clearer.

Oleg Moskalenko

Dec 23, 2015, 3:09:05 PM
to Philipp Hancke, Rob Retter, TURN Server (Open-Source project)
That was already explained in the docs
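
Added example, not part of the thread and not the TURN server project's code: a Python sketch of how the two README options discussed above fit together, using the commonly documented TURN REST API scheme (username `expiry:userid`, password `base64(HMAC-SHA1(secret, username))`) and the STUN long-term credential key from RFC 5389. The secret, realm, user id and function names are constructed for illustration, and SASLprep of the password is skipped on the assumption that it is ASCII.

```python
import base64
import hashlib
import hmac


def rest_api_credentials(shared_secret: bytes, user_id: str, ttl: int, now: int):
    """Issue time-limited TURN credentials from the shared auth secret."""
    username = f"{now + ttl}:{user_id}"          # expiry timestamp, then user id
    mac = hmac.new(shared_secret, username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(mac).decode()


def verify_rest_credentials(shared_secret: bytes, username: str,
                            password: str, now: int) -> bool:
    """Server-side check: well-formed, not expired, and MAC matches."""
    expiry, sep, _ = username.partition(":")
    if not sep or not (expiry.isascii() and expiry.isdigit()):
        return False
    if int(expiry) < now:                        # credential lifetime is over
        return False
    mac = hmac.new(shared_secret, username.encode(), hashlib.sha1).digest()
    expected = base64.b64encode(mac)
    # Constant-time comparison on bytes avoids leaking how many chars matched.
    return hmac.compare_digest(expected, password.encode())


def long_term_key(username: str, realm: str, password: str) -> bytes:
    """STUN long-term credential key: MD5(username ":" realm ":" password).

    This key is what HMAC-SHA1 uses for the MESSAGE-INTEGRITY attribute.
    """
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


if __name__ == "__main__":
    secret = b"constructed-demo-secret"          # constructed sample value
    now = 1450894562                             # constructed fixed clock
    user, pw = rest_api_credentials(secret, "alice", 3600, now)
    print("username:", user)
    print("password:", pw)
    print("valid now:", verify_rest_credentials(secret, user, pw, now))
    print("valid after expiry:",
          verify_rest_credentials(secret, user, pw, now + 3601))
    # The ephemeral pair is then used as an ordinary long-term credential.
    print("integrity key:", long_term_key(user, "example.org", pw).hex())
```

The browser never sees the shared secret; it only receives the derived username and password, which stop verifying once the embedded expiry has passed.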