WebRTC Security - Is Web-Based Peer-to-Peer Ready for Primetime?

Explore the security aspects of WebRTC in this comprehensive conference talk. Gain insights into the emerging web-based peer-to-peer technology, its architecture, and enabling technologies such as STUN, TURN, ICE, and DTLS-SRTP. Examine various deployment scenarios and identify basic security characteristics of WebRTC. Delve into the impact of WebRTC on the current web security model, uncovering potential weaknesses and open security challenges. Learn about the WebRTC permission model, privacy implications, and potential network attacks. Investigate endpoint authenticity, identity provisioning, and fingerprinting concerns. Analyze WebRTC weaknesses, including issues with identity providers and automatic identity assertions. Conclude with a discussion on the security consequences, web permission model, and new browser capabilities introduced by WebRTC. Benefit from resources such as WebRTC Magazine and the Client-side Web Security Handbook to further your understanding of this technology.

Introduction
Agenda
What is WebRTC
Peertopeer browser communication
WebRTC architecture
Communication protocols
Session description protocol
Networking
Identity provisioning
Questions
General Observations
WebRTC Permission Model
Do you want to be involved
Two packs of privacy
What happens if you eavesdrop
Network attacker
DTLS
Maninthemiddle
Clone video
Endpoint authenticity
Identity provider
Fingerprinting
IP addresses
WebRTC weaknesses
Identity providers
Automatic identities assertions
Automatic identities assertion attack
Wrapup
Security consequences
Web permission model
Webpart authentication
New browser capabilities
Resources
WebRTC Magazine
Clientside Web Security Handbook
Any questions