Login/Register
Is WebRTC traffic over TURN end-to-end encrypted?
Asked Answered
Solved securitywebrtcdtls
A

1

42

WebRTC traffic is encrypted using DTLS - ok. But what about traffic that's relayed over a TURN server?

I'm looking for a reliable resource which confirms that the traffic is truly end-to-end encrypted (because "end-to-end" can sometimes mean several things). So I mean

  • NOT that there's an "end-to-end" encryption between a peer and the TURN server.

But rather,

  • that it is end-to-end between the peers
  • such that it is not decrypted/re-encrypted on the TURN server
  • AND that there is no way for the TURN server to get access to the secret

I haven't been able to find a definite answer to this.

Antoneantonella answered 15/4, 2014 at 13:35 Comment(1)
Great question here ! thanksOpenair
M
40

The place to look is the TURN proposed standard, RFC 5766. The standard provides a means for relaying UDP packets containing application data between a client and a peer:

Once an allocation is created, the client can send application data to the server along with an indication of to which peer the data is to be sent, and the server will relay this data to the appropriate peer. The client sends the application data to the server inside a TURN message; at the server, the data is extracted from the TURN message and sent to the peer in a UDP datagram. In the reverse direction, a peer can send application data in a UDP datagram to the relayed transport address for the allocation; the server will then encapsulate this data inside a TURN message and send it to the client along with an indication of which peer sent the data.

The highest layer that TURN parses is the UDP layer. It does not understand or modify the application data layer (in your case, the WebRTC protocol). The standard says:

An application wishing to ensure that its data is not altered or forged must integrity-protect its data at the application level.

This implies that you can integrity-protect your application data, and TURN will relay it without modification. You can also look at the details of the TURN protocol (which I won't repeat here) that show that it merely wraps and forwards application data.

Finally, the standard says this on eavesdropping:

Confidentiality for the application data relayed by TURN is best provided by the application protocol itself, since running TURN over TLS does not protect application data between the server and the peer. If confidentiality of application data is important, then the application should encrypt or otherwise protect its data. For example, for real-time media, confidentiality can be provided by using SRTP.

The recommendation in this excerpt is to protect confidentiality by encrypting application data with a protocol such as DTLS-SRTP, which WebRTC uses.

Because TURN does not interpret or modify application data, it doesn't add any security vulnerabilities to WebRTC application data traffic that wouldn't be present without using TURN. WebRTC data is encrypted between WebRTC endpoints.

Now, no one can guarantee that there is "no way for the TURN server to get access to the secret." A rogue TURN server could attempt a man-in-the-middle attack on your connection just as easily as anyone else who can intercept your network packets. It's only true that using a TURN relay doesn't weaken WebRTC security.

As long as DTLS is implemented and used properly and assuming the DTLS algorithms and ciphers are secure, WebRTC traffic should be secured end-to-end. Part of using any SSL-based scheme requires verifying the certificate of the other endpoint, just like HTTPS. And just like HTTPS, this will require a prior out-of-band exchange of certificate identity or use of a trusted third-party. And just like HTTPS, if certificates are not properly verified then the door will be open for a MITM attack (by anyone, not just TURN servers).

Metonym answered 25/4, 2014 at 18:45 Comment(9)
This answer definitely goes into the right direction. It's clear, that the encryption must be done at the application layer, for end-to-end encryption to work. But 1. I'm not 100% sure, if "The highest layer that TURN parses is the UDP layer.": There are dtls and tls options in code.google.com/p/rfc5766-turn-server/wiki/turnserver . And 2. I'm not 100% sure, if WebRTC performs the key exchange for DTLS with the TURN server, or with the other client. I haven't found anything about that in the WebRTC spec.Antoneantonella
@ChrisLercher, The TURN protocol itself can be protected by TLS or DTLS for the connection between the client and the server (TLS is allowed in the RFC 5766; DTLS is an obvious enhancement). This encryption encapsulates the traffic between the client and server and is on top of any encryption in the application layer. In the open source code, the description of the --no-tls and --no-dtls options (defined in mainrelay.c, used in netengine.c) actually says that this applies to client listeners, indicating the sockets for the TURN protocol layer.Metonym
@ChrisLercher, WebRTC doesn't specify DTLS handshaking because that's part of DTLS. DTLS is just a UDP-ized version of TLS, so it can guarantee end-to-end encryption. But just like HTTPS, it only works if you verify the certificate of your peer - otherwise, as you fear, someone can use a MITM attack. And, just like HTTPS, WebRTC implementations must check certificates to be secure. This is covered in section 8.3.5 of the W3C draft: Waiting for all DTLS connections to be establishes and checking that the certificate fingerprints on all connections matches the one provided by the IdP.Metonym
@ChrisLercher, Note that there is some concern that implementations won't perform the certificate checks, which require either a prior out-of-band exchange of certificates or a trusted third-party identity server (again, just like HTTPS). I believe there are additional proposed changes to WebRTC to address this.Metonym
Thanks @rhashimoto. See also groups.google.com/d/msg/turn-server-project-rfc5766-turn-server/…Antoneantonella
Can someone answer the question with the knowledge of 2019 and the current implementations in the major browsers!?Related
@Related in the perspective of the turn server this answer is still valid, nothing new... other than tls1.3 but the basis are the sameOpenair
The answer above was great, and anyone interested in additional information might look at the article located here: webrtc-security.github.io it's a longer read, but probably worth the time investment if you're asking yourself this question. It helped me a lot, in addition to this answer. So thanks. SO should create a tip jar.Regelate
But what if I'm writing both: the client AND the stun server? I can send whatever info from client using other layers like WebSockets, so HOW do I actually decrypt/decode those UDP packages? In my particular use-case I'm writing UDP server for a game, and I wanna mimic some of the STUN server features, so in the end of the day I'm able to use WebRTC browser API and connect my browser client to a game server using UDP transferring layer. I.e. it's not browser-to-browser interaction via UDP (which WebRTC is intended for), but instead browser-to-server interaction via UDP. And I need to decode itSupercharger

© 2022 - 2024 — McMap. All rights reserved.