SlideShare une entreprise Scribd logo

WebRTC Security

Alex Hunte
Alex Hunte

Importance of security for WebRTC

Technologie
1  sur  66
Télécharger pour lire hors ligne
SECURITY AND IDENTITY MANAGEMENT ON WEBRTC
Agenda 1. Introduction into WebRTC security - VoIP attacks - WebRTC vulnerabilities - Protection - Identity Management 2.WebRTC, IMS, Security and Identities Víctor Pascual @victorpascual Antón Román @antonroman
Introduction into WebRTC security
WebRTC. Features Open system, no proprietary implementations ¡No plugins! Multi-platform...
WebRTC. Features. Multidevice: ○ Desktop and laptops ○ Tablets and notebooks ○ Smartphones ○ Set-Top-Boxes and WebTVs
WebRTC. Use cases. More information about use cases available here: Corporate: ○ Audio webclients for IMS, NGN, MS Lync, Cisco, etc. ○ Video webclients for conference bridges ○ Click to call (click to video/chat) solutions ○ Contact center solutions Residential: ○ OTT services ○ Audio webclients for residential users ○ Webchats ○ Vertical applications (e-health,...) ○ Extended RCS/Joyn services ○ Online videogames
WebRTC. Architecture. New elements introduced in the UC networks requires new considerations in terms of security: ○ Web Server ○ WebRTC gateway ○ Laptop/desktop used as endpoint
Efforts in WebRTC security. RFC Draft: Security considerations for RTC-Web WebRTC inherits part of the potential VoIP attacks and adds new threads: ○ New network elements to be hijacked, etc. ○ Open communications (new open ports, etc.) ○ Privacy issues through access to microphones and cams.
VoIP attacks
VoIP attacks. Introduction. Types of VoIP attacks: 1. Denial of service 2. Fraud 3. Illegal interception 4. Illegal control A VoIP attack causes an immediate economic damage for the attacked entity and a direct economic profit to the attacker. This does not occur with other type of attacks. VoIP security
VoIP attacks. Denial of service. The aim of an attack of DoS is to degrade the quality of the service that perceives the user by means of the massive delivery of messages that require of the use of resources (CPU, BW or memory) in the attacked system. Examples: flood of register requests or calls in a softswitch that can pretend: ■ A simple failure of the service. ■ Attack for telephone fraud. Also other "non intentional" attacks should be taking into account: ■ flood after a power blackout. ■ Bugs in terminals. ■ Viruses.
VoIP attacks. Fraud. An attacker registers in the system with a valid user (discovers the password, alters an IP, etc.) with the aim to do calls to international numbers. CFCA estimates 40 Billions USD annually. They are not only calls through the network. Sometimes the attacker obtains remote access to a SIP proxy or softswitch that can use to originate illegal calls by console. ● These attacks cause not only economic losses. Sometimes the legitimate user has to pay the bill!! ● In most cases, it's difficult to determine the responsibility (customer or operator) of the attacks.
VoIP attacks. Illegal interception. Because of the IP nature is simpler to capture signalling and media traffic by potential attackers to obtain information (audio of the call, other information of the call exchanged, etc.) As traditional VoIP SIP traffic is opened, this is more dangerous in Wi-Fi networks where traffic is not ciphered. WebRTC uses ciphered traffic for signalling and media, so interception could only be done in the endpoints or media gateway.
VoIP attacks. Illegal control. If an attacker achieves the credenciales of an user or an administrator, he has absolute control: ● Can be used to do calls with high costs: causing losses to the service provider and/or end customer. ● Hijacked lines can be used to finish calls of other customers to which the attacker sells services ● For illegal activities, makes more difficult the judicial follow-up of the calls.
WebRTC vulnerabilities
Access to devices. Threats HTML and JS script are executed by the browser as a "sandbox" designed to be isolated from the rest of the computer. However bugs may exist. WebRTC API needs to access physical devices which will provide real-time media information (and files): THREAT: Web pages access to user's camera and microphone without permissions.
Access to devices. Threats Malicious WebSever Users can potentially being recorded with Javascript code downloaded from a malicious Web Server. Malicious Script SRTP
Access to screen capture. Threats Malicious WebSever SRTP Malicious Script Security in screen sharing is specially critical as very sensitive information can be stolen.
Websocket. Websocket (RFC6445): provides a full-duplex socket between a browser and a server. It is just a TCP socket upgraded from an HTTP handshake. Standardized way for the server to send content to the browser without being solicited by the client. Image from http://blog.kaazing.com Image from: http://stackoverflow.com
Websocket DoS. Threats Browser N Attacked Server websocket Malicious WebSever Websocket allows cross-origin connection. DDoS attacks can be implemented in a Web-oriented way. Browser 1 websocket httphttp Malicious Script Malicious Script
Websocket cross-protocol attack. Threats ebsocket A malicious script could potentially inject code which is valid in HTTP poisoning HTTP intermediaries (i.e. HTTP proxy). This is avoided natively by WS RFC. http://tools.ietf.org/agenda/80/slides/hybi-2.pdf
Signaling sent over not TLS connection. By default it implements digest authentication, however it has a number of disadvantages: ● Several security options (like 'qop' for integrity) are optional. ● Vulnerable to man-in-the-middle attacks. Sending the messages in plain-text is not a good idea, it can be authenticated but not privacy and integrity. Signaling traffic can be sent over Websocket: data is sent over a TCP socket without any encryption. Equivalent to SIP over UDP/TCP. Sending all the signaling over TLS is a must!
Security of TURN server. TURN is necessary in many WebRTC scenarios to establish bi-directional flows. Media relaying is an expensive resource so it is protected with credentials. Those credentials can be long-term, if these credentials are stolen the TURN server can be abused.
Security in Click-to-call solutions ● Click to call solutions are potentially easy to be attacked. ● The WebRTC Click2Call solution server must implement mechanism to make sure the user is calling from a trusted site and limit the amount of calls from one location. ● Controlling the total amount of calls also will help to minimize DDoS. Web Visitor Contact Center
Protection
Signaling over TLS. SIP traffic can be sent over Secure Websocket: data is sent over a TLS socket. Equivalent to SIP over TLS. TLS provides privacy, integrity and authentication. It also provides server authentication, and client authentication if a client certificate is provided. If the client certificate is signed by a Trusted Certification Authority (CA) the real-time communication can have legal value. Using, HTTPS and WSS is necessary when working with WebRTC. For example: Screen sharing only works from HTTPS sites!
Access to devices. WebRTC standard requires that access to device to be notified to the user. Browser notifies the user that a tab is currently accessing media devices. With a blinking red spot In Chrome.
Access to devices. Showing own video to the user helps to be aware that the browser is accessing cam and micro. The browser stores the permissions settings for HTTPS sites which valid certificates.
Access to devices. Screen capture requires to type of permissions: 2. Always active user content 1. Elevated permissions (in practice means installing a plugin once)
Websocket poisoning. websocket http://tools.ietf.org/agenda/80/slides/hybi-2.pdf Browser Server<Websocket opening handshake string> *u0!GDDD&GIO[[[ONx< [&BM#>;:$MMGGDDDF4xOFDA@E6XU7$&UU<'U<! 4U6UY&0OY X$%CIOCBM#HNXDWBK69E SIP/2.0 200 OK Via: SIP/2.0/WS NO72tU858jVE.invalid; branch=z9hG4bKFhlN824OuTkQrgQl7FD8t1ejvP08 0E;rport=48095;received=46.25.57.69 Browser-To-Server Server-To-Browser
DDoS. DoS and DDoS protections are pretty similar to the implemented in Web Servers. Attacks can be potentially be launched from thousands of browsers. Signaling is going to be received via TCP/TLS: WS, WSS, REST APIs, etc Typical attack vectors (SYN flood, RESET attack etc) must be stopped as soon as possible to limit resources exhaustion which causes a denial of service. WebRTC Gateways/servers normally will be exposed in Internet listening on well-known ports (443 and 80).
DTLS-SRTP for media encryption DTLS-SRTP manage the SRTP key exchange within the RTP flow before starting media. This is done using DTLS, a version of TLS based on datagrams. Keys are not exchanged in the SDP protocol. It protects the RTP flow even if signaling is not encrypted. It is mandatory for A fingerprint is included in the SDP to create a security relationship between the SDP and the DTLS-SRTP flows.
ICE. ICE(RFC5245) allows RTP flows to traverse NAT routers. It finds the best path for RTP/RTCP traffic. STUN is used to find out the paths to send the RTP flow. ICE, includes a handshake designed to verify that the receiving element wishes to receive traffic from the sender. This identifier/password are created by the browser and used during the ICE negotiation.
Monitoring. It is important monitor all the traffic the same way it is done with SIP traffic. It is possible to gather even more information for WebRTC sessions: ● IP geolocation. ● Host URL. ● Browser info. ● Contextual info.
ID management
Identity management. WebRTC does not force any authentication method. WebRTC API exposes an authentication API based on Identity Providers which can be: ● Ad-hoc solutions ● Social networks ● Certification Authorities (private or public) ● Telco authentication IdP protocols: OpenID or BrowserID, Federated Google Login, Facebook Connect, OAuth, WebFinger
Identity management. OpenID Makes possible to be sure of the identity using a third party New opportunity for operators as Identity Providers: Mobile number as Trusted Identity
Identity management. +----------------+ | | | Signaling | | Server | | | +----------------+ ^ ^ / HTTPS / HTTPS / / v v JS API JS API +-----------+ +-----------+ | | Media | | Alice | Browser |<---------->| Browser | Bob | | (DTLS+SRTP)| | +-----------+ +-----------+ ^ ^--+ +--^ ^ | | | | v | | v +-----------+ | | +-----------+ | |<--------+ | | | IdP1 | | | IdP2 | | | +------->| | +-----------+ +-----------+ WebRTC API defined by W3C Alice and Bob have relationships with some Identity Provider (IdP) that supports a protocol such as OpenID or BrowserID, Federated Google Login, Facebook Connect, OAuth, WebFinger) that can be used to demonstrate their identity to other parties.
Identity management. +--------------------------------------+ | Browser | | | | +----------------------------------+ | | | https://calling-site.example.com | | | | | | | | Calling JS Code | | | | ^ | | | +---------------|------------------+ | | | API Calls | | v | | PeerConnection | | ^ | | | MessageChannel | | +-----------|-------------+ | +---------------+ | | v | | | | | | IdP Proxy |<-------->| Identity | | | | | | Provider | | | https://idp.example.org | | | | | +-------------------------+ | +---------------+ | | +--------------------------------------+ v=0 o=- 1181923068 1181923196 IN IP4 ua1.example.com s=example1 c=IN IP4 ua1.example.com a=setup:actpass a=fingerprint: SHA-1 4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:19:E5:7C:AB a=identity: ImlkcCI6eyJkb21haW4iOiAiZXhhbXBsZS5vcmciLCAicHJvdG9jb2wiOiAiYm9n dXMifSwiYXNzZXJ0aW9uIjpcIntcImlkZW50aXR5XCI6XCJib2JAZXhhbXBsZS5v cmdcIixcImNvbnRlbnRzXCI6XCJhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3l6XCIs XCJzaWduYXR1cmVcIjpcIjAxMDIwMzA0MDUwNlwifSJ9Cg== t=0 0 m=audio 6056 RTP/SAVP 0 a=sendrecv WebRTC API defined by W3C
Identity management. Adds a second factor of authentications because we validate the device (smartphone or PC) and the credentials are introduced ciphered in a SIP signalling packet. Certification Authority Certificate verification Example of Identity Management
WebRTC, IMS, Security and Identities
WebRTC access to IMS
WebRTC access to IMS
Reference Model WebRTC IMS Client (WIC) P-CSCF enhanced for WebRTC (eP-CSCF) IMS-AGW enhanced for WebRTC (eIMS-AGW) WebRTC Web Server Function (WWSF) WebRTC Authorization Function (WAF)
Registration and authentication SIP/IMS vs Web Authentication
WebRTC is signaling agnostic, SIPoWS is just one option
SIP can be used with Web Authentication
IMS can be used with Web Authentication
Authentication of WebRTC IMS Client with IMS subscription using web credentials
Control plane security
Media plane security
Media security for RTP
Media Security for WebRTC DataChannels
NAT traversal In order to traverse restrictive-firewalls one could also use TCP/TLS transport. Some, are even multiplexing that over HTTP-based connections
Firewall and HTTP proxy traversal
Additional Considerations
Specs perspective
How is it really deployed in the real world? other existing systems Experience from 100+ field trials/POCs
Customer Use Case: Service Provider in CALA
Customer Use Case: Service Provider in EMEA
Customer Use Case: Service Provider in APAC
Summary
What we have learned today ● Legacy VoIP attacks could also be important in WebRTC. ● WebRTC provides security by default (mandatory encryption, access permissions, etc). ● Care should be paid to Authentication and Identity Management
Planning to be in Barcelona during MWC15? Quobis' booth (#CS60, Spanish Pavilion) will showcase "Sippo WebRTC Application Controller" to service providers and network equipment vendors, showing them how to introduce new value- added WebRTC services to their residential and corporate customers, hiding the complexity behind the different implementation of the standards by web browsers and gateway vendors and providing a complete set of APIs to manage AAA, user provisioning, contact management, policy control and other features. mwc@quobis.com
Planning to be in Barcelona during MWC15? Register today for this free event at http: //www.meetup.com/WebRTC-Barcelona

Recommandé

Async js
Async jsAsync js
Async jsAlexandr Skachkov
 
Spring MVC Framework
Spring MVC FrameworkSpring MVC Framework
Spring MVC FrameworkHùng Nguyễn Huy
 
ラムダと invokedynamic の蜜月
ラムダと invokedynamic の蜜月ラムダと invokedynamic の蜜月
ラムダと invokedynamic の蜜月Taku Miyakawa
 
Test Driven Development
Test Driven DevelopmentTest Driven Development
Test Driven Developmentguestc8093a6
 
BDD Approach with Karate Framework in Service Tests
BDD Approach with Karate Framework in Service TestsBDD Approach with Karate Framework in Service Tests
BDD Approach with Karate Framework in Service Testskloia
 
API Test Automation Tips and Tricks
API Test Automation Tips and TricksAPI Test Automation Tips and Tricks
API Test Automation Tips and Trickstesthive
 
Build web apps with react js
Build web apps with react jsBuild web apps with react js
Build web apps with react jsdhanushkacnd
 
Thick Client Testing Advanced
Thick Client Testing AdvancedThick Client Testing Advanced
Thick Client Testing AdvancedNSConclave
 

Recommandé

Async js
Async jsAsync js
Async jsAlexandr Skachkov
 
Spring MVC Framework
Spring MVC FrameworkSpring MVC Framework
Spring MVC FrameworkHùng Nguyễn Huy
 
ラムダと invokedynamic の蜜月
ラムダと invokedynamic の蜜月ラムダと invokedynamic の蜜月
ラムダと invokedynamic の蜜月Taku Miyakawa
 
Test Driven Development
Test Driven DevelopmentTest Driven Development
Test Driven Developmentguestc8093a6
 
BDD Approach with Karate Framework in Service Tests
BDD Approach with Karate Framework in Service TestsBDD Approach with Karate Framework in Service Tests
BDD Approach with Karate Framework in Service Testskloia
 
API Test Automation Tips and Tricks
API Test Automation Tips and TricksAPI Test Automation Tips and Tricks
API Test Automation Tips and Trickstesthive
 
Build web apps with react js
Build web apps with react jsBuild web apps with react js
Build web apps with react jsdhanushkacnd
 
Thick Client Testing Advanced
Thick Client Testing AdvancedThick Client Testing Advanced
Thick Client Testing AdvancedNSConclave
 
MVC Architecture in ASP.Net By Nyros Developer
MVC Architecture in ASP.Net By Nyros DeveloperMVC Architecture in ASP.Net By Nyros Developer
MVC Architecture in ASP.Net By Nyros DeveloperNyros Technologies
 
Building a REST Service in minutes with Spring Boot
Building a REST Service in minutes with Spring BootBuilding a REST Service in minutes with Spring Boot
Building a REST Service in minutes with Spring BootOmri Spector
 
REST API 설계
REST API 설계REST API 설계
REST API 설계Terry Cho
 
Linq to sql
Linq to sqlLinq to sql
Linq to sqlShivanand Arur
 
React & Redux JS
React & Redux JS React & Redux JS
React & Redux JS Hamed Farag
 
Top 40 MVC Interview Questions and Answers | Edureka
Top 40 MVC Interview Questions and Answers | EdurekaTop 40 MVC Interview Questions and Answers | Edureka
Top 40 MVC Interview Questions and Answers | EdurekaEdureka!
 
Hexagonal architecture with Spring Boot
Hexagonal architecture with Spring BootHexagonal architecture with Spring Boot
Hexagonal architecture with Spring BootMikalai Alimenkou
 
Introduction to jQuery
Introduction to jQueryIntroduction to jQuery
Introduction to jQueryZeeshan Khan
 
Graphql presentation
Graphql presentationGraphql presentation
Graphql presentationVibhor Grover
 
MVC Framework
MVC FrameworkMVC Framework
MVC FrameworkAshton Feller
 
決済サービスのSpring Bootのバージョンを2系に上げた話
決済サービスのSpring Bootのバージョンを2系に上げた話決済サービスのSpring Bootのバージョンを2系に上げた話
決済サービスのSpring Bootのバージョンを2系に上げた話Ryosuke Uchitate
 
React workshop
React workshopReact workshop
React workshopImran Sayed
 
Test-Driven Development (TDD)
Test-Driven Development (TDD)Test-Driven Development (TDD)
Test-Driven Development (TDD)Brian Rasmussen
 
Cucumber BDD
Cucumber BDDCucumber BDD
Cucumber BDDPravin Dsilva
 
React Js Simplified
React Js SimplifiedReact Js Simplified
React Js SimplifiedSunil Yadav
 
GraphQL Introduction with Spring Boot
GraphQL Introduction with Spring BootGraphQL Introduction with Spring Boot
GraphQL Introduction with Spring Bootvipin kumar
 
asp-net.pptx
asp-net.pptxasp-net.pptx
asp-net.pptxFajar Baskoro
 
Design Patterns (Examples in .NET)
Design Patterns (Examples in .NET)Design Patterns (Examples in .NET)
Design Patterns (Examples in .NET)Aniruddha Chakrabarti
 
JavaScriptの仕組みと未来のJavaScript ~ESNextとは~
JavaScriptの仕組みと未来のJavaScript ~ESNextとは~JavaScriptの仕組みと未来のJavaScript ~ESNextとは~
JavaScriptの仕組みと未来のJavaScript ~ESNextとは~Yuki Hirano
 
Angular vs React vs Vue | Javascript Frameworks Comparison | Which One You Sh...
Angular vs React vs Vue | Javascript Frameworks Comparison | Which One You Sh...Angular vs React vs Vue | Javascript Frameworks Comparison | Which One You Sh...
Angular vs React vs Vue | Javascript Frameworks Comparison | Which One You Sh...Edureka!
 
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"VOIP2DAY 2015: "WebRTC security concerns, a real problem?"
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"Quobis
 
WebRTC Security Concerns, a real problem?
WebRTC Security Concerns, a real problem?WebRTC Security Concerns, a real problem?
WebRTC Security Concerns, a real problem?VOIP2DAY
 

Contenu connexe

Tendances

MVC Architecture in ASP.Net By Nyros Developer
MVC Architecture in ASP.Net By Nyros DeveloperMVC Architecture in ASP.Net By Nyros Developer
MVC Architecture in ASP.Net By Nyros DeveloperNyros Technologies
 
Building a REST Service in minutes with Spring Boot
Building a REST Service in minutes with Spring BootBuilding a REST Service in minutes with Spring Boot
Building a REST Service in minutes with Spring BootOmri Spector
 
REST API 설계
REST API 설계REST API 설계
REST API 설계Terry Cho
 
React & Redux JS
React & Redux JS React & Redux JS
React & Redux JS Hamed Farag
 
Top 40 MVC Interview Questions and Answers | Edureka
Top 40 MVC Interview Questions and Answers | EdurekaTop 40 MVC Interview Questions and Answers | Edureka
Top 40 MVC Interview Questions and Answers | EdurekaEdureka!
 
Hexagonal architecture with Spring Boot
Hexagonal architecture with Spring BootHexagonal architecture with Spring Boot
Hexagonal architecture with Spring BootMikalai Alimenkou
 
Introduction to jQuery
Introduction to jQueryIntroduction to jQuery
Introduction to jQueryZeeshan Khan
 
Graphql presentation
Graphql presentationGraphql presentation
Graphql presentationVibhor Grover
 
決済サービスのSpring Bootのバージョンを2系に上げた話
決済サービスのSpring Bootのバージョンを2系に上げた話決済サービスのSpring Bootのバージョンを2系に上げた話
決済サービスのSpring Bootのバージョンを2系に上げた話Ryosuke Uchitate
 
Test-Driven Development (TDD)
Test-Driven Development (TDD)Test-Driven Development (TDD)
Test-Driven Development (TDD)Brian Rasmussen
 
React Js Simplified
React Js SimplifiedReact Js Simplified
React Js SimplifiedSunil Yadav
 
GraphQL Introduction with Spring Boot
GraphQL Introduction with Spring BootGraphQL Introduction with Spring Boot
GraphQL Introduction with Spring Bootvipin kumar
 
JavaScriptの仕組みと未来のJavaScript ~ESNextとは~
JavaScriptの仕組みと未来のJavaScript ~ESNextとは~JavaScriptの仕組みと未来のJavaScript ~ESNextとは~
JavaScriptの仕組みと未来のJavaScript ~ESNextとは~Yuki Hirano
 
Angular vs React vs Vue | Javascript Frameworks Comparison | Which One You Sh...
Angular vs React vs Vue | Javascript Frameworks Comparison | Which One You Sh...Angular vs React vs Vue | Javascript Frameworks Comparison | Which One You Sh...
Angular vs React vs Vue | Javascript Frameworks Comparison | Which One You Sh...Edureka!
 

Tendances (20)

MVC Architecture in ASP.Net By Nyros Developer
MVC Architecture in ASP.Net By Nyros DeveloperMVC Architecture in ASP.Net By Nyros Developer
MVC Architecture in ASP.Net By Nyros Developer
 
Building a REST Service in minutes with Spring Boot
Building a REST Service in minutes with Spring BootBuilding a REST Service in minutes with Spring Boot
Building a REST Service in minutes with Spring Boot
 
REST API 설계
REST API 설계REST API 설계
REST API 설계
 
Linq to sql
Linq to sqlLinq to sql
Linq to sql
 
React & Redux JS
React & Redux JS React & Redux JS
React & Redux JS
 
Top 40 MVC Interview Questions and Answers | Edureka
Top 40 MVC Interview Questions and Answers | EdurekaTop 40 MVC Interview Questions and Answers | Edureka
Top 40 MVC Interview Questions and Answers | Edureka
 
Hexagonal architecture with Spring Boot
Hexagonal architecture with Spring BootHexagonal architecture with Spring Boot
Hexagonal architecture with Spring Boot
 
Introduction to jQuery
Introduction to jQueryIntroduction to jQuery
Introduction to jQuery
 
Graphql presentation
Graphql presentationGraphql presentation
Graphql presentation
 
MVC Framework
MVC FrameworkMVC Framework
MVC Framework
 
決済サービスのSpring Bootのバージョンを2系に上げた話
決済サービスのSpring Bootのバージョンを2系に上げた話決済サービスのSpring Bootのバージョンを2系に上げた話
決済サービスのSpring Bootのバージョンを2系に上げた話
 
React workshop
React workshopReact workshop
React workshop
 
Test-Driven Development (TDD)
Test-Driven Development (TDD)Test-Driven Development (TDD)
Test-Driven Development (TDD)
 
Cucumber BDD
Cucumber BDDCucumber BDD
Cucumber BDD
 
React Js Simplified
React Js SimplifiedReact Js Simplified
React Js Simplified
 
GraphQL Introduction with Spring Boot
GraphQL Introduction with Spring BootGraphQL Introduction with Spring Boot
GraphQL Introduction with Spring Boot
 
asp-net.pptx
asp-net.pptxasp-net.pptx
asp-net.pptx
 
Design Patterns (Examples in .NET)
Design Patterns (Examples in .NET)Design Patterns (Examples in .NET)
Design Patterns (Examples in .NET)
 
JavaScriptの仕組みと未来のJavaScript ~ESNextとは~
JavaScriptの仕組みと未来のJavaScript ~ESNextとは~JavaScriptの仕組みと未来のJavaScript ~ESNextとは~
JavaScriptの仕組みと未来のJavaScript ~ESNextとは~
 
Angular vs React vs Vue | Javascript Frameworks Comparison | Which One You Sh...
Angular vs React vs Vue | Javascript Frameworks Comparison | Which One You Sh...Angular vs React vs Vue | Javascript Frameworks Comparison | Which One You Sh...
Angular vs React vs Vue | Javascript Frameworks Comparison | Which One You Sh...
 

Similaire à WebRTC Security

VOIP2DAY 2015: "WebRTC security concerns, a real problem?"
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"VOIP2DAY 2015: "WebRTC security concerns, a real problem?"
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"Quobis
 
WebRTC Security Concerns, a real problem?
WebRTC Security Concerns, a real problem?WebRTC Security Concerns, a real problem?
WebRTC Security Concerns, a real problem?VOIP2DAY
 
Fortinet_FortiDDoS_Introduction
Fortinet_FortiDDoS_IntroductionFortinet_FortiDDoS_Introduction
Fortinet_FortiDDoS_Introductionswang2010
 
Identifying How WAP Can Be Used For Secure mBusiness
Identifying How WAP Can Be Used For Secure mBusinessIdentifying How WAP Can Be Used For Secure mBusiness
Identifying How WAP Can Be Used For Secure mBusinessOliver Pfaff
 
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...Sandro Gauci
 
The FRAFOS ABC SBC WebRTC gateway
The FRAFOS ABC SBC WebRTC gateway The FRAFOS ABC SBC WebRTC gateway
The FRAFOS ABC SBC WebRTC gateway stefansayer
 
Communications Technologies
Communications TechnologiesCommunications Technologies
Communications TechnologiesSarah Jimenez
 
IoT security fresh thinking 2017 sep 9
IoT security fresh thinking 2017 sep 9IoT security fresh thinking 2017 sep 9
IoT security fresh thinking 2017 sep 9Arvind Tiwary
 
How to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AliveHow to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AlivePositive Hack Days
 
Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...Rishabh Dangwal
 
Using a VPN or and TOR by remmy nweke, fellow, cyber security policy defender
Using a VPN or and TOR by remmy nweke, fellow, cyber security policy defenderUsing a VPN or and TOR by remmy nweke, fellow, cyber security policy defender
Using a VPN or and TOR by remmy nweke, fellow, cyber security policy defenderRemmy Nweke, mNGE, mNUJ, mGOCOP
 
A Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
A Survey Report on DDOS Attacking Tools, Detection and Prevention MechanismsA Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
A Survey Report on DDOS Attacking Tools, Detection and Prevention MechanismsIRJET Journal
 
Computer Seminar.pptx
Computer Seminar.pptxComputer Seminar.pptx
Computer Seminar.pptxMelvinShaji12
 
Data security in online commerce
Data security in online commerceData security in online commerce
Data security in online commerceAnand Nair
 

Similaire à WebRTC Security (20)

VOIP2DAY 2015: "WebRTC security concerns, a real problem?"
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"VOIP2DAY 2015: "WebRTC security concerns, a real problem?"
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"
 
WebRTC Security Concerns, a real problem?
WebRTC Security Concerns, a real problem?WebRTC Security Concerns, a real problem?
WebRTC Security Concerns, a real problem?
 
Fortinet_FortiDDoS_Introduction
Fortinet_FortiDDoS_IntroductionFortinet_FortiDDoS_Introduction
Fortinet_FortiDDoS_Introduction
 
Identifying How WAP Can Be Used For Secure mBusiness
Identifying How WAP Can Be Used For Secure mBusinessIdentifying How WAP Can Be Used For Secure mBusiness
Identifying How WAP Can Be Used For Secure mBusiness
 
Intro to WebRTC
Intro to WebRTCIntro to WebRTC
Intro to WebRTC
 
RAZORPOINT SECURITY GLOSSARY
RAZORPOINT SECURITY GLOSSARYRAZORPOINT SECURITY GLOSSARY
RAZORPOINT SECURITY GLOSSARY
 
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
 
The FRAFOS ABC SBC WebRTC gateway
The FRAFOS ABC SBC WebRTC gateway The FRAFOS ABC SBC WebRTC gateway
The FRAFOS ABC SBC WebRTC gateway
 
Voip security
Voip securityVoip security
Voip security
 
Iot Security
Iot SecurityIot Security
Iot Security
 
Communications Technologies
Communications TechnologiesCommunications Technologies
Communications Technologies
 
IoT security fresh thinking 2017 sep 9
IoT security fresh thinking 2017 sep 9IoT security fresh thinking 2017 sep 9
IoT security fresh thinking 2017 sep 9
 
How to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AliveHow to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay Alive
 
Ecommerce final ppt
Ecommerce final pptEcommerce final ppt
Ecommerce final ppt
 
Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...
 
Using a VPN or and TOR by remmy nweke, fellow, cyber security policy defender
Using a VPN or and TOR by remmy nweke, fellow, cyber security policy defenderUsing a VPN or and TOR by remmy nweke, fellow, cyber security policy defender
Using a VPN or and TOR by remmy nweke, fellow, cyber security policy defender
 
A Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
A Survey Report on DDOS Attacking Tools, Detection and Prevention MechanismsA Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
A Survey Report on DDOS Attacking Tools, Detection and Prevention Mechanisms
 
Computer Seminar.pptx
Computer Seminar.pptxComputer Seminar.pptx
Computer Seminar.pptx
 
Net Defender
Net DefenderNet Defender
Net Defender
 
Data security in online commerce
Data security in online commerceData security in online commerce
Data security in online commerce
 

Dernier

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 

Dernier (20)

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 

WebRTC Security

  • 2. Agenda 1. Introduction into WebRTC security - VoIP attacks - WebRTC vulnerabilities - Protection - Identity Management 2.WebRTC, IMS, Security and Identities Víctor Pascual @victorpascual Antón Román @antonroman
  • 4. WebRTC. Features Open system, no proprietary implementations ¡No plugins! Multi-platform...
  • 5. WebRTC. Features. Multidevice: ○ Desktop and laptops ○ Tablets and notebooks ○ Smartphones ○ Set-Top-Boxes and WebTVs
  • 6. WebRTC. Use cases. More information about use cases available here: Corporate: ○ Audio webclients for IMS, NGN, MS Lync, Cisco, etc. ○ Video webclients for conference bridges ○ Click to call (click to video/chat) solutions ○ Contact center solutions Residential: ○ OTT services ○ Audio webclients for residential users ○ Webchats ○ Vertical applications (e-health,...) ○ Extended RCS/Joyn services ○ Online videogames
  • 7. WebRTC. Architecture. New elements introduced in the UC networks requires new considerations in terms of security: ○ Web Server ○ WebRTC gateway ○ Laptop/desktop used as endpoint
  • 8. Efforts in WebRTC security. RFC Draft: Security considerations for RTC-Web WebRTC inherits part of the potential VoIP attacks and adds new threads: ○ New network elements to be hijacked, etc. ○ Open communications (new open ports, etc.) ○ Privacy issues through access to microphones and cams.
  • 10. VoIP attacks. Introduction. Types of VoIP attacks: 1. Denial of service 2. Fraud 3. Illegal interception 4. Illegal control A VoIP attack causes an immediate economic damage for the attacked entity and a direct economic profit to the attacker. This does not occur with other type of attacks. VoIP security
  • 11. VoIP attacks. Denial of service. The aim of an attack of DoS is to degrade the quality of the service that perceives the user by means of the massive delivery of messages that require of the use of resources (CPU, BW or memory) in the attacked system. Examples: flood of register requests or calls in a softswitch that can pretend: ■ A simple failure of the service. ■ Attack for telephone fraud. Also other "non intentional" attacks should be taking into account: ■ flood after a power blackout. ■ Bugs in terminals. ■ Viruses.
  • 12. VoIP attacks. Fraud. An attacker registers in the system with a valid user (discovers the password, alters an IP, etc.) with the aim to do calls to international numbers. CFCA estimates 40 Billions USD annually. They are not only calls through the network. Sometimes the attacker obtains remote access to a SIP proxy or softswitch that can use to originate illegal calls by console. ● These attacks cause not only economic losses. Sometimes the legitimate user has to pay the bill!! ● In most cases, it's difficult to determine the responsibility (customer or operator) of the attacks.
  • 13. VoIP attacks. Illegal interception. Because of the IP nature is simpler to capture signalling and media traffic by potential attackers to obtain information (audio of the call, other information of the call exchanged, etc.) As traditional VoIP SIP traffic is opened, this is more dangerous in Wi-Fi networks where traffic is not ciphered. WebRTC uses ciphered traffic for signalling and media, so interception could only be done in the endpoints or media gateway.
  • 14. VoIP attacks. Illegal control. If an attacker achieves the credenciales of an user or an administrator, he has absolute control: ● Can be used to do calls with high costs: causing losses to the service provider and/or end customer. ● Hijacked lines can be used to finish calls of other customers to which the attacker sells services ● For illegal activities, makes more difficult the judicial follow-up of the calls.
  • 16. Access to devices. Threats HTML and JS script are executed by the browser as a "sandbox" designed to be isolated from the rest of the computer. However bugs may exist. WebRTC API needs to access physical devices which will provide real-time media information (and files): THREAT: Web pages access to user's camera and microphone without permissions.
  • 17. Access to devices. Threats Malicious WebSever Users can potentially being recorded with Javascript code downloaded from a malicious Web Server. Malicious Script SRTP
  • 18. Access to screen capture. Threats Malicious WebSever SRTP Malicious Script Security in screen sharing is specially critical as very sensitive information can be stolen.
  • 19. Websocket. Websocket (RFC6445): provides a full-duplex socket between a browser and a server. It is just a TCP socket upgraded from an HTTP handshake. Standardized way for the server to send content to the browser without being solicited by the client. Image from http://blog.kaazing.com Image from: http://stackoverflow.com
  • 20. Websocket DoS. Threats Browser N Attacked Server websocket Malicious WebSever Websocket allows cross-origin connection. DDoS attacks can be implemented in a Web-oriented way. Browser 1 websocket httphttp Malicious Script Malicious Script
  • 21. Websocket cross-protocol attack. Threats ebsocket A malicious script could potentially inject code which is valid in HTTP poisoning HTTP intermediaries (i.e. HTTP proxy). This is avoided natively by WS RFC. http://tools.ietf.org/agenda/80/slides/hybi-2.pdf
  • 22. Signaling sent over not TLS connection. By default it implements digest authentication, however it has a number of disadvantages: ● Several security options (like 'qop' for integrity) are optional. ● Vulnerable to man-in-the-middle attacks. Sending the messages in plain-text is not a good idea, it can be authenticated but not privacy and integrity. Signaling traffic can be sent over Websocket: data is sent over a TCP socket without any encryption. Equivalent to SIP over UDP/TCP. Sending all the signaling over TLS is a must!
  • 23. Security of TURN server. TURN is necessary in many WebRTC scenarios to establish bi-directional flows. Media relaying is an expensive resource so it is protected with credentials. Those credentials can be long-term, if these credentials are stolen the TURN server can be abused.
  • 24. Security in Click-to-call solutions ● Click to call solutions are potentially easy to be attacked. ● The WebRTC Click2Call solution server must implement mechanism to make sure the user is calling from a trusted site and limit the amount of calls from one location. ● Controlling the total amount of calls also will help to minimize DDoS. Web Visitor Contact Center
  • 26. Signaling over TLS. SIP traffic can be sent over Secure Websocket: data is sent over a TLS socket. Equivalent to SIP over TLS. TLS provides privacy, integrity and authentication. It also provides server authentication, and client authentication if a client certificate is provided. If the client certificate is signed by a Trusted Certification Authority (CA) the real-time communication can have legal value. Using, HTTPS and WSS is necessary when working with WebRTC. For example: Screen sharing only works from HTTPS sites!
  • 27. Access to devices. WebRTC standard requires that access to device to be notified to the user. Browser notifies the user that a tab is currently accessing media devices. With a blinking red spot In Chrome.
  • 28. Access to devices. Showing own video to the user helps to be aware that the browser is accessing cam and micro. The browser stores the permissions settings for HTTPS sites which valid certificates.
  • 29. Access to devices. Screen capture requires to type of permissions: 2. Always active user content 1. Elevated permissions (in practice means installing a plugin once)
  • 30. Websocket poisoning. websocket http://tools.ietf.org/agenda/80/slides/hybi-2.pdf Browser Server<Websocket opening handshake string> *u0!GDDD&GIO[[[ONx< [&BM#>;:$MMGGDDDF4xOFDA@E6XU7$&UU<'U<! 4U6UY&0OY X$%CIOCBM#HNXDWBK69E SIP/2.0 200 OK Via: SIP/2.0/WS NO72tU858jVE.invalid; branch=z9hG4bKFhlN824OuTkQrgQl7FD8t1ejvP08 0E;rport=48095;received=46.25.57.69 Browser-To-Server Server-To-Browser
  • 31. DDoS. DoS and DDoS protections are pretty similar to the implemented in Web Servers. Attacks can be potentially be launched from thousands of browsers. Signaling is going to be received via TCP/TLS: WS, WSS, REST APIs, etc Typical attack vectors (SYN flood, RESET attack etc) must be stopped as soon as possible to limit resources exhaustion which causes a denial of service. WebRTC Gateways/servers normally will be exposed in Internet listening on well-known ports (443 and 80).
  • 32. DTLS-SRTP for media encryption DTLS-SRTP manage the SRTP key exchange within the RTP flow before starting media. This is done using DTLS, a version of TLS based on datagrams. Keys are not exchanged in the SDP protocol. It protects the RTP flow even if signaling is not encrypted. It is mandatory for A fingerprint is included in the SDP to create a security relationship between the SDP and the DTLS-SRTP flows.
  • 33. ICE. ICE(RFC5245) allows RTP flows to traverse NAT routers. It finds the best path for RTP/RTCP traffic. STUN is used to find out the paths to send the RTP flow. ICE, includes a handshake designed to verify that the receiving element wishes to receive traffic from the sender. This identifier/password are created by the browser and used during the ICE negotiation.
  • 34. Monitoring. It is important monitor all the traffic the same way it is done with SIP traffic. It is possible to gather even more information for WebRTC sessions: ● IP geolocation. ● Host URL. ● Browser info. ● Contextual info.
  • 36. Identity management. WebRTC does not force any authentication method. WebRTC API exposes an authentication API based on Identity Providers which can be: ● Ad-hoc solutions ● Social networks ● Certification Authorities (private or public) ● Telco authentication IdP protocols: OpenID or BrowserID, Federated Google Login, Facebook Connect, OAuth, WebFinger
  • 37. Identity management. OpenID Makes possible to be sure of the identity using a third party New opportunity for operators as Identity Providers: Mobile number as Trusted Identity
  • 38. Identity management. +----------------+ | | | Signaling | | Server | | | +----------------+ ^ ^ / HTTPS / HTTPS / / v v JS API JS API +-----------+ +-----------+ | | Media | | Alice | Browser |<---------->| Browser | Bob | | (DTLS+SRTP)| | +-----------+ +-----------+ ^ ^--+ +--^ ^ | | | | v | | v +-----------+ | | +-----------+ | |<--------+ | | | IdP1 | | | IdP2 | | | +------->| | +-----------+ +-----------+ WebRTC API defined by W3C Alice and Bob have relationships with some Identity Provider (IdP) that supports a protocol such as OpenID or BrowserID, Federated Google Login, Facebook Connect, OAuth, WebFinger) that can be used to demonstrate their identity to other parties.
  • 39. Identity management. +--------------------------------------+ | Browser | | | | +----------------------------------+ | | | https://calling-site.example.com | | | | | | | | Calling JS Code | | | | ^ | | | +---------------|------------------+ | | | API Calls | | v | | PeerConnection | | ^ | | | MessageChannel | | +-----------|-------------+ | +---------------+ | | v | | | | | | IdP Proxy |<-------->| Identity | | | | | | Provider | | | https://idp.example.org | | | | | +-------------------------+ | +---------------+ | | +--------------------------------------+ v=0 o=- 1181923068 1181923196 IN IP4 ua1.example.com s=example1 c=IN IP4 ua1.example.com a=setup:actpass a=fingerprint: SHA-1 4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:19:E5:7C:AB a=identity: ImlkcCI6eyJkb21haW4iOiAiZXhhbXBsZS5vcmciLCAicHJvdG9jb2wiOiAiYm9n dXMifSwiYXNzZXJ0aW9uIjpcIntcImlkZW50aXR5XCI6XCJib2JAZXhhbXBsZS5v cmdcIixcImNvbnRlbnRzXCI6XCJhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3l6XCIs XCJzaWduYXR1cmVcIjpcIjAxMDIwMzA0MDUwNlwifSJ9Cg== t=0 0 m=audio 6056 RTP/SAVP 0 a=sendrecv WebRTC API defined by W3C
  • 40. Identity management. Adds a second factor of authentications because we validate the device (smartphone or PC) and the credentials are introduced ciphered in a SIP signalling packet. Certification Authority Certificate verification Example of Identity Management
  • 44.
  • 45. Reference Model WebRTC IMS Client (WIC) P-CSCF enhanced for WebRTC (eP-CSCF) IMS-AGW enhanced for WebRTC (eIMS-AGW) WebRTC Web Server Function (WWSF) WebRTC Authorization Function (WAF)
  • 47. WebRTC is signaling agnostic, SIPoWS is just one option
  • 48. SIP can be used with Web Authentication
  • 49. IMS can be used with Web Authentication
  • 50. Authentication of WebRTC IMS Client with IMS subscription using web credentials
  • 54. Media Security for WebRTC DataChannels
  • 55. NAT traversal In order to traverse restrictive-firewalls one could also use TCP/TLS transport. Some, are even multiplexing that over HTTP-based connections
  • 56. Firewall and HTTP proxy traversal
  • 59. How is it really deployed in the real world? other existing systems Experience from 100+ field trials/POCs
  • 60. Customer Use Case: Service Provider in CALA
  • 61. Customer Use Case: Service Provider in EMEA
  • 62. Customer Use Case: Service Provider in APAC
  • 64. What we have learned today ● Legacy VoIP attacks could also be important in WebRTC. ● WebRTC provides security by default (mandatory encryption, access permissions, etc). ● Care should be paid to Authentication and Identity Management
  • 65. Planning to be in Barcelona during MWC15? Quobis' booth (#CS60, Spanish Pavilion) will showcase "Sippo WebRTC Application Controller" to service providers and network equipment vendors, showing them how to introduce new value- added WebRTC services to their residential and corporate customers, hiding the complexity behind the different implementation of the standards by web browsers and gateway vendors and providing a complete set of APIs to manage AAA, user provisioning, contact management, policy control and other features. mwc@quobis.com
  • 66. Planning to be in Barcelona during MWC15? Register today for this free event at http: //www.meetup.com/WebRTC-Barcelona