Let’s Talk WebRTC Security

WebRTC is the most secure VoIP solution out there.

I’ll say it again, just so you know I am serious: WebRTC is the most secure VoIP solution out there.

If you’re pissed off already – head to the comments section and type your thoughts – write about TLS, and SIP, and H.323, and FIPS or JITC.

Padlocks

I had an interesting meeting this week with a company that is doing security. A new startup from serial entrepreneurs. They are moving from intrusion detection, where the concept is one of preventing attacks as they happen, to one of finding attacks that are in the making. The main concept? We should admit to ourselves that cyber-attacks will happen – and succeed – and we need to manage that fact instead of ignoring it.

While they are taking the route of Big Data and real-time analytics, a key aspect of what is required in products is the understanding that loopholes (and bugs) exist in any product, and that the speed at which these holes can be plugged is as important as (if not more important than) fortifying the product in the first place.

The machine you are using – when was the last time it got a security update? For how long have you postponed installing that update?

Look around you in your enterprise. See that desktop phone? When was the last time it got a security update? Oh… you don’t know? Do you think it was yesterday? A month ago? Last year? Never? Knowing your organization, which timeframe would you bet on?

All those servers you use – do you know when they were updated? How about your telephony system? The PBX you have lying around, or the hosted cloud company you use as your PBX – what’s their security patching policy?

Now let’s look at three companies that really grok security.

Microsoft

Yep. Microsoft.

If you think of malware you probably think Windows. Probably because it has been the most widely used operating system for the longest time – it has a huge number of users, large amounts of sensitive data stored on it, and has given attackers enough time to understand its internals and come up with malware for it.

And yet, according to Kaspersky’s IT Threat Evolution report, Microsoft hasn’t made it into the top 10 vulnerabilities list. This is likely due to their security update policies in recent Windows versions and the focus they place on security.

Operating systems vendors are probably better at security than the rest of the vendors out there – including all VoIP vendors. On top of that, they have a system in place to update and patch security holes in an ongoing fashion.

Google and Mozilla

I see you people now whining about Android being the most attacked mobile OS out there. While this is true, consider two security breaches that happened recently:

A security hole was found in Chrome. A security hole was patched in Chrome. It took… less than 24 hours.

Same thing happened with Firefox with the same resolution speed.

Browsers have shifted into automatic updates. People who use Chrome run the latest version – almost never an older one. As a user, you are not being asked to install a new version – it just happens to you. Similar to how SaaS services can be updated on a daily basis, so can modern browsers.

Can you say that about your VoIP phone?

Security by Default

To top it all, WebRTC doesn’t use RTP – only SRTP. The main premise being that a call is private at all times – no more having security and encryption as an optional feature.

Have you seen a VoIP phone that doesn’t support plain RTP? Or one that doesn’t require a ton of configuration and testing to make its security work? You probably end up using it with no encryption at all.
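As an added example (not code from the original post or from any WebRTC project), here is a small defender-side SDP audit of the point made above and in Serge’s comment below: a WebRTC offer must carry a DTLS-SRTP media profile, a DTLS fingerprint and a setup role, all of which a plain RTP/AVP offer from a legacy phone lacks. Both SDP samples are constructed and the fingerprint value is a placeholder.

```javascript
// Added example (not from the original post). Audits an SDP offer the way a
// gateway or monitor might: every media section must commit to DTLS-SRTP
// (encrypted profile plus a=fingerprint and a=setup), so plain RTP is flagged.
const ENCRYPTED_PROFILES = new Set([
  'UDP/TLS/RTP/SAVPF', 'UDP/TLS/RTP/SAVP', 'RTP/SAVPF', 'RTP/SAVP',
]);

// Split an SDP into session-level lines and per-media sections (each "m=" block).
function parseSdp(sdp) {
  const session = [];
  const media = [];
  for (const line of sdp.split(/\r?\n/).filter(Boolean)) {
    if (line.startsWith('m=')) media.push([line]);
    else if (media.length) media[media.length - 1].push(line);
    else session.push(line);
  }
  return { session, media };
}

// Return { ok, problems }; problems lists every media section that is not DTLS-SRTP.
function auditSdp(sdp) {
  const { session, media } = parseSdp(sdp);
  const problems = [];
  media.forEach((section, i) => {
    const proto = section[0].split(' ')[2];      // m=<media> <port> <proto> <fmt>...
    const scope = session.concat(section);       // attributes may be session- or media-level
    const hasFingerprint = scope.some((l) => l.startsWith('a=fingerprint:'));
    const hasSetup = scope.some((l) => /^a=setup:(actpass|active|passive)$/.test(l));
    if (!ENCRYPTED_PROFILES.has(proto)) problems.push(`m-line ${i}: plain RTP profile ${proto}`);
    if (!hasFingerprint) problems.push(`m-line ${i}: no DTLS fingerprint`);
    if (!hasSetup) problems.push(`m-line ${i}: no DTLS setup role`);
  });
  return { ok: problems.length === 0, problems };
}

// Constructed WebRTC-style offer: DTLS-SRTP profile, fingerprint and setup role present.
const WEBRTC_OFFER = [
  'v=0', 'o=- 1 1 IN IP4 127.0.0.1', 's=-', 't=0 0',
  'a=fingerprint:sha-256 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF', // placeholder
  'a=setup:actpass',
  'm=audio 9 UDP/TLS/RTP/SAVPF 111', 'c=IN IP4 0.0.0.0', 'a=rtpmap:111 opus/48000/2',
].join('\r\n');

// Constructed legacy SIP-phone-style offer: plain RTP, no keying material at all.
const LEGACY_OFFER = [
  'v=0', 'o=- 2 2 IN IP4 127.0.0.1', 's=-', 't=0 0',
  'm=audio 5004 RTP/AVP 0', 'c=IN IP4 127.0.0.1', 'a=rtpmap:0 PCMU/8000',
].join('\r\n');
```

Calling `auditSdp(WEBRTC_OFFER)` yields `ok: true`, while `auditSdp(LEGACY_OFFER)` reports three findings for its single audio line.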

WebRTC is the most secure VoIP solution out there. Yes – you need to take care of signaling, and of security, identity, authentication and authorization at that level – but haven’t we got these issues covered already in the other web services that we use?

WebRTC uses the right concepts to make it the most modern and secured VoIP infrastructure. Don’t settle for less.


Comments

  1. WebRTC is moving to DTLS-SRTP which provides authentication. The way it all ties in with ICE / STUN is very interesting and has created a lot of debates which have generated improvements at the various standard bodies.

    Some push back from traditional vendors is always expected… but
    1) It’s an opportunity to sell new boxes, isn’t it? :)
    2) The thing that drives the WebRTC effort is not traditional vendors, it is the web.

    /Serge

    • Tsahi Levent-Levi says:

      Serge,

      You are of course correct.

      My main fascination here isn’t at the specifics of what security spec is part of WebRTC, but rather the fact that it is drastically different than other VoIP solutions in 2 ways:
      1. Security is mandated – no RTP to speak of
      2. The deployment model and reliance on browsers make for easier fixing of security flaws
