The SDP descriptions are used as part of the full ICE workflow for NAT traversal. The recipient in turn responds with its own SDP description. This includes a self-generated SDP description to exchange with their peer. When a caller wants to initiate a connection with a remote party, the browser starts by instantiating a RTCPeerConnection object.
A RTCPeerConnection interface represents the actual WebRTC connection, and is relied upon to handle the efficient streaming of data between two peers. RTCPeerConnection is the first of two APIs which are offered specifically as part of the WebRTC specification. Although utilised by WebRTC, this API is actually offered as part of HTML 5. GetUserMedia is one such API, enabling a browser to access a user's camera and microphone. However, the era of HTML 5 has ushered in direct hardware access to numerous devices, and provides JavaScript APIs which interface with a system's underlying hardware capabilities. getUserMediaįor many years it was necessary to rely on third-party browser plugins such as Flash or Silverlight to capture audio or video from a computer. The implementation and technical details of each protocol and technology are outside the scope of this report, however the relevant documentation is readily available online. These APIs will be named and explained briefly. WebRTC relies on three APIs, each of which performs a specific function in order to enable real-time communication within a web application. This allows for a deeper degree of flexibility in adapting a WebRTC app for a specific use case or scenario. This process is used to initiate and advertise calls, and facilitates connection establishment between unfamiliar parties.Īs depicted in Figure 1, this process occurs through an intermediary server:Ī signaling protocol is not specified within WebRTC, allowing developers to implement their own choice of protocol. The actual communication between peers is prefaced by an exchange of metadata, termed "signalling".
WebRTC resides within the user's browser, and requires no additional software to operate. WebRTC enables direct media-rich communication between two peers, using a peer-to-peer (P2P) topology. For the purposes of this paper however, native applications will be treated as being out of scope. This report will address these topics and examine the protections that WebRTC provides to provide security in all cases. However, this naturally raises concerns over the security of such technology, and whether it can be trusted to provide reliable communication for both the end users and any intermediary carriers or third parties. The prospect of enabling embedded audio and visual communication in a browser without plugins is exciting. SIP), WebRTC communications are directly controlled by some Web server, via a JavaScript API. Some of the main use cases of this technology include the following: Using a suitable browser can enable a user to call another party simply by browsing to the relevant webpage. WebRTC is an open-source web-based application technology, which allows users to send real-time media without the need for installing plugins. This paper will discuss in detail the security of WebRTC, with the aim of demonstrating the comparative security of the technology. However, the open-source nature of the technology may have the potential to cause security-related concerns to potential adopters of the technology. Web Real-Time Communication (abbreviated as WebRTC) is a recent trend in web application technology, which promises the ability to enable real-time communication in the browser without the need for plug-ins or other requirements.