New web technologies are changing the way we interact with the web and with applications. They enable a whole new family of applications for desktop systems and for mobile devices. The specification of HTML5 and related JavaScript APIs paved the way for rich applications backed by web technologies that offer a user experience comparable to native interfaces. Web-based real-time communication (WebRTC) is the next step towards eliminating current browser limitations. It enables direct browser-to-browser or device-to-device communication. In this paper, we target the security and privacy implications of this emerging technology. We developed several attacks on WebRTC that compromise users' security and privacy, as well as the privacy of other devices in the same network. Our evaluation shows that even though WebRTC is built on a solid security basis, users' privacy and communication security can be compromised due to several design decisions. For each attack, we define mitigation strategies that maintain the operation and functionality of WebRTC while protecting users' privacy.