Web-based apps are useless if they’re not secure. This is a crucial matter when it comes to browser-based communication solutions, especially ones that enable participants to share, complete, and sign very sensitive documents online.

Security is a top priority for WebRTC and eFace2Face developers. Both groups are committed to ensuring peace of mind for consumers and businesses. This blog provides an overview of key WebRTC security features.

According to the Internet Engineering Task Force (IETF), WebRTC security requirements stem directly from the fundamental requirement that user protection is the browser’s job. A key to making WebRTC secure is to treat each browser as the only trusted base from which security decisions can be made and to assume that any website could have malicious JavaScript embedded in it. But in a properly functioning system, the browser must rely on other trusted sources. Therefore, the identities of all participants in a WebRTC-based meeting need verification.

Identity verification is at the heart of the decision to grant a web-based application control of a user’s webcam and microphone. A website offering WebRTC-based communication can become the trusted identity provider; WebRTC can also use third-party identity providers (e.g. BrowserID, Federated Google Login, Facebook Connect, LinkedIn) to verify a user’s identity.

When attempting to connect, WebRTC asks the user if the website can use their web camera and microphone. This message appears in a “door hanger”, as shown below.

WebRTC door hanger as it appears in Google Chrome


WebRTC door hanger as it appears in Firefox

Chrome asks the user only once, then remembers the answer for subsequent visits. Firefox, on the other hand, grants one-time permission, meaning the user needs to approve camera and microphone access to make a call regardless of how many times they have visited the site.


The pulsing red dot in the tab indicates that the user is in a WebRTC call

WebRTC has built-in encryption, so it’s impossible to send unencrypted media when using a WebRTC-based application. The aforementioned WebRTC identity work reinforces this preventative measure.

The technology uses the Secure Real-time Transport Protocol (SRTP) to carry media. Its codecs ensure cross-platform interoperability and eliminate codec downloads, which may contain malware.
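
An added example (not from the original post or from eFace2Face): a Node.js check that a session description, such as the one in `RTCPeerConnection.localDescription.sdp`, negotiates SRTP for every audio and video stream. It relies on the standard SDP profile strings and the `a=fingerprint` and `a=crypto` attributes; the function name and both sample SDPs are constructed for illustration.

```javascript
// Added example: SDP values below are constructed; fingerprint and key are placeholders.
const SRTP_PROFILES = new Set([
  'UDP/TLS/RTP/SAVPF', 'UDP/TLS/RTP/SAVP', 'RTP/SAVPF', 'RTP/SAVP',
]);

// Returns one finding per active audio/video m= section of the SDP.
function auditMediaEncryption(sdp) {
  let sessionFingerprint = false;
  let current = null;
  const sections = [];
  for (const line of sdp.split(/\r?\n/)) {
    if (line.startsWith('m=')) {
      const [kind, port, proto] = line.slice(2).trim().split(/\s+/);
      current = { kind, port, proto, fingerprint: false, sdes: false };
      sections.push(current);
    } else if (line.startsWith('a=fingerprint:')) {
      if (current) current.fingerprint = true;
      else sessionFingerprint = true; // session-level value applies to all media
    } else if (line.startsWith('a=crypto:') && current) {
      current.sdes = true; // SDES keying: key material carried in the SDP itself
    }
  }
  return sections
    .filter((s) => (s.kind === 'audio' || s.kind === 'video') && s.port !== '0')
    .map((s) => {
      const issues = [];
      if (!SRTP_PROFILES.has(s.proto)) issues.push(`plain RTP profile ${s.proto}`);
      if (!(s.fingerprint || sessionFingerprint)) issues.push('no DTLS fingerprint');
      if (s.sdes) issues.push('SDES a=crypto key in signaling');
      return { kind: s.kind, proto: s.proto, ok: issues.length === 0, issues };
    });
}

const FP = 'a=fingerprint:sha-256 <PLACEHOLDER-FINGERPRINT>';
const GOOD_SDP = ['v=0', 'o=- 1 1 IN IP4 127.0.0.1', 's=-', 't=0 0', FP,
  'm=audio 9 UDP/TLS/RTP/SAVPF 111', 'a=rtpmap:111 opus/48000/2',
  'm=video 9 UDP/TLS/RTP/SAVPF 96', 'a=rtpmap:96 VP8/90000'].join('\r\n');
const BAD_SDP = ['v=0', 'o=- 2 1 IN IP4 127.0.0.1', 's=-', 't=0 0',
  'm=audio 5004 RTP/AVP 0', 'a=rtpmap:0 PCMU/8000',
  'm=video 5006 RTP/SAVP 96',
  'a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:<PLACEHOLDER-KEY>'].join('\r\n');

console.log(auditMediaEncryption(GOOD_SDP));
console.log(auditMediaEncryption(BAD_SDP));
```

A section is reported as `ok` only when it uses an SRTP profile, a DTLS fingerprint is present at session or media level, and no SDES key appears in the signaling.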

While strong measures are in place, WebRTC security is still a work in progress. The next blog will look at the additional security features of eFace2Face that ensure the protection of the businesses and consumers that use it.

Meet company CEO Dave Patten face-to-face for a more detailed look at the security features of eFace2Face and WebRTC and see how you can grow your online revenue streams quickly and safely.