1. 12
  1. 2

    Am I the only one who sees WebRTC as a pile of security problems without benefit? Just yesterday we had https://lobste.rs/s/dpu0vt/nat_slipstreaming_v2_0_new_attack_variant which leans on multiple issues, but WebRTC is always a part of compromising networks these days.

    If there’s a task that requires NAT traversal, keeping it in its own process means it’s inaccessible to be used as a drive-by from any page I happen to visit. A router can’t distinguish malicious drive-by use from legitimate use.

    1. 3

      without benefit

      WebRTC provides a huge benefit in that it allows plugin-less video calls from browsers. Especially during the ongoing pandemic, video calls have gained a lot of importance to the point where I feel nobody of us here can go even a week without participating in some kind of video call.

      I’d much rather do my video calls through a browser which provides excellent isolation from the system it’s running on and which has some of the best security teams of the world working on keeping it secure, none of which is true for any of the alternative native video call applications.

      There’s no alternative for in-browser video calls than WebRTC, so at least for right now, given the current situation we’re all in, I think WebRTC provides a huge security benefit compared to not having it.

      1. 2

        Maybe some benefit?

        1. P2P connections via browser.
        2. Load balancing via multi cloud instances that just need to turn on rather than be included in DNS or behind a proxy.

        I haven’t seen it used yet but I think it sounds pretty practical.

        1. 1

          I guess the benefit is that it exists and works?

          Unless there’s some alternative that also works? The old Jitsi has been nearly memory holed and never worked well anyway.

          1. 1

            The alternative that I’m suggesting is to not use a browser for this. Right now I’m in a call in Teams, which is really just Electron so it’s built on a browser stack – but it’s not the same browser instance that’s being used to visit arbitrary web sites. I’d like to make this distinction very strict to prevent drive-by sites from using WebRTC network capabilities.

            1. 3

              The Zoom app has a terrible security track record (e.g. taking months to fix an issue that allowed an attacker on the Internet to turn on the camera and microphone and grab whatever they captured) so there’s absolutely no way that I’ll ever install their app on any computer that I use. WebRTC means that, when I have to join a Zoom call, I can do so via the web browser, whose security I trust somewhat more.