Making Web A Global Communication Space with Web Real-Time Communication

Abstract

The web has been a rapidly changing space in terms of its infrastructure and the information users create on it. WebRTC is a new set of technologies that enriches web infrastructure and leads to new ways to create and share information. This paper explores various domains that promise a better web ecosystem for both users and developers. It reviews the challenges of identity authentication and identity resolution. Building on present technologies, it also mentions some future, as yet unexplored applications of WebRTC in daily life. Finally, it recommends some theoretical prospects for technical improvement and their deployment.

Introduction

Web Real-Time Communications (WebRTC) brings an extremely powerful technology close to users while opening up the path for innovative adoptions within the communications landscape. WebRTC is the first browser-based technology that breaks with the Web’s client-server architecture by enabling direct browser-to-browser communication. It is an ongoing joint effort from the W3C and IETF to develop standards that will enable real time communication (RTC) between Web browsers. Although Web browsers can communicate through voice and video using browser-dependent plugins and extensions, WebRTC is the first industrial effort to develop an open platform for RTC over the Web based on standard APIs and protocols.

Web Real Time Communication Logo; source: www.webrtc.org

More than 30 companies and organizations — including Google, Microsoft, Cisco, Mozilla, Huawei, and Ericsson — are investing in WebRTC; their hope is to change both the telecommunications industry and the Web ecosystem. It could change telecommunications by lowering the barrier for Internet companies, browser vendors, and device makers to provide RTC services over the Web. With proper standards, websites and Web browsers collectively can become a new open platform for delivering RTC and collaboration services to users. With this platform and the flexibility of HTML5, developers can rapidly create real-time Web applications that run on any operating system and any device. For users, WebRTC’s benefit isn’t just free phone calls — it’s the ability to interact in a global communication space in an unconstrained way.



Architecture

WebRTC offers web application developers the ability to write rich, real-time multimedia applications (think video chat) on the web, without requiring plugins, downloads or installs. Its purpose is to help build a strong RTC platform that works across multiple web browsers and multiple platforms.

The overall architecture looks something like this:

Courtesy: http://www.webrtc.org/architecture

Exploring WebRTC Identity

WebRTC security architecture

First we consider the usual way identity is managed for communication services. In the telephony world, identity is generally managed in a shared way between providers. An identity is tied to a publicly known address such as a phone number that enforces international standardized rules common for all communication providers (CPs).

These addresses play two roles: in the signaling role, they route the session initiation message to the callee; in the identity role, they let the callee identify the caller and vice versa.

Conceptual Relationship of user identities in WebRTC: ownership of the identity (of), provider of the identity (by), and target of the identity (to).

Things are quite different on the Web. WebRTC lacks a built-in identity system, so it uses those developed for the Web in general. For this reason, the identity layer’s problems are new and unique.

The WebRTC security architecture consists of three distinct component layers:

  1. The identity layer consists of identity providers (IdPs) and their JavaScript proxies, which can authenticate a user to a browser.
  2. The media layer consists of Web browsers that exchange secure real-time media using the Secure Real-Time Transport Protocol (SRTP).
  3. The signaling layer consists of pages and websites that control the calls between browsers.

Creating a global RTC system over the Web entails some acute technical challenges:

  • Identity authentication. How can we authenticate users on the Web? That is, how do we verify their identities to ensure that only the intended parties receive confidential or private information?
  • Identity resolution. How can we locate users on the Web? That is, how do we use identity to find the pages users are visiting so we can deliver calls to them when they’re moving between different websites?




WebRTC Connection

To make a WebRTC connection, a user typically visits a service provider’s website, or calling site. By calling the appropriate JavaScript APIs in the user’s browser, the calling page can set up the WebRTC connection with a remote party.

Structure of Real Time Session

WebRTC uses two distinct paths for communication: the signaling path goes from the call initiator to the call receiver via the existing HTTP(S) connections to the calling sites; the media path is set up in a peer-to-peer fashion between the call initiator and the receiver using network protocols such as Session Traversal Utilities for NAT (Network Address Translation) and Datagram Transport Layer Security-Secure Real-Time Transport Protocol (DTLS-SRTP) for RTC.

For identity and authentication, both communicating parties employ an identity provider (IdP).

WebRTC Deployment

The considerable flexibility in deployment is simultaneously one of the most exciting and most challenging aspects of WebRTC technology. We can apply WebRTC in multiple deployment settings, ranging from a simple scenario with one user contacting the helpdesk from a single calling site to more complex scenarios with multiple calling sites, multiple identity providers, and media gateway services working together to set up video conferencing facilities.

From a security viewpoint, the combination of peer-to-peer RTC and a rich set of JavaScript APIs makes this an interesting target for a broad set of attacks.



Addressing User Identity in WebRTC

User identities in WebRTC services can be involved in two different activities:

  1. The authentication process by which the service — here, the Communication Provider — authorizes the user to log in; and
  2. The verification of the peer users’ identity within a call (or any data transfer).

Identity delivery must be the CP’s responsibility because it’s in charge of the signaling path between Alice and Bob. WebRTC provides browsers with a JavaScript interface for session negotiation based on Session Description Protocol (SDP), so the most reasonable solution has been to include user identities as any other session negotiation parameter in SDP objects.

Addressing Threats in Peer-to-Peer Web

The WebRTC threat model that we’ve discussed calls for a few security mechanisms:

  • Signaling traffic protection (between each browser and the server) using HTTPS;
  • Media traffic protection (between browsers) using DTLS-SRTP;
  • End-to-end authentication of the communicating peers using Cryptographic Identity by verifying the given key pair and its holder; and
  • Protection of media streams from the JavaScript code that handles them using Local Access Controls.
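
The binding between a user identity carried in SDP and the key pair used for DTLS-SRTP can be checked as in the following added example, which is not code from the paper or from any browser. It assumes the `a=identity` and `a=fingerprint` attribute layout of the IETF WebRTC security architecture (RFC 8827), simulates the IdP validation step, and uses constructed sample values and hypothetical function names throughout.

```javascript
// Added example: checks that the identity carried in an SDP offer is bound to
// the DTLS certificate fingerprint the peer will actually use.
// All sample values are constructed; the IdP validation step is simulated.

// Collect every "a=fingerprint:<hash-alg> <digest>" line from an SDP blob.
function sdpFingerprints(sdp) {
  return sdp.split(/\r?\n/)
    .map((line) => /^a=fingerprint:(\S+)\s+([0-9A-Fa-f:]+)\s*$/.exec(line))
    .filter(Boolean)
    .map((m) => `${m[1].toLowerCase()} ${m[2].toUpperCase()}`);
}

// Decode "a=identity:<base64 JSON>" into { idp, assertion }, or null if absent.
function sdpIdentity(sdp) {
  const m = /^a=identity:(\S+)/m.exec(sdp);
  if (!m) return null;
  try {
    return JSON.parse(atob(m[1]));
  } catch (e) {
    return null; // a malformed attribute is treated as "no identity"
  }
}

// validatedContents: the string the IdP proxy returns after it has verified
// the assertion (simulated here). It lists the fingerprints the user signed.
function identityBindsSession(sdp, validatedContents) {
  const id = sdpIdentity(sdp);
  if (!id || !id.idp || !id.idp.domain) return { ok: false, reason: "no-identity" };
  const offered = sdpFingerprints(sdp);
  if (offered.length === 0) return { ok: false, reason: "no-fingerprint" };
  const signed = new Set(
    (JSON.parse(validatedContents).fingerprint || [])
      .map((f) => `${f.algorithm.toLowerCase()} ${f.digest.toUpperCase()}`));
  const unsigned = offered.filter((fp) => !signed.has(fp));
  return unsigned.length === 0
    ? { ok: true, idp: id.idp.domain }
    : { ok: false, reason: "fingerprint-not-signed", unsigned };
}

// Constructed sample data (32-byte digest, placeholder IdP domain and token).
const DIGEST = "4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:19:E5:7C:AB:4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF";
const contents = JSON.stringify({ fingerprint: [{ algorithm: "sha-256", digest: DIGEST }] });
const identityAttr = btoa(JSON.stringify({
  idp: { domain: "idp.example", protocol: "default" },
  assertion: "opaque-idp-token", // placeholder; only the IdP can interpret it
}));
const goodSdp = ["v=0", `a=identity:${identityAttr}`, `a=fingerprint:sha-256 ${DIGEST}`].join("\r\n");
// Same offer after the signaling path replaced the certificate fingerprint.
const tamperedSdp = goodSdp.replace(DIGEST, DIGEST.replace(/^4A/, "00"));
```

`identityBindsSession(goodSdp, contents)` accepts the offer, while the same call on `tamperedSdp` is rejected because the offered fingerprint is not among those the IdP vouched for, which is the case HTTPS on the signaling path alone does not cover.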




Conclusion

These mechanisms are being implemented in browsers right now. As they become available, we will see whether an ecosystem of end-to-end secure WebRTC applications develops.

If the web takes the form of a Global Communication Space, it will certainly revolutionize the internet industry as well as the telecommunication industry!


More about the author- Pankaj Kumar