📝WebRTC security

WebRTC media (audio and video) is carried over SRTP (RFC 3711). Plain, unencrypted RTP is explicitly forbidden: a WebRTC endpoint must not send media over RTP/RTCP and must not negotiate NULL-encryption SRTP cipher suites (RFC 8827).

SRTP itself does not define how the master key gets to the two endpoints; that is left to a separate key-management mechanism. The two that matter for WebRTC are:

  • SDES (SDP Security Descriptions for Media Streams, RFC 4568)
    • the SRTP master key and salt are written, base64-encoded, into an a=crypto: attribute of the SDP
    • early WebRTC drafts allowed it, but the final security architecture (RFC 8827) forbids it: an implementation must not offer SDES or select it if offered
    • SDES is only as secure as the signaling path: the key is readable by anyone who sees the SDP in transit, and the signaling server necessarily sees it, so a compromised server can decrypt every call it relayed
  • DTLS-SRTP (RFC 5764)
    • a DTLS handshake runs between the two endpoints over the media path; the SRTP master keys and salts are derived from that DTLS session with the TLS key exporter, so the keys never appear in signaling
    • the endpoints use self-signed certificates and verify the peer's certificate against the a=fingerprint attribute in the SDP, so the signaling path still needs integrity protection (HTTPS/WSS) to stop a man-in-the-middle swapping fingerprints, but the signaling server learns no key material
    • mandatory to implement and must be offered for every media channel (RFC 8827); it is the only SRTP keying a WebRTC endpoint may use
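The distinction above (DTLS-SRTP required, SDES and plain RTP forbidden) is visible in the SDP that a WebRTC endpoint exchanges, so it can be checked mechanically. The following is an added example, not code from the original notes or from any WebRTC project: it audits an SDP offer or answer for a DTLS fingerprint, an a=setup role, an SRTP (or DTLS/SCTP) transport profile on every m= section, and the absence of SDES a=crypto lines. The two SDP strings are constructed for the example, with a placeholder fingerprint and a placeholder SDES key, and the set of accepted profile names is an assumption of this checker.

```javascript
// Added example, not code from the original notes: check a WebRTC offer or answer for the
// transport-security properties RFC 8827 requires. The SDP strings below are constructed
// for this example (placeholder fingerprint and SDES key), not captured sessions.

// RTP profiles that carry SRTP. WebRTC endpoints offer UDP/TLS/RTP/SAVPF; the other
// forms are accepted here because answers from older stacks still use them.
const SECURE_PROFILES = new Set([
  "UDP/TLS/RTP/SAVPF", "UDP/TLS/RTP/SAVP", "RTP/SAVPF", "RTP/SAVP",
]);
const DATA_PROFILES = new Set(["UDP/DTLS/SCTP", "DTLS/SCTP"]);

// Split an SDP into session-level lines and one array of lines per m= section.
function splitSections(sdp) {
  const session = [];
  const media = [];
  for (const line of sdp.split(/\r?\n/)) {
    if (line === "") continue;
    if (line.startsWith("m=")) media.push([line]);
    else if (media.length === 0) session.push(line);
    else media[media.length - 1].push(line);
  }
  return { session, media };
}

// Returns { ok, problems }. A problem means the SDP would set up something weaker
// than DTLS-SRTP for media or DTLS for the data channel.
function auditSdp(sdp) {
  const { session, media } = splitSections(sdp);
  const problems = [];
  const sessionFingerprint = session.some((l) => l.startsWith("a=fingerprint:"));

  media.forEach((section, i) => {
    const [kind, , profile] = section[0].slice(2).split(" ");
    const where = `m-section ${i} (${kind})`;
    const has = (prefix) => section.some((l) => l.startsWith(prefix));

    if (kind === "application") {
      if (!DATA_PROFILES.has(profile)) {
        problems.push(`${where}: data channel not over DTLS, profile ${profile}`);
      }
    } else if (!SECURE_PROFILES.has(profile)) {
      // RTP/AVP or RTP/AVPF means plain, unencrypted RTP.
      problems.push(`${where}: non-SRTP profile ${profile}`);
    }
    if (has("a=crypto:")) {
      // SDES: the SRTP master key itself is in this line, readable by every
      // hop of the signaling path.
      problems.push(`${where}: SDES a=crypto line present`);
    }
    if (!sessionFingerprint && !has("a=fingerprint:")) {
      problems.push(`${where}: no DTLS certificate fingerprint`);
    }
    if (!has("a=setup:")) {
      problems.push(`${where}: no a=setup role for the DTLS handshake`);
    }
  });
  return { ok: problems.length === 0, problems };
}

// Placeholder fingerprint: 32 bytes of hex, not a real certificate hash.
const FAKE_FINGERPRINT = Array.from({ length: 32 }, (_, i) =>
  i.toString(16).padStart(2, "0")).join(":");

// Constructed DTLS-SRTP offer in the shape a current browser produces.
const GOOD_OFFER = [
  "v=0", "o=- 1 2 IN IP4 127.0.0.1", "s=-", "t=0 0",
  "a=group:BUNDLE 0 1",
  `a=fingerprint:sha-256 ${FAKE_FINGERPRINT}`,
  "m=audio 9 UDP/TLS/RTP/SAVPF 111", "c=IN IP4 0.0.0.0",
  "a=mid:0", "a=setup:actpass", "a=rtcp-mux",
  "a=rtpmap:111 opus/48000/2",
  "a=extmap:1 urn:ietf:params:rtp-hdrext:ssrc-audio-level",
  "m=application 9 UDP/DTLS/SCTP webrtc-datachannel", "c=IN IP4 0.0.0.0",
  "a=mid:1", "a=setup:actpass", "a=sctp-port:5000",
].join("\r\n") + "\r\n";

// Constructed legacy offer: SDES-keyed audio and plain-RTP video, no DTLS at all.
const BAD_OFFER = [
  "v=0", "o=- 1 2 IN IP4 127.0.0.1", "s=-", "t=0 0",
  "m=audio 9 RTP/SAVPF 111", "c=IN IP4 0.0.0.0", "a=mid:0",
  `a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:${"AAAA".repeat(10)}`,
  "m=video 9 RTP/AVP 96", "c=IN IP4 0.0.0.0", "a=mid:1",
  "a=rtpmap:96 VP8/90000",
].join("\r\n") + "\r\n";

console.log(auditSdp(GOOD_OFFER));
console.log(auditSdp(BAD_OFFER).problems.join("\n"));
```

Run it against the SDP a RTCPeerConnection produces (the result of createOffer, or a remote description before calling setRemoteDescription) to confirm that a gateway or legacy SIP peer has not downgraded the session to SDES or plain RTP. The check is deliberately syntactic: it does not verify that the fingerprint matches the certificate actually presented in the DTLS handshake, which the browser does for you.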

Compared to running all of RTP over DTLS, SRTP is more lightweight: it encrypts only the payload, adds a short authentication tag, and leaves the RTP header readable so that SFUs and other middleboxes can route and reorder packets without holding keys. The flip side is that the header and the header extensions are only authenticated, not encrypted: SSRC, sequence number, timestamp, payload type and marker bit are visible to anyone on the path. In particular, the client-to-mixer audio level header extension (RFC 6464), which WebRTC endpoints commonly negotiate, exposes each packet's audio level and voice-activity bit, so an observer can tell who is talking and when without breaking the encryption. RFC 6904 defines encryption of selected header extensions in SRTP for exactly this reason.
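To make the exposure concrete, here is an added example (not code from the original notes or from any SRTP library) that builds one SRTP packet carrying the RFC 6464 audio level in a one-byte RTP header extension (RFC 8285) and then parses back everything an on-path observer can read without the key. The packet is constructed for the example: the payload bytes stand in for ciphertext and the trailing bytes stand in for the authentication tag, and the extension ID 1 and 10-byte tag length are assumptions matching a typical a=extmap negotiation and the SRTP_AES128_CM_HMAC_SHA1_80 suite.

```javascript
// Added example, not code from the original notes: what an on-path observer reads from an
// SRTP packet without the key. SRTP (RFC 3711) encrypts only the RTP payload; the fixed
// header and the RFC 8285 header-extension block are authenticated but sent in the clear.
// The packet is constructed here; its payload is filler standing in for ciphertext and the
// trailing bytes stand in for the authentication tag.

// Assumed negotiated as "a=extmap:1 urn:ietf:params:rtp-hdrext:ssrc-audio-level".
const AUDIO_LEVEL_EXT_ID = 1;
const AUTH_TAG_LEN = 10; // assumed SRTP_AES128_CM_HMAC_SHA1_80 tag length

function concat(...parts) {
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let off = 0;
  for (const p of parts) { out.set(p, off); off += p.length; }
  return out;
}

// Build one SRTP packet: 12-byte RTP header, one-byte-header extension block carrying
// the RFC 6464 audio level (V bit + level in dB below overload, 0 loud ... 127 silence),
// then opaque "encrypted" payload and auth tag.
function buildSrtpPacket({ seq, timestamp, ssrc, level, voice, payloadLen }) {
  const hdr = new DataView(new ArrayBuffer(12));
  hdr.setUint8(0, 0x90);            // V=2, P=0, X=1, CC=0
  hdr.setUint8(1, 111);             // M=0, PT=111 (opus)
  hdr.setUint16(2, seq);
  hdr.setUint32(4, timestamp);
  hdr.setUint32(8, ssrc);
  const ext = new Uint8Array([
    0xbe, 0xde, 0x00, 0x01,                         // profile 0xBEDE, 1 word of data
    (AUDIO_LEVEL_EXT_ID << 4) | 0x00,               // id=1, len-1=0 (one data byte)
    (voice ? 0x80 : 0x00) | (level & 0x7f),
    0x00, 0x00,                                     // padding to a 32-bit boundary
  ]);
  const payload = new Uint8Array(payloadLen).fill(0xaa); // stands in for ciphertext
  const tag = new Uint8Array(AUTH_TAG_LEN).fill(0x55);   // stands in for HMAC tag
  return concat(new Uint8Array(hdr.buffer), ext, payload, tag);
}

// Parse everything that is not encrypted. No key is involved anywhere in this function.
function parseSrtpCleartext(pkt, extId = AUDIO_LEVEL_EXT_ID, tagLen = AUTH_TAG_LEN) {
  const v = new DataView(pkt.buffer, pkt.byteOffset, pkt.byteLength);
  const b0 = v.getUint8(0);
  const b1 = v.getUint8(1);
  const out = {
    version: b0 >> 6,
    hasExtension: (b0 & 0x10) !== 0,
    marker: (b1 & 0x80) !== 0,
    payloadType: b1 & 0x7f,
    seq: v.getUint16(2),
    timestamp: v.getUint32(4),
    ssrc: v.getUint32(8),
    audioLevel: null,
    voice: null,
  };
  let off = 12 + 4 * (b0 & 0x0f);   // skip the CSRC list
  if (out.hasExtension) {
    const profile = v.getUint16(off);
    const end = off + 4 + 4 * v.getUint16(off + 2);
    let p = off + 4;
    if (profile === 0xbede) {       // RFC 8285 one-byte header form
      while (p < end) {
        const b = pkt[p];
        if (b === 0x00) { p += 1; continue; }          // padding byte
        const id = b >> 4;
        const len = (b & 0x0f) + 1;
        if (id === 15) break;                           // reserved id: stop parsing
        if (id === extId && len === 1) {
          out.voice = (pkt[p + 1] & 0x80) !== 0;
          out.audioLevel = pkt[p + 1] & 0x7f;
        }
        p += 1 + len;
      }
    }
    off = end;
  }
  out.encryptedPayloadLen = pkt.length - off - tagLen;
  return out;
}

const packet = buildSrtpPacket({
  seq: 1000, timestamp: 48000, ssrc: 0x12345678, level: 30, voice: true, payloadLen: 60,
});
console.log(parseSrtpCleartext(packet));
```

A passive observer running parseSrtpCleartext over a capture learns the talk/silence pattern of every SSRC (level near 127 and V=0 is silence, a low level with V=1 is active speech) and can correlate streams across a conference, all without touching the ciphertext. Negotiating RFC 6904 encrypted header extensions for the audio level, where both sides support it, removes that signal.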

The WebRTC data channel runs SCTP over DTLS (RFC 8831), so everything it carries is encrypted and authenticated by the DTLS association, normally the same one that keys the media when media and data are bundled.