Do we have any End to End encryption setup for openvidu

End to End encryption setup for openvidu

Hi,

WebRTC protocol encrypts its communications with DTLS/SRTP by default. In fact, the use of unencrypted RTP is explicitly forbidden by the WebRTC specification. (https://webrtc-security.github.io/)

So, this means that communications will be encrypted between the endpoints of the WebRTC connection. But this doesn’t mean that the communication will be completely protected browser-to-browser if you are using an SFU/MCU media server that performs real processing of the media streams (such as OpenVidu or others). That is because in this case the media server is actually the other peer. So, it will decrypt and process information as if it was the other participant of the communication. Then it may proceed to re-encrypt the media (after doing with it what you programmed for that media pipeline, such as recording) and send it back to the other browser. This second communication will also be protected against man-in-the-middle attacks. But, to sum up, browser-to-browser communication will be decrypted in the media server if you route your media connections through it. Actual P2P sessions (where OpenVidu is just a signaling server) would be the only option here, but OpenVidu doesn’t support them yet (it is in our roadmap). I personally heard that WebRTC standard specifiers are working to provide some kind of “two level encryption” to provide real end-to-end encryption for these cases, but I’m not sure it’ll be available anytime soon.

Regards.

3 Likes
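The two-hop decryption described in the answer above, as an added example that is not part of the original thread and is not OpenVidu or browser code: a Node.js simulation of sender, media server and receiver, with and without an inner per-frame layer. AES-256-GCM stands in for DTLS-SRTP on each leg, and the `e2eKey` shared only by the participants, the `relay` function and the sample frame are assumptions made for the illustration.

```javascript
// Added illustration: Node.js simulation, not OpenVidu or browser code.
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// AES-256-GCM seal/open; output layout is iv(12) | tag(16) | ciphertext.
function seal(key, plaintext) {
  const iv = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}
function open(key, sealed) {
  const d = createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  d.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([d.update(sealed.subarray(28)), d.final()]);
}

// Hop keys stand in for the DTLS-SRTP keys of each WebRTC leg. The media
// server is a peer on both legs, so it holds both of them.
const hopSenderToServer = randomBytes(32);
const hopServerToReceiver = randomBytes(32);
// Assumed: participants agreed on this key out of band; the server never sees it.
const e2eKey = randomBytes(32);

// Returns what the media server can read and what the receiver ends up with.
function relay(frame, useFrameEncryption) {
  // Sender: optional inner (per-frame) layer, then the mandatory hop layer.
  const payload = useFrameEncryption ? seal(e2eKey, frame) : frame;
  const leg1 = seal(hopSenderToServer, payload);
  // Media server: terminates leg 1, can inspect/record, re-encrypts for leg 2.
  const seenByServer = open(hopSenderToServer, leg1);
  const leg2 = seal(hopServerToReceiver, seenByServer);
  // Receiver: removes the hop layer, then the inner layer if present.
  const fromHop = open(hopServerToReceiver, leg2);
  const received = useFrameEncryption ? open(e2eKey, fromHop) : fromHop;
  return { seenByServer, received };
}

const frame = Buffer.from('constructed sample video frame');
const hopOnly = relay(frame, false);
const twoLayer = relay(frame, true);
console.log('hop only, server reads frame:', hopOnly.seenByServer.equals(frame));
console.log('two layers, server reads frame:', twoLayer.seenByServer.equals(frame));
console.log('two layers, receiver gets frame:', twoLayer.received.equals(frame));
```

With the inner layer in place the server can still forward frames, but anything that needs the decoded media on the server, such as the recording mentioned above, no longer has plaintext to work with.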

The Insertable Streams are this “two level encryption” for SFU/MCU architecture, right?

It seems so: