WebRTC, or how secure is p2p browser communication?

Presented at AppSec USA 2015, Sept. 24, 2015, 10:30 a.m. (55 minutes)

In this presentation, we will provide the OWASP audience the necessary insights in this emerging Web technology, and discuss the various security aspects of WebRTC. This content is based on a recent study of the Web Security specifications the author has been conducting together with researcher from W3C, IETF and SAP. Firstly, the overall WebRTC architecture will be presented, and the enabling technologies (such as STUN, TURN, ICE and DTLS-SRTP) will be introduced. This architecture will be illustrated in multiple deployment scenarios. As part of this description, the basic security characteristics of WebRTC will be identified. Secondly, we will discuss how the new WebRTC technology impacts the security model of the current Web. They will highlight some of the weaknesses they have spot during their security assessment, as well as discuss the open security challenges with the WebRTC technology.

Presenters:

• Martin Johns - Research Expert - SAP SE
  Dr. Martin Johns is a Research Expert in the Product Security Research unit within SAP SE, where he leads the Web application security team. Furthermore, he serves on the board of the German OWASP chapter. Before joining SAP, Martin studied Mathematics and Computer Science at the Universities of Hamburg, Santa Cruz (CA), and Passau. During the 1990ties and the early years of the new millennium he earned his living as a software engineer in German companies (including Infoseek Germany, and TC Trustcenter). He holds a Diploma in Computer Science from University of Hamburg and a Doctorate from the University of Passau. Martin has a track record of 8+ years applied WebAppSec research, published more than 20 papers on the subject, and is a regular speaker at international security conferences, incl. the OWASP AppSec series, Black Hat, Usenix Security, CCS, PacSec, HackInTheBox, RSA Europe, or the CCC Congress. More information can be found at http://martinjohns.com
• Lieven Desmet - Research Manager - imec-DistriNet-KU Leuven
  Lieven Desmet is Research Manager on Software Secure at the imec-DistriNet Research Group (KU Leuven, Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.

Links:

• https://appsecusa2015.sched.com/event/46Cd/webrtc-or-how-secure-is-p2p-browser-communication

Similar Presentations:

• Kiwicon 8: It's always 1989 in Computer Security (2014) / BeEF for Vegetarians (Hooked Browser Meshed-Networks with WebRTC)
• DEF CON 23 (2015) / Hooked Browser Meshed-Networks with WebRTC and BeEF