coturn cert and pkey for WebRTC required?


We use coturn with Matrix Synapse and Riot clients. Do we need to use cert and pkey in the coturn configuration or is encryption already done completely by WebRTC?

There is 1 answer

Brian:

From this conversation on the coturn GitHub page, forcing DTLS is not needed as long as your signalling layer is secure. The media is already encrypted, the keys for the encryption being shared at the signalling layer:

No, even with an unencrypted connection with the TURN server, the WebRTC data cannot be compromised. Key exchange in WebRTC is done on a different layer (often called the signaling layer), and it is the signaling layer that needs to be encrypted and secure to prevent snooping or MITM attacks. The TURN server is just a relay, it has no knowledge or insight into the data being sent back and forth between WebRTC peers; all it sees are data packets that come from client A which need to be sent to client B. There is the possibility of IP/session data leakage if someone is able to sniff TURN traffic, but honestly, if an actor is able to do so, they will be able to see the source and destination IPs of all traffic anyway, so encrypting the TURN traffic doesn't give you anything. In my experience, an encrypted connection to the TURN server was required because of proxy/firewall rules on a particular client network, not because of the risk of MITM at the TURN server. If your configuration works without (D)TLS to the TURN server, then there's no reason to enforce it. TL;DR make sure your signaling layer is encrypted and secure, don't bother with (D)TLS on the TURN server unless you really need to.

There is also a reference to the WebRTC spec (https://www.w3.org/TR/webrtc/#privacy-and-security-considerations).
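The practical consequence for a Synapse deployment is that `cert` and `pkey` in turnserver.conf only matter when you actually advertise a (D)TLS listener to clients, which for Synapse means a `turns:` entry in `turn_uris` (the "proxy/firewall rules" case the answer mentions). The script below is an added example, not part of the original question or answer and not code from the coturn or Synapse projects. It parses a turnserver.conf and a list of Synapse `turn_uris` and reports when the two disagree: a `turns:` URI with no `cert`/`pkey`, with `no-tls` or `no-dtls` set, or pointing at a port other than `tls-listening-port`. The coturn keys (`cert`, `pkey`, `no-tls`, `no-dtls`, `listening-port`, `tls-listening-port`) and the RFC 7065 URI defaults are real; the two sample configs, the hostname and the shared-secret placeholder are constructed for the example.

```python
"""Consistency check between Synapse turn_uris and a coturn turnserver.conf.

Added example for this Q&A page; not from the original post, coturn or Synapse.
Rule implemented: a turns: URI needs a working (D)TLS listener, so coturn must
have cert= and pkey= and must not disable the matching listener.
"""
import re
from dataclasses import dataclass

# Synapse turn_uris entries use RFC 7065 TURN URIs: turn(s):host[:port][?transport=udp|tcp]
TURN_URI_RE = re.compile(
    r"^(?P<scheme>turns?):(?P<host>[^:?]+)(?::(?P<port>\d+))?"
    r"(?:\?transport=(?P<transport>udp|tcp))?$"
)


@dataclass(frozen=True)
class TurnUri:
    scheme: str
    host: str
    port: int
    transport: str


def parse_turn_uri(uri: str) -> TurnUri:
    m = TURN_URI_RE.match(uri.strip())
    if not m:
        raise ValueError(f"not a TURN URI: {uri!r}")
    scheme = m.group("scheme")
    # RFC 7065 defaults: port 3478 for turn:, 5349 for turns:, transport udp.
    port = int(m.group("port") or (5349 if scheme == "turns" else 3478))
    return TurnUri(scheme, m.group("host"), port, m.group("transport") or "udp")


def parse_turnserver_conf(text: str) -> dict:
    """coturn config: one 'key=value' or bare flag per line, '#' starts a comment.
    Bare flags (no-tls, no-dtls, use-auth-secret, ...) are stored as True."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        conf[key.strip()] = value.strip() if sep else True  # last occurrence wins
    return conf


def check_tls_consistency(conf: dict, turn_uris) -> list:
    """Return findings (INFO/WARN/ERROR strings); an empty list means consistent."""
    findings = []
    secure = [u for u in (parse_turn_uri(x) for x in turn_uris) if u.scheme == "turns"]
    if not secure:
        # Only turn: URIs are handed out: media is DTLS-SRTP between peers anyway,
        # so cert/pkey are not required for what clients will use.
        findings.append("INFO: no turns: URIs handed out; cert/pkey are not needed for these URIs")
        return findings
    for key in ("cert", "pkey"):
        if key not in conf:
            findings.append(f"ERROR: turns: URI configured but '{key}' is missing from turnserver.conf")
    tls_port = int(conf.get("tls-listening-port", 5349))  # coturn default
    for u in secure:
        label = f"{u.scheme}:{u.host}:{u.port}?transport={u.transport}"
        if u.transport == "tcp" and conf.get("no-tls"):
            findings.append(f"ERROR: {label} needs a TLS listener but no-tls is set")
        if u.transport == "udp" and conf.get("no-dtls"):
            findings.append(f"ERROR: {label} needs a DTLS listener but no-dtls is set")
        if u.port != tls_port:
            findings.append(f"WARN: {label} uses port {u.port} but tls-listening-port is {tls_port}")
    return findings


# Constructed sample inputs (hostname and secret are placeholders, not real values).
SECURE_CONF = """
listening-port=3478
tls-listening-port=5349
realm=example.org
use-auth-secret
# placeholder; must match turn_shared_secret in homeserver.yaml
static-auth-secret=REPLACE_ME
cert=/etc/coturn/fullchain.pem
pkey=/etc/coturn/privkey.pem
"""

PLAIN_CONF = """
listening-port=3478
realm=example.org
use-auth-secret
static-auth-secret=REPLACE_ME
no-tls
no-dtls
"""

# What Synapse's turn_uris would hand out to Riot/Element clients.
URIS = [
    "turn:turn.example.org:3478?transport=udp",
    "turn:turn.example.org:3478?transport=tcp",
    "turns:turn.example.org:5349?transport=tcp",
]

if __name__ == "__main__":
    for name, text in (("secure", SECURE_CONF), ("plain", PLAIN_CONF)):
        print(name, check_tls_consistency(parse_turnserver_conf(text), URIS) or ["OK"])
```

Run against `SECURE_CONF` the check is clean; against `PLAIN_CONF` it reports the missing `cert` and `pkey` and the `no-tls` flag, because the `turns:` URI would fail the TLS handshake on port 5349. Dropping the `turns:` URI from the list yields only the informational line, which is the situation the answer describes: relay over plain TURN, confidentiality provided by DTLS-SRTP between the peers.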