How to Communicate Securely over the Internet

Today, I published a new Internet-Draft on how to securely communicate over the Internet using a new web technology known as WebRTC and the ZRTP protocol.  Using this technique, Internet users can determine if the National Security Agency, or anyone else, is listening in to their calls placed using a web browser.  There are already a number of commercial and open source products utilizing ZRTP, including Silent CircleJitsi, and others, but this new technique opens it up for all web users.

The WebRTC Book

For those of you not involved in the VoIP or video conferencing world, WebRTC, or Web Real-Time Communications, is a new standards effort to add real-time voice and video communications capabilities to web browsers.  This allows web developers to add voice and video communications with a few standard JavaScript calls.  All the pieces needed to communicate, including codecs and the ability to traverse NAT and firewalls, are built into the browser.  Today, WebRTC is available in the Chrome and Firefox browsers, and in Chrome for Android.  I’ve written a book on WebRTC if you want to learn more about it.

With WebRTC, all media flows are encrypted and authenticated using Secure RTP or SRTP.  Unfortunately, the keying method chosen for WebRTC is DTLS-SRTP or Datagram Transport Layer Security for Secure Real-time Transport Protocol.  DTLS-SRTP on its own does not provide protection against Man-in-the-Middle (MitM) attacks, also known as eavesdropping attacks.    Today, the news is full of reasons why Internet users need such protection.  We now know the surveillance of Internet users is widespread.

The ZRTP security protocol, published as RFC 6189 back in 2011,  was invented by Phil Zimmermann to allow Internet users to communicate securely and privately over the Internet.   ZRTP was not selected as the default keying method for WebRTC, despite it being the ideal candidate.

However, ZRTP can still be used to provide MitM protection for WebRTC sessions established using DTLS-SRTP.  As described in the new Internet-Draft written by myself, Phil Zimmermann, Jon Callas, Travis Cross, and John Yoakum, ZRTP can be implemented in JavaScript and run in both browsers over the WebRTC data channel.  The ZRTP exchange is used to compare the DTLS-SRTP fingerprints used to establish the media flows.  If the fingerprints match, and the ZRTP exchange is authenticated by the users comparing the Short Authentication Strings (SAS) displayed on each browser, the WebRTC media sessions are free of MitM attackers.

Jitsi Short Authentication String

How does this work?  You’ll have to read the ZRTP specification to find out exactly how, but in simple technical terms,  it is because ZRTP uses a technique known as a Diffie-Hellman key exchange augmented with a hash commitment.  This allows the SAS, which can be two words or four hex digits, to prove that a media session has no eavesdroppers present.

We have documented this usage of ZRTP with WebRTC in the Internet-Draft document draft-johnston-webrtc-zrtp.  Hopefully soon there will be some open source ZRTP JavaScript libraries freely available for web developers.

Everyone needs privacy in their communication, and WebRTC with ZRTP finaly provides a real solution to all Internet users.


, , , , , ,

  1. #1 by hanumesh13 on September 20, 2013 - 5:37 am

    this is Cool …………… waiting eagerly !!!1

  1. The WebRTC Book, Second Edition | Alan Quayle Business and Service Development

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: