Request for Addition of WebRTC Security Subcategory in ASVS #1612
Comments
|
Can you suggest requirements that you think are not explicitly covered by existing requirements. For example, I think we already have a requirement that all communications should be via TLS so I don't think we need extra requirements for that. |
tghosth
added
1) Discussion ongoing
|
hi @ImanSharaf any thoughts on this? |
|
The specific check related to the TURN server and XOR-PEER-ADDRESS addresses a unique WebRTC-related concern that isn't necessarily covered by general security guidelines. SDP exchanges are unique to WebRTC and similar real-time communication protocols. Validating and sanitizing these exchanges are essential as they contain vital information about the media and data streams. They could be exploited if not secured properly. Unlike traditional communication channels, WebRTC sessions have unique characteristics, and ensuring their secure termination is essential to avoid unintended data leaks or unauthorized access. |
|
So can you suggest some specific requirements @ImanSharaf ? |
|
Sure, do we want to create a subcategory for WebRTC similar to Websocket? |
|
How many requirements you have in mind? Web Socket category in my opinion contains duplicates which can easily handled with "parent" or more general requirement (but this is separate topic). |
|
Yeah let's see the WebRTC requirements first and then decide if we want a dedicated section or not. |
elarlang
added
the
2) Awaiting response
|
@ImanSharaf do you have suggested requirements for this? |
tghosth
added
Community needed
|
Hi there, as mentioned on X, we should be able to help on this very topic since it is one of our favorites 🙂. Some references of past publications:
Also attaching the mindmap that we created to illustrate the WebRTC infrastructure attack surface as we see it.
We hope to convert some of this into ASVS styled requirements. Is this a good direction? cc: @tghosth @ImanSharaf |
|
@sandrogauci thank you. Please propose your suggested requirements. |
|
Here is a starting point forWebRTC from an expert system.
WebRTC Security Requirements
1. **Authentication and Authorization:**
- Verify that all peers are authenticated before establishing a connection.
- Verify that only authorized users can initiate or join a WebRTC session.
- Verify the use of secure tokens (e.g., JWT) to authorize WebRTC connections, ensuring tokens are short-lived and signed.
2. **Data Encryption:**
- Verify that all WebRTC signaling data is transmitted over HTTPS (TLS).
- Verify that all media streams (audio, video, and data channels) are encrypted using SRTP and DTLS.
3. **Signaling Security:**
- Verify the use of strong authentication and integrity mechanisms for the signaling channel.
- Verify that all signaling messages are validated for correctness and conform to expected formats.
4. **Data Integrity and Confidentiality:**
- Verify the implementation of end-to-end encryption (E2EE) for WebRTC media streams where possible.
- Verify the use of secure key exchange mechanisms (e.g., DTLS-SRTP) for negotiating encryption keys between peers.
5. **Privacy Protection:**
- Verify that explicit user consent is obtained before accessing any media devices (e.g., camera, microphone) and users are notified when media streams are active.
- Verify that the minimal set of permissions necessary for the application’s functionality is requested.
6. **Session Management:**
- Verify that session initialization includes mutual authentication and integrity checks.
- Verify the implementation of session timeout mechanisms to terminate idle WebRTC sessions.
7. **Logging and Monitoring:**
- Verify that significant events such as session initiation, termination, and errors are logged securely.
- Verify the monitoring of WebRTC sessions for anomalous behavior and appropriate action when anomalies are detected.
8. **Error Handling and Failover:**
- Verify robust error handling to manage unexpected conditions during WebRTC sessions without leaking sensitive information.
- Verify the provision of mechanisms for seamless failover in case of peer or network failure.
|
|
Hi @sandrogauci, This sounds really interesting. A few comments:
|
|
hey @tghosth - I hope to start working on this tomorrow. Your comments make total sense - most of our work has been for people implementing the WebRTC protocols themselves but most people will not be doing that and will use some existent SDK which uses some CPaaS. I'll give it further thought, but offhand, such recommendations would be specific to that SDK. Might be too specific for ASVS then? Not sure. With regards to avoiding duplicates with other areas (e.g. Websocket) - definitely. WebRTC in fact doesn't rely on WS, but WS is one of the more common ways to do signalling. Thanks for the tip on high level guidance vs more detailed guidance! Very useful, especially for an ASVS newbie like myself 🙂 |
|
hi @tghosth - we went through our internal documents and came up with the following so far: TURN server
Media
Signalling
Naturally there is more work to be done. Is this the right direction? |
|
Updating my comment as per @tghosth suggestion with some introductory text to make it clear to whom the WebRTC security requirements are especially relevant: General introduction to WebRTC security requirements: WebRTC (Web Real-Time Communication) has become a cornerstone technology for enabling real-time voice, video, and data communication in web applications. As the adoption of WebRTC grows across various sectors, it is imperative to ensure that security measures are integrated into these implementations. Here we aim to provide comprehensive security requirements tailored to the needs of different stakeholders involved in the WebRTC ecosystem. The WebRTC market can be broadly categorized into three segments:
The security requirements outlined here are primarily focused on Product Developers, CPaaS and Service Providers who:
It is important to note that these security requirements do not apply to developers who exclusively use SDKs and APIs provided by CPaaS vendors. For such developers, the CPaaS providers are typically responsible for most of the underlying security concerns within their platforms, and a generic security standard like ASVS may not fully address their needs. TURN serverTURN (Traversal Using Relays around NAT) servers play a crucial role in WebRTC applications by facilitating peer-to-peer connections in challenging network environments. However, they can also introduce security risks if not properly configured and secured. These requirements only apply to systems that host TURN servers as part of their WebRTC infrastructure. Requirements:
Media handlingMedia security is paramount in WebRTC applications, as it directly impacts the confidentiality, integrity and availability of audio and video communications. By addressing these security concerns, developers can safeguard the media streams in WebRTC applications, preventing eavesdropping, tampering, and denial-of-service attacks that could compromise user privacy and communication quality. Requirements:
SignallingSignaling is a critical component of WebRTC applications, responsible for coordinating communication sessions between peers. The security of the signaling process is essential to prevent unauthorized access, eavesdropping, and service disruptions. Requirements:
|
|
Hi @sandrogauci, this is looking really good :) A few queries:
This feels like a basic TLS thing, do you think it is necessary to mention it?
What is the action here? To configure the media server with strong cipher suites? Can you reword to focus on the action?
Is there a specific mechanism we could mention which helps to prevent this?
Is there a specific mechanism we could mention which helps to prevent this?
Could this be merged with the above?
What would it use to handle these? Input validation?
Again, it would be good to mention the basic mechanisms or techniques which would prevent these, e.g. input validation, rate limiting. |
|
Hi @tghosth thanks for the excellent feedback and the direction. I'll first answer your questions and then update my previous suggestions according to your feedback.
it's indeed a valid question. While DTLS is essentially an extension of TLS for UDP, its application in WebRTC introduces unique security concerns that differ from traditional TLS:
For more some details, refer to the Introduction to WebRTC and DTLS for Security Professionals. Also this is coming from having seen the following case: Slack DTLS uses a private key that is in the public domain, which may lead to SRTP stream hijack Then:
regarding your suggestion to merge the SRTP packet handling with recording mechanism checks:
Given the above, do you think we should keep them separate or merge them? I have updated the previous notes/suggested requirements and tried to have a course of action in each of them as you suggested. Is this what you had in mind? TURN server
Media handling
Signalling
|
|
Ok so happy to keep the DTLS private key requirement with the additional explanation and to keep the SRTP packet handling requirements separate. Do you want to PR your requirements into this file in this branch. I will have some further tweaks but I'd rather do them as part of the PR review. |
Excellent, I'll include that in.
Will do that, probably towards the end of this week.
That is great - thanks for the help and assistance! |
* WebRTC: first commit based on content in issue #1612 (comment) * add control objective title * update references add relevant RFCs fix title * add link to clienthello DoS blog post * update levels according to criteria in the details below - signalling 53.3.2 set to l2 based on 5.4.3 - media 53.2.7 set to l2 based on 5.4.3 - targeted application DoS issues (i.e., 53.1.2, 53.2.3, 53.2.5, 53.2.6 and 53.3.1) set to l2 since they are usually targeted attacks - 53.2.2 level based on 9.4.1 * fix markdown according to markdownlint-cli
|
Thanks @sandrogauci, I think the levels will all be finalised at the end anyway. I made some tweaks and some comments here, please could you take a look :) |
* WebRTC: first commit based on content in issue #1612 (comment) * add control objective title * update references add relevant RFCs fix title * add link to clienthello DoS blog post * update levels according to criteria in the details below - signalling 53.3.2 set to l2 based on 5.4.3 - media 53.2.7 set to l2 based on 5.4.3 - targeted application DoS issues (i.e., 53.1.2, 53.2.3, 53.2.5, 53.2.6 and 53.3.1) set to l2 since they are usually targeted attacks - 53.2.2 level based on 9.4.1 * fix markdown according to markdownlint-cli
|
This was merged in with #2008. I will close this issue for now! Thanks @sandrogauci!!! |
Many thanks to you too and anyone who contributed! I have opened #2032 because there was a small mistake introduced in one of the last commits that slipped us. |
|
Oops, thanks |
I noticed that there is a dedicated subcategory for WebSocket security, but not for WebRTC (Web Real-Time Communication). Given the growing adoption of WebRTC in modern applications for audio, video, and data communication, I believe it is essential to address its security considerations within the ASVS.
I would like to propose the addition of a new subcategory specifically for WebRTC security. This subcategory could include items such as:
I can write them in the ASVS style after we confirm what requirements we want to add.
Also, there are some good write-ups that we can extract valuable checks out of them such as this one ($3,500 was paid as bounty by Slack):
Inclusion of these items and potentially others would significantly benefit the community by raising awareness and providing guidance on securing WebRTC implementations.
The text was updated successfully, but these errors were encountered: