WebRTC is an API definition by the World Wide Web Consortium (W3C) which obtained a high popularity among browser-to-browser applications. One of the core reasons for that popularity is the simplicity it provides to set up a peer-to-peer connection. Although it is often mainly used for audio and video communication, there is also a Data Channel that allows arbitrary bidirectional data transfers between two peers. Datagram Transport Layer Security (DTLS), which is based on Transport Layer Security (TLS), is being used as WebRTC's security layer.
In the recent past, plenty of vulnerabilities in TLS have been revealed and it is reasonable to assume that there are more to come. In addition, WebRTC API users have no control over the key pair generation, nor how the public keys are being exchanged between the peers. However, even more problematic is that WebRTC requires an implementation of a Signalling Channel to exchange metadata that is required to set up a peer-to-peer connection. This metadata already contains security-relevant information that no third party should be able to read or modify, unless it is absolutely necessary for the use case.
This work presents a solution that uses the Networking and Cryptography library (NaCl) to provide another security layer for WebRTC Data Channels and a secure implementation of the Signalling Channel. The developed software collection is called SaltyRTC and will be released on GitHub soon.
Thanks to the guys at Threema who let me fiddle around with WebRTC freely and gave me the possibility to create a Threema Web Client prototype.
The described SaltyRTC protocol has since been carefully improved and is now officially specified here.