Mitm Attack on WebRtc - javascript

I have a problem. I've developed a web app using WebRTC for one-to-one video calls via browser, with a signalling server on Node.js (listening e.g. on port 8181).
Now I would like to implement a MITM attack. I was thinking that Peer_1 should invoke two RTC peer connections, one for the second peer (Peer_2), one to the MITM. The same thing for the second peer.
Now, I was thinking that the signalling server needs to listen on another port for each RTC peer connection received from the two peers (e.g. 8282 for Peer_1 and 8383 for Peer_2).
Am I right? I think that because the signalling server's implementation is for one-to-one communication.
In this way, the signalling server on port 8181 allows end-to-end communication for Peer_1 and Peer_2, on 8282 there is the signalling path for Peer_1 and the MITM, and on 8383 for the MITM and Peer_2.
Am I right or not? Thanks for the support.

Man in the middle refers to interception during transmission, which WebRTC itself is secured against using DTLS and key exchange, so the weak point is usually the signaling server chosen by an application instead.
But what you describe however sounds like Man on both ends. You have to trust the service (the server) to guarantee whom you're being connected to. If that server is compromised, or either client is compromised - say by injection - then there's no guarantee whom you're talking to, since a client can easily forward a transmission to another party.
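The answer above locates the trust problem in signalling: DTLS protects the media path, but the signalling server relays the SDP that carries each peer's certificate fingerprint. As an added example (not part of the original posts), a client can compare the a=fingerprint line of a received SDP with a fingerprint obtained over a separate channel; the sample SDP, the fingerprint values and the function names are constructed for illustration.

```javascript
// Added example: sample SDP and fingerprint values below are constructed.
const TRUSTED = { // learned over a channel the signalling server does not control
  alg: "sha-256",
  hash: "4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:" +
        "19:E5:7C:AB:3A:4B:5C:6D:7E:8F:90:A1:B2:C3:D4:E5",
};
// Stands in for the fingerprint of any certificate other than the peer's.
const SUBSTITUTED = TRUSTED.hash.replace(/^4A:AD/, "00:11");

// Build a minimal constructed SDP carrying the given fingerprint.
function sampleSdp(hash) {
  return [
    "v=0", "o=- 46117317 2 IN IP4 127.0.0.1", "s=-", "t=0 0",
    "m=video 9 UDP/TLS/RTP/SAVPF 96", "c=IN IP4 0.0.0.0",
    "a=setup:actpass", "a=fingerprint:sha-256 " + hash.toLowerCase(),
  ].join("\r\n") + "\r\n";
}

// Collect every a=fingerprint line (session-level or media-level).
function extractFingerprints(sdp) {
  const found = [];
  for (const line of sdp.split(/\r?\n/)) {
    const m = /^a=fingerprint:(\S+)\s+([0-9A-Fa-f:]+)\s*$/.exec(line);
    if (m) found.push({ alg: m[1].toLowerCase(), hash: m[2].toUpperCase() });
  }
  return found;
}

// Every fingerprint in the SDP must equal the trusted one; none at all is a failure.
function checkRemoteSdp(sdp, trusted) {
  const fps = extractFingerprints(sdp);
  if (fps.length === 0) return { ok: false, reason: "no fingerprint in SDP" };
  const alg = trusted.alg.toLowerCase();
  const want = trusted.hash.toUpperCase();
  const bad = fps.filter((f) => f.alg !== alg || f.hash !== want);
  return bad.length === 0
    ? { ok: true, reason: "fingerprint matches" }
    : { ok: false, reason: "fingerprint mismatch: " + bad[0].hash };
}

// In a browser: run checkRemoteSdp(offer.sdp, trusted) before
// pc.setRemoteDescription(offer) and abort the call on { ok: false }.
console.log(checkRemoteSdp(sampleSdp(TRUSTED.hash), TRUSTED));
console.log(checkRemoteSdp(sampleSdp(SUBSTITUTED), TRUSTED));
```

The check is only as strong as the channel used to obtain the trusted fingerprint; if that value also arrives through the signalling server, it proves nothing.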


Is it possible to make p2p chat using javascript without server?

Recently I've been chosen as backend leader for a course in my studies. We are supposed to write the BE for a chat app that will allow users to communicate p2p without any server code (I know it means that there's no BE, but my professor isn't a technical person). I've asked him if it could use WebRTC, but he didn't like the idea of using STUN and TURN servers. So my main question is, is this possible at all? We are talking about an app that will run in the browser, not directly in the OS. And if it is, what protocols/APIs can we use to achieve that?
I am not sure if I get your question right, so here is some general information:
WebRTC as a P2P API relies heavily on servers.
"ICE":
To connect one Peer to the other Peer, the peers need to know their IP address to exchange data. They can "ask" their OS for the registered IP, but this will only yield 127.0.0.1 and their local Network IP. This works for connections on the same computer or between computers in the same local network, but it will fail for everything else.
The ICE servers STUN and TURN are necessary, since your browser clients are behind your router's Network Address Translation (NAT). STUN gets the NAT's IP address and port, and TURN forwards packets as a known, public IP address if STUN fails.
"Signaling":
Let's assume that your peers know their own reachable IP addresses (probably the NAT's IP and port by using STUN and maybe even TURN). Even IF (!) they know their reachable IP, they have to tell the other peer that this IP is, in fact, their IP and the IP to use to contact them. They also have to tell the other peer some other technical information to make the transmission of data work. To use WebRTC, you need to have a WebSocket server (or a combination of Server-Sent Events and HTTP POST messages), which forwards this information.
After everything is established (they know their respective IPs and ports, technical information, etc.), you can then send data over WebRTC's DataChannels.
My Advice:
Do not use WebRTC for the given use case. If you do not want to use a backend server, you have to search for "serverless" web apps. P2P will always rely on some sort of server to start the connection. If you use a "serverless" architecture, someone else is hosting the server / chat service you want to use (also commonly referred to as "cloud based"). If it is about hosting costs for a prototype app, you may have a look at heroku.com, aws.amazon.com, zeit.co, firebase.google.com or other hosting providers with free, limited (test) plans.

WebRTC Receive-only Video without TURN

I'm trying to set up a cost-effective home security camera site where I can login and view the stream with very low latency. WebRTC seemed like a great solution to get very low latency and keep the connection peer to peer.
I am looking to view this from a mobile device, and as a client device I am often behind a symmetric NAT. Since I know the static public IP the camera is behind and control that network, I believe I should be able to create a peer connection for video without the need for a TURN server. I am struggling to figure out how to manage the ICE portion in this case. When I try to connect with just STUN, video does not work.
Given my control of the serving peer's network, should this be possible without TURN? If so is there a way for me to sidestep/implement ICE to establish video with my known server peer IP and configuration? Or is there a better technology to use altogether that would allow very low latency?
Knowing the IP address of the camera isn't going to help you any. Since you are dealing with a symmetric NAT, the NAT device is going to bind every IP:port from inside the network reaching to an IP:port in the external network.
This means that if you pin-hole the data via a STUN server, the NAT device won't be impressed enough by that feat to let you connect into the internal network from any other machine other than that STUN server.
Which leads to the fact that you'll probably need a TURN server...
That said, you might have some issues with how you've set up the STUN server and its configuration.
An easy and rather cheap approach can be to use Twilio NAT traversal service - https://www.twilio.com/stun-turn

How to establish peer connection in web app using coturn (stun/turn) server

I'm building a web app for cam broadcasting. I'm using Django for web app and coturn as (STUN/TURN) signalling server. My goal is to do it with WebRTC.
I don't know how to connect a peer to the signalling server in order to be reachable by the other peer. So what I need to know is how to establish a "PeerConnection".
In the web application, I have all I need (I think): user.id, shared secret, signalling server IP and port, ... But I don't know how to mix it in HTML JS scripts to connect with the coturn server.
I've read the coturn server docs and searched for some examples but can't find examples for this part.
Can anybody show me an example?
I think you are a bit confused; coturn is not a signalling server, it is a TURN/STUN server.
A signalling server is something through which you exchange SDP, ICE candidates and other data between the peers before they get a direct peer-to-peer connection; coturn does not do that.
I cannot explain all the bits, but the gist is that STUN is used for providing the public IP of a peer, and TURN is used as a proxy point for transmitting and receiving data from a peer when it cannot be directly accessed, and in most cases all you require is a STUN server. The only time they get involved in your WebRTC application is when you create the PeerConnection object: you pass the STUN/TURN server details in the config object, for example:
    let pc = new RTCPeerConnection({
      "iceServers": [
        {"urls": "stun:example.com"}, // STUN server address
        {"urls": "turn:example.com", "credential": "test", "username": "test"} // TURN server address
      ]
    });
So as I understand I will not need to use coturn, just one signalling server like SignalMaster or any other like it. Am I wrong?
You still might need coTurn or any other STUN/TURN server to achieve a peer-to-peer or relay connection when a host-host connection is not possible. STUN/TURN is required for ICE to have server-reflexive and relayed candidates to perform ICE and guarantee the connectivity.
WebRTC works on an offer-answer model, so you need some kind of signalling method like SIP/Jingle or another signalling mechanism to exchange the SDP between the two parties. You may use some third-party solution on top of the WebRTC implementation or you can write your own simple signalling stack.
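The question mentions a user id and a shared secret, while the config shown in the answer uses a fixed username and password. As an added example (not code from the original posts or from the coturn project), this Node.js sketch derives a time-limited TURN credential from the shared secret so that no long-lived TURN password reaches the browser. It assumes coturn runs with use-auth-secret and static-auth-secret set to the same secret; the function names, host name and secret are hypothetical.

```javascript
// Added example; names, host and secret are hypothetical placeholders.
const nodeCrypto = require("crypto");

// Credential format assumed here (coturn with use-auth-secret):
//   username = "<expiry-unix-seconds>:<userId>"
//   password = base64(HMAC-SHA1(sharedSecret, username))
function issueTurnCredential(sharedSecret, userId, ttlSeconds, nowSeconds) {
  const username = `${nowSeconds + ttlSeconds}:${userId}`;
  const credential = nodeCrypto
    .createHmac("sha1", sharedSecret)
    .update(username)
    .digest("base64");
  return { username, credential };
}

// Model of the check a TURN server performs: reject expired usernames,
// recompute the HMAC, and compare in constant time.
function verifyTurnCredential(sharedSecret, username, credential, nowSeconds) {
  const expiry = Number.parseInt(username.split(":")[0], 10);
  if (!Number.isFinite(expiry) || expiry < nowSeconds) return false;
  const expected = nodeCrypto
    .createHmac("sha1", sharedSecret)
    .update(username)
    .digest();
  const given = Buffer.from(credential, "base64");
  return given.length === expected.length &&
    nodeCrypto.timingSafeEqual(given, expected);
}

// Config object the application server hands to an authenticated browser
// session, for use in new RTCPeerConnection(config).
function iceConfigFor(cred, host) {
  return {
    iceServers: [
      { urls: `stun:${host}` },
      { urls: `turn:${host}`, username: cred.username, credential: cred.credential },
    ],
  };
}

const now = Math.floor(Date.now() / 1000);
const cred = issueTurnCredential("constructed-secret", "user42", 3600, now);
console.log(JSON.stringify(iceConfigFor(cred, "turn.example.com"), null, 2));
```

The shared secret stays on the application server and the TURN server; only the derived, expiring pair is sent to the client.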

Establish connection with WebSocket

I begin with this technology. I want to establish a TCP/IP connection with an electronic card that has an IP address (the server's map).
I wonder if the WebSocket allow me to make this connection, knowing that at present my interface communicates with the card through a socket implanted in an applet.
Does anyone know the syntax to connect with WebSocket as a parameter an IP address: 135.120.138.105
Thank you
WebSockets are not raw TCP sockets. They have many of the same characteristics (low overhead, persistent, bidirectional, full-duplex) as raw TCP sockets, but they have an initial HTTP-like handshake to implement CORS security and allow easier integration with web servers and existing firewall policies. WebSockets are also message based and have a small header on each frame (2 bytes overhead for small payloads).
You have a couple of options. You can use a program that bridges/proxies between WebSockets and raw TCP sockets such as websockify (Disclaimer: I made websockify) or you can implement the server side of the WebSocket protocol in your server.
WebSockets won't work in your case. While they use TCP/IP, WebSockets have a different API that's designed for higher-level messages to be passed between server and client and it requires support on the server as well, so unless the card contains a WebSocket-enabled web server I think you're out of luck and you'll have to continue with your applet-based design.

Can you connect client to client via web sockets without touching the server?

I don't quite know how to search this in google:
"client to client websocket connections"
"browser to browser websockets"
"websockets without a server"
Haha, is there a way for someone on a webpage in the browser to communicate directly to another person on a web page in the browser, without touching the server?
I am very familiar with socket.io, but that requires all clients emit messages to the server, which can broadcast them to the other connected clients. I am not familiar with the details of web sockets though, so maybe there's a way to communicate without sending messages through the server.
Is this possible? I just want to know the scope of web socket functionality, the limits you can take them to, etc.
Not Web Sockets, but four years later and now we've got browser-to-browser communication!
http://www.webrtc.org/
There are JS libraries built around it to make it easier (e.g. https://simplewebrtc.com/). However, it does still require a server to orchestrate connections.
I know this question is ancient, but it showed up in Google when I searched so it likely will for others!
This is not possible, you have to have the server in the middle.
For an application to accept connections, it has to have a server port open and listening for incoming requests. You cannot have a server socket exposed from a browser. I don't know if you can expose a server socket from within an applet. But even if you could, you would need to know the IP address of the other client for establishing a peer-to-peer connection.
Well, technically when you broadcast, the client emits to the server, the server broadcasts to everyone. I don't think with the current architecture of the web peer-to-peer connections like this are possible.
But it is possible that a client sends a message to the server specifying another client ID, and the server sends it to the other clients using sessions.
The moment you have a client listening for websockets (which you have to do in order to communicate), it becomes a server.
