Password protection and additional E2E encryption layer

Open holtwick opened this issue 5 years ago • 5 comments

Scenario

Somebody guesses the room name and can listen or manipulate the conversation.

Solution

  1. When creating a new room, it has to be flagged as either public or private.
  2. If private, the clients have to negotiate via WebRTC whether they trust each other, usually by proving that they know a common secret.

Discussion

  • What happens if the signaling server is compromised?
  • Prevent brute force attacks

holtwick, Apr 05 '20 07:04
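
One way the private-room check proposed above could work, as an added example that is not part of the original issue or the project's code: each peer proves knowledge of the room password with an HMAC over both nonces and both DTLS fingerprints, so a signaling server that swaps fingerprints fails the check. It assumes Node's `crypto` module with default scrypt cost; the names `deriveRoomKey`, `proof` and `verifyPeer` are hypothetical, and the passwords and fingerprints are constructed sample values.

```javascript
// Added illustration; names are hypothetical, sample values are constructed.
const crypto = require('node:crypto');

// Stretch the room password with scrypt (Node's default cost) so that every
// guess is expensive. The salt is derived from the room name.
function deriveRoomKey(password, roomName) {
  const salt = crypto.createHash('sha256').update('room-auth:' + roomName).digest();
  return crypto.scryptSync(password, salt, 32);
}

// HMAC over length-prefixed fields: role, own nonce, peer nonce, and the DTLS
// fingerprints (the a=fingerprint values of the local and remote SDP).
function proof(key, role, ownNonce, peerNonce, ownFp, peerFp) {
  const h = crypto.createHmac('sha256', key);
  for (const part of [role, ownNonce, peerNonce, ownFp, peerFp]) {
    const buf = Buffer.from(part);
    const len = Buffer.alloc(4);
    len.writeUInt32BE(buf.length);
    h.update(len).update(buf);
  }
  return h.digest();
}

// Recompute what the peer should have sent, from this side's view of the
// connection, and compare in constant time.
function verifyPeer(key, peerRole, peerNonce, myNonce, myLocalFp, myRemoteFp, received) {
  const expected = proof(key, peerRole, peerNonce, myNonce, myRemoteFp, myLocalFp);
  return received.length === expected.length && crypto.timingSafeEqual(received, expected);
}

function demo() {
  const key = deriveRoomKey('correct horse battery', 'team-standup');
  const badKey = deriveRoomKey('guess123', 'team-standup');
  const [fpA, fpB, fpM] = ['sha-256 AA:01', 'sha-256 BB:02', 'sha-256 EE:03'];
  const nA = crypto.randomBytes(16), nB = crypto.randomBytes(16);
  const check = (p, remoteFp) => verifyPeer(key, 'answerer', nB, nA, fpA, remoteFp, p);
  return {
    // Bob (answerer) proves himself to Alice (offerer) over the data channel.
    honest: check(proof(key, 'answerer', nB, nA, fpB, fpA), fpB),
    wrongPassword: check(proof(badKey, 'answerer', nB, nA, fpB, fpA), fpB),
    // Signaling server substituted its own fingerprint fpM in both directions.
    mitm: check(proof(key, 'answerer', nB, nA, fpB, fpM), fpM),
    // Alice's own proof sent back to her.
    reflected: check(proof(key, 'offerer', nA, nB, fpA, fpB), fpB),
  };
}

console.log(demo());
```

Whoever receives a valid proof can still test password guesses against it offline, so scrypt only raises the cost per guess; ruling that out would take a PAKE.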

Depends on #16

holtwick, Apr 06 '20 15:04

Check against German BSI Video Conf Compendium

holtwick, Apr 14 '20 18:04

Comments about security concerns of WebRTC and E2EE: https://news.ycombinator.com/item?id=23523830#23524987

holtwick, Jun 15 '20 08:06

The main goal was achieved by implementing #55. If somebody would like to fund this feature, I'll add it. Otherwise I don't think it is super important any more. In case I would implement it, I would not store anything on the signal server but instead already encrypt any communication that goes through the signal server as well.

holtwick, Jun 19 '20 15:06

https://saltyrtc.org/pages/why-saltyrtc.html

holtwick, Dec 21 '20 09:12