1

I'd like to build a file transfer application with end-to-end encryption similar to magic-wormhole or croc using RTCDataChannels (WebRTC).

Is it possible to perform mutual authentication by validating peer certificates with Web APIs? The idea is to prevent man-in-the-middle attacks by comparing the certificate (or certificate fingerprint) with a value negotiated out-of-band.

There is apparently a getRemoteCertificates and a RTCCertificate interface which should enable access to the remote certificate fingerprint. Also, while looking for solutions, I found a comment related to an old draft of WebRTC. However, I am not sure how an Identity Provider is related to that.

WebRTC implementations must check certificates to be secure. This is covered in section 8.3.5 of the W3C draft: Waiting for all DTLS connections to be established and checking that the certificate fingerprints on all connections match the one provided by the IdP.

Finally, is this a good approach or is it preferred to add another application security layer for authentication?

DurandA

1 Answer

3

This sounds sane to me!

getRemoteCertificates isn't available everywhere unfortunately so that might make it harder. However, you can pull this directly from the SessionDescription! Look for a=fingerprint, it can be either at the media level or global.

I don't know if it makes it easier, but if you control all the clients you can also provide your own certificate! The RTCPeerConnection constructor allows users to pass their own certificates. Then you don't have to worry about MITM at all.

gfile might serve as good inspiration also. It implements file transfer via RTCDataChannels.

Sean DuBois
  • Thanks for your answer and the excellent Pion lib. Why do you think that providing peers' own certificates would prevent MITM? – DurandA Mar 30 '20 at 07:41
  • I would use the same certificate on both sides. When they do the handshake they should then confirm they both have the same exact fingerprint. Since both peers are the ONLY people who have access to the certificate in question that would confirm you are connected to the only other person with the certificate in question! – Sean DuBois Mar 31 '20 at 04:38
  • That would defeat the end-to-end encryption as the signalling server would generate the private key. Also I don't think it can technically be done as [_RTCCertificate_ interface](https://w3c.github.io/webrtc-pc/#rtccertificate-interface) doesn't expose private slots (it is supposed to be generated internally). – DurandA Mar 31 '20 at 08:41
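
The check the answer describes, as an added example (not code from the question, the answer or gfile): it reads every a=fingerprint line from an SDP string, at session or media level, and compares each one with the value the peers exchanged out-of-band. The function names, the sample SDP and fingerprints, and the policy of accepting only one agreed hash algorithm (sha-256) are assumptions made for this example.

```javascript
// Canonical form for comparison: uppercase hex with separators removed.
function normalize(hex) {
  return hex.replace(/[^0-9A-Fa-f]/g, "").toUpperCase();
}

// Collect every a=fingerprint attribute, whether session-level or media-level.
function parseFingerprints(sdp) {
  const re = /^a=fingerprint:(\S+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)\s*$/;
  const found = [];
  for (const line of sdp.split(/\r?\n/)) {
    const m = re.exec(line);
    if (m) found.push({ algorithm: m[1].toLowerCase(), value: normalize(m[2]) });
  }
  return found;
}

// True only if the SDP carries at least one fingerprint and every fingerprint
// uses the agreed algorithm and equals the out-of-band value. A missing or
// mismatching line in any section fails the whole description (fail closed).
function remoteFingerprintMatches(sdp, expectedAlgorithm, expectedHex) {
  const fps = parseFingerprints(sdp);
  if (fps.length === 0) return false;
  const alg = expectedAlgorithm.toLowerCase();
  const want = normalize(expectedHex);
  return fps.every((fp) => fp.algorithm === alg && fp.value === want);
}

// Constructed sample data (not real certificates): 32-byte sha-256 values.
const EXPECTED = "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:" +
                 "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF";
const OTHER = "FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:" +
              "FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00";

// Constructed SDP with one session-level and one media-level fingerprint.
function buildSampleSdp(sessionFp, mediaFp) {
  return [
    "v=0",
    "o=- 1 1 IN IP4 127.0.0.1",
    "s=-",
    "t=0 0",
    `a=fingerprint:sha-256 ${sessionFp}`,
    "m=application 9 UDP/DTLS/SCTP webrtc-datachannel",
    "c=IN IP4 0.0.0.0",
    `a=fingerprint:sha-256 ${mediaFp}`,
    "a=setup:actpass",
    "",
  ].join("\r\n");
}
```

In a browser the first argument would be `pc.remoteDescription.sdp`, checked before any file data is sent. The check relies on the WebRTC implementation rejecting a DTLS certificate that does not match the fingerprint in the SDP.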