In our previous post, we discussed the reasons why StormFree chose to use Web Real-Time Communication (WebRTC) to support our VoIP application. Now we share how we are using it.
WebRTC is a free and open-source technology which enables web browsers and mobile applications to use real-time communication. While this standard provides peer-to-peer (P2P) connectivity by default, we wanted to use it with a server in between peers, as this allows organizations to have a central point of control over their communications. This central server is useful for providing call analytics, allowing administrators to keep track of how and when users are connecting with each other. This type of implementation is of course intended for enterprises, and not for private, personal use.
By default, WebRTC will connect users directly to each other, but sometimes network conditions prevent this from happening. When this is the case, WebRTC will "fall back" to a TURN (Traversal Using Relays around NAT) or STUN (Session Traversal Utilities for NAT) server to conduct the signaling process. Signaling is the process that allows users to discover the network conditions of the other user so that they can establish a stable connection through which communication data can be exchanged. In its default implementation, WebRTC will use Google's TURN or STUN servers to conduct this process, which is a concern for users who want to preserve their privacy.
Coturn is a free and open-source implementation of a TURN and STUN server which can be used to alleviate these privacy concerns in a WebRTC deployment. StormFree has opted to use a Coturn server in our deployment for this reason. Through client-side modifications, our VoIP application will always default to Coturn, forgoing the usual P2P connectivity inherent in WebRTC. This means that the Coturn server is always used to relay the traffic between clients, allowing us to track data usage for billing.
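As an added illustration (this is example code, not StormFree's client or Coturn's own code), the following shows the kind of client-side change that forces a WebRTC connection through a TURN relay rather than letting it go peer-to-peer: the `RTCPeerConnection` is configured with `iceTransportPolicy: "relay"`, and a small guard checks that every gathered ICE candidate really is a relay candidate. The TURN hostname, username and credential are placeholders, and the candidate lines at the bottom are constructed samples in the standard ICE candidate syntax.

```javascript
// Added example (not StormFree's code): relay-only WebRTC client configuration
// plus a check that gathered ICE candidates are relay candidates.
// TURN hostname, username and credential below are placeholders.

const TURN_SERVER = {
  urls: ["turns:turn.example.com:5349?transport=tcp", "turn:turn.example.com:3478"],
  username: "PLACEHOLDER_USER",
  credential: "PLACEHOLDER_CREDENTIAL",
};

// Build a peer-connection configuration that only offers TURN-allocated
// candidates; host and server-reflexive (direct P2P) candidates are never used.
function relayOnlyConfig(turnServer) {
  return {
    iceServers: [turnServer],
    iceTransportPolicy: "relay",
  };
}

// Extract the candidate type from an ICE candidate line, e.g.
// "candidate:<foundation> <component> <transport> <priority> <ip> <port> typ <type> ..."
// Returns "host", "srflx", "prflx", "relay" or null if the line does not parse.
function candidateType(candidateLine) {
  const m = /\btyp\s+(host|srflx|prflx|relay)\b/.exec(candidateLine);
  return m ? m[1] : null;
}

// True only for candidates that go through the TURN relay.
function isRelayCandidate(candidateLine) {
  return candidateType(candidateLine) === "relay";
}

// Keep only the relay candidates from a gathered set.
function filterRelayCandidates(candidates) {
  return candidates.filter(isRelayCandidate);
}

// Wire the config into a browser RTCPeerConnection. Returns null outside a
// WebRTC-capable runtime (e.g. plain Node.js), so the helpers above stay testable.
function createRelayOnlyPeerConnection(turnServer = TURN_SERVER) {
  if (typeof RTCPeerConnection === "undefined") return null;
  const pc = new RTCPeerConnection(relayOnlyConfig(turnServer));
  pc.onicecandidate = (ev) => {
    // With iceTransportPolicy "relay" this branch should never fire; if it does,
    // the client is leaking a direct path and the call setup should be aborted.
    if (ev.candidate && !isRelayCandidate(ev.candidate.candidate)) {
      console.error("non-relay candidate gathered:", ev.candidate.candidate);
    }
  };
  return pc;
}

// Constructed sample candidate lines, as a browser might gather them.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.20 51234 typ host generation 0",
  "candidate:2 1 udp 1686052607 203.0.113.7 51234 typ srflx raddr 192.168.1.20 rport 51234 generation 0",
  "candidate:3 1 udp 41885439 198.51.100.9 60000 typ relay raddr 203.0.113.7 rport 51234 generation 0",
];

console.log("relay candidates:", filterRelayCandidates(SAMPLE_CANDIDATES));
```

In a browser, `createRelayOnlyPeerConnection()` is what a client would call before creating an offer; the candidate filter is a belt-and-braces check that makes a misconfiguration visible in the console rather than silently degrading to a direct connection.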
The use of Coturn does not impact the security of the WebRTC connection, which is allowed to maintain its end-to-end encryption. This is because Coturn and other TURN servers like it only need to parse the User Datagram Protocol (UDP) layer of a data packet in order to relay it between two peers. The server cannot understand or modify any of the application data layer, which is where the real-time data is transmitted. This prevents the Coturn server from compromising the data stream, so even if an attacker gained access to the server, they would be unable to eavesdrop on users' calls.
WebRTC's easy integration with other applications has made it possible for StormFree to embed VoIP functionality into our secure chat application. This means that users can seamlessly launch VoIP calls directly from their existing chat conversations without manually switching to a different application. With WebRTC's robust built-in protections, this implementation satisfies StormFree's ultimate goal of preserving security and privacy for all users.