Opened 5 years ago
Last modified 4 months ago
#1338 assigned enhancement
html mode WebRTC transport
| Reported by: | JAremko | Owned by: | Antoine Martin |
|---|---|---|---|
| Priority: | major | Milestone: | future |
| Component: | html5 | Version: | trunk |
| Keywords: | WebRTC AES html | Cc: |
Description
Xpra html mode works over HTTP so it uses plain text URL. It means that a password and AES key can easily be intercepted. But we can use WebRTC transport with or without signaling server.
Change History (8)
comment:1 Changed 5 years ago by
| Component: | android → html5 |
|---|---|
| Type: | defect → enhancement |
comment:2 follow-up: 3 Changed 5 years ago by
| Milestone: | 1.0 → future |
|---|
comment:3 Changed 5 years ago by
Replying to antoine:
You can use https / wss if you wish..
Using webrtc does not secure things: without a key exchange (or certificate authorities like ssl), your connection is still vulnerable to MITM.
Hm. Doesn't WebRTC without tls (https) provide DTLS https://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security ?
I was thinking that if both client and server have access to signed wss signaling server they can establish secure direct connection. Or they can use other secure channels for the "manual" handshake like internet messengers. it wouldn't require fiddling with self signed certificates on the xpra server to use https.
comment:4 follow-up: 5 Changed 5 years ago by
You've just pushed the "CA's responsability" to a signaling server...
I'm really not keen on the complexity this would bring but will gladly take patches to implement it.
comment:5 Changed 5 years ago by
Replying to antoine:
You've just pushed the "CA's responsability" to a signaling server...
I'm really not keen on the complexity this would bring but will gladly take patches to implement it.
Ok I understand. Thank you for response.
I just don't want to use self signed certificates for tls, but without it this is in no way secure.
comment:6 Changed 4 years ago by
FYI: in the latest releases, the HTML5 client can do HMAC authentication without sending any credentials in plain text to the server. (just the HMAC)
See also #1590
comment:7 Changed 6 months ago by
| Status: | new → assigned |
|---|
Talks of webrtc:
- mailing list : Xpra Implement WebRTC?
- html5 client: ticket:2165#comment:4
- html5 video: ticket:1463#comment:2
Could be useful for audio and video mode, if we can manage dropped packets and re-transmits (see WebRTC AudioProcessing)
In python:
- SO: WebRTC Python implementation : aiortc (asyncio based)
- fullstackpython webrtc
See also #2942 (RTP)
See also WebRTC/Chromium Updates In 2020.
comment:8 Changed 4 months ago by
this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/1338
copyleft 2010 - 2021
You can use https / wss if you wish..
Using webrtc does not secure things: without a key exchange (or certificate authorities like ssl), your connection is still vulnerable to MITM.
The webrtc stuff could be useful for exporting the webcam back to the server, but apart from that I'm not sure it does anything useful for us.