Posted to dev@openmeetings.apache.org by "seba.wagner@gmail.com" <se...@gmail.com> on 2020/04/13 21:04:52 UTC

Security WebRTC and Kurento

Hi,

we are promoting usage of Kurento out of the box. We use HTTPS and wss.

That secures the transport layer.

There might also be something we can do with Content Security Policy
and the same-origin principle (although this may not really apply in a
clustered scenario).

But I don't quite understand if and how it would, for instance, prevent
somebody from another application from connecting to our Media Server and
using it as an open relay. Kurento wouldn't block it, would it?

I understand this would probably require some modifications on the Kurento
side too, to block unauthorised users. Kurento Security just refers to
transport layer security again:
https://doc-kurento.readthedocs.io/en/stable/features/security.html

Which could be my misunderstanding, but it seems there is something missing.

Thanks,
Seb
-- 
Sebastian Wagner
https://twitter.com/#!/dead_lock
seba.wagner@gmail.com

Re: Security WebRTC and Kurento

Posted by Maxim Solodovnik <so...@gmail.com>.
Hello Sebastian,

On Tue, 14 Apr 2020 at 04:05, seba.wagner@gmail.com <se...@gmail.com>
wrote:

> Hi,
>
> we are promoting usage of Kurento out of the box. We use HTTPS and wss.
>
> That secures the transport layer.
>
> There might also be something we can do with Content Security Policy
> and the same-origin principle (although this may not really apply in a
> clustered scenario).
>

Should be done
(and should work in clustered environment)


>
> But I don't quite understand if and how it would, for instance, prevent
> somebody from another application from connecting to our Media Server and
> using it as an open relay. Kurento wouldn't block it, would it?
>

Actually, this code
https://github.com/apache/openmeetings/blob/master/openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/KurentoHandler.java#L388
will drop any connection/endpoint/stream creation attempt
(and according to https://issues.apache.org/jira/browse/OPENMEETINGS-2168
it works :)))

>
> I understand this would probably require some modifications on the Kurento
> side too, to block unauthorised users. Kurento Security just refers to
> transport layer security again:
> https://doc-kurento.readthedocs.io/en/stable/features/security.html
>
>
Yes, this is something I was unable to set up
(and have no time to investigate ...)


> Which could be my misunderstanding, but it seems there is something
> missing.
>
> Thanks,
> Seb
> --
> Sebastian Wagner
> https://twitter.com/#!/dead_lock
> seba.wagner@gmail.com
>


-- 
Best regards,
Maxim