webrtchacks
True End-to-End Encryption with WebRTC Insertable Streams
A couple of weeks ago, the Chrome team announced an interesting Intent to Experiment on the blink-dev list about an API to do some custom processing on top of WebRTC. The intent comes with an explainer document written by Harald Alvestrand which shows the basic API usage. As I mentioned in my last post, this is the […]
The post True End-to-End Encryption with WebRTC Insertable Streams appeared first on webrtcHacks.
Accelerated Computer Vision inside a WebRTC Media Server with Intel OWT
WebRTC has made getting and sending real time video streams (mostly) easy. The next step is doing something with them, and machine learning lets us have some fun with those streams. Last month I showed how to run Computer Vision (CV) locally in the browser. As I mentioned there, local is nice, but sometimes more performance […]
The post Accelerated Computer Vision inside a WebRTC Media Server with Intel OWT appeared first on webrtcHacks.
Does your video call have End-to-End Encryption? Probably not..
Time for another opinionated post. This time on… end-to-end encryption (e2ee). Zoom apparently claims it supports e2ee while it cannot satisfy that promise. Is WebRTC any better? Zoom does not have End to End Encryption Let’s get to the bottom of things fast: Boo Zoom! I reviewed how Zoom implements their web client last […]
The post Does your video call have End-to-End Encryption? Probably not.. appeared first on webrtcHacks.
Stop touching your face using a browser and TensorFlow.js
Don’t touch your face! To prevent the spread of disease, health bodies recommend not touching your face with unwashed hands. This is easier said than done if you are sitting in front of a computer for hours. I wondered, is this a problem that can be solved with a browser? We have a number of […]
The post Stop touching your face using a browser and TensorFlow.js appeared first on webrtcHacks.
Private Home Surveillance with the WebRTC DataChannel (Ivelin Ivanov)
When most people think of WebRTC they think of video communications. Similarly, home surveillance is usually associated with video streaming. That’s why I was surprised to hear about a home security project that leverages WebRTC not for video streaming, but for the DataChannel. WebRTC’s DataChannel might not demo as well as a video call, but […]
The post Private Home Surveillance with the WebRTC DataChannel (Ivelin Ivanov) appeared first on webrtcHacks.
Not a Guide to SDP Munging
SDP has been a frequent topic, both here on webrtcHacks as well as in the discussion about the standard itself. Modifying the SDP in arcane ways is referred to as SDP munging. This post gives an introduction to what SDP munging is, why it’s done and why it should not be done. This is not […]
The post Not a Guide to SDP Munging appeared first on webrtcHacks.
Is everyone switching to Unified Plan?
Review of Chrome's migration to WebRTC's Unified Plan, how false metrics may have misguided this effort, and what that means moving forward.
Continue reading Is everyone switching to Unified Plan? at webrtcHacks.
and the WebRTC Open Source Popularity Contest Winner is…
An analysis of the most popular open-source WebRTC repos on GitHub with a review of how WebRTC itself is doing there.
Continue reading and the WebRTC Open Source Popularity Contest Winner is… at webrtcHacks.
The WhatsApp RTCP exploit – what might have happened?
As you may have heard, WhatsApp discovered a security issue in their client which was actively exploited in the wild. The exploit did not require the target to pick up the call, which is really scary.
Since there are not many facts to go on, let’s do some tea reading…
The security advisory issued by Facebook says:
A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.
Continue reading The WhatsApp RTCP exploit – what might have happened? at webrtcHacks.
Bisecting Browser Bugs (Arne Georg Gisnås Gleditsch)
When running WebRTC at scale, you end up hitting issues and frequent regressions. Being able to quickly identify what exactly broke is key to either preventing a regression from landing in Chrome Stable or adapting your own code to avoid the problem. Chrome’s bisect-builds.py tool makes this process much easier than you would suspect. Arne from appear.in gives you an example of how he used this to work around an issue that came up recently.
{“editor”, “Philipp Hancke”}
In this post I am going to provide a blow-by-blow account of how a change to Chrome triggered a bug in appear.in and how we went about determining exactly what that change was.
Continue reading Bisecting Browser Bugs (Arne Georg Gisnås Gleditsch) at webrtcHacks.
Finding the Warts in WebAssembly+WebRTC
A while ago we looked at how Zoom was avoiding WebRTC by using WebAssembly to ship their own audio and video codecs instead of using the ones built into the browser’s WebRTC. I found an interesting branch in Google’s main (and sadly mostly abandoned) WebRTC sample application apprtc this past January. The branch is named wartc… a name which is going to stick as warts!
The repo contains a number of experiments related to compiling the webrtc.org library as WebAssembly and evaluating the performance.
Continue reading Finding the Warts in WebAssembly+WebRTC at webrtcHacks.
How Janus Battled libFuzzer and Won (Alessandro Toppi)
Thanks to work initiated by Google Project Zero, fuzzing has become a popular topic within WebRTC since late last year. It was clear WebRTC was lacking in this area. However, the community has shown its strength by giving this topic an immense amount of focus and resolving many issues. In a previous post, we showed how to break the Janus Server RTCP parser. The Meetecho team behind Janus did not take that lightly. They got to the bottom of what turned out to be quite a big project.
Continue reading How Janus Battled libFuzzer and Won (Alessandro Toppi) at webrtcHacks.
Lets get better at fuzzing in 2019 – here’s how
Fuzzing is a Quality Assurance and security testing technique that provides unexpected, often random data to a program input to try to break it. Natalie Silvanovich from Google’s Project Zero team has had quite some fun fuzzing various different RTP implementations recently.
She found vulnerabilities in:
- WebRTC – mostly issues in the RTP payload
- FaceTime – a few out-of-bounds, stack corruption, and heap corruption issues
- WhatsApp and what didn’t work
In a nutshell, she found a bunch of vulnerabilities just by throwing unexpected input at parsers.
Continue reading Lets get better at fuzzing in 2019 – here’s how at webrtcHacks.
How Zoom’s web client avoids using WebRTC
Zoom has a web client that allows a participant to join meetings without downloading their app. Chris Koehncke was excited to see how this worked (watch him at the upcoming KrankyGeek event!) so we gave it a try. It worked, removing the download barrier. The quality was acceptable and we had a good chat for half an hour.
Opening chrome://webrtc-internals showed only getUserMedia being used for accessing camera and microphone but no RTCPeerConnection like a WebRTC call should have.
Continue reading How Zoom’s web client avoids using WebRTC at webrtcHacks.