It's advertising that it's secure E2E even behind firewalls, etc., but that's not true because WebRTC will fall back to using a TURN server to relay when other methods fail, which will break the encryption, just FYI.
WebRTC won’t use TURN unless it’s explicitly configured with a TURN server.
Even if it did use a TURN server, WebRTC is still E2E encrypted.
You need to trust the signalling server though.
This library seems to do a few other things, which maybe reduces the trust in the signalling server, but I didn’t really read it in enough detail to comment on it.
You can pass configuration to disable ICE entirely.
Looks like it's using PeerJS, which defaults to a config of using a Google STUN server and no TURN servers. Not sure if using a STUN server compromises the E2E in some way?
I just didn't want to speculate, as I'm not familiar with the security considerations here.
But, thinking about it a bit, couldn't a compromised STUN server establish a MITM by lying to you about your IP, and then relaying to you? This old HN comment describes it: https://news.ycombinator.com/item?id=11192610
I don't know if this would break the E2EE here (although if it wouldn't, I'm not sure how a TURN server would either, as that's just a baked in MITM).
I was wrong actually; it doesn't weaken security as long as the data is encrypted either using DTLS or application-layer encryption. Please ignore my comment lol.
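Pulling the thread together in code, as an added example that is not part of any comment above and is not code from the project being discussed or from PeerJS: the payload of a WebRTC session is protected by DTLS (SRTP for media, SCTP over DTLS for data channels), so a STUN or TURN server only ever sees encrypted packets and their outer addresses. What does travel in the clear is the `a=fingerprint:` line in the SDP, which authenticates the DTLS certificate, and it travels through the signalling server. That is why the signalling server has to be trusted (or the fingerprint checked out of band), while relay candidates do not change the encryption. The SDP, fingerprints and addresses below are constructed, `buildRtcConfig` is a hypothetical helper, and the statement that PeerJS forwards its `config` option to `RTCPeerConnection` is an assumption to check against the PeerJS docs for your version.

```javascript
// Added example (not from the thread, the project, or PeerJS). Pure string handling,
// so it runs under Node without a browser. Shows: (1) reading DTLS fingerprints and ICE
// candidate types out of SDP, (2) how a hostile signalling server can swap the
// fingerprint, (3) an RTCConfiguration that restricts or disables STUN/TURN.

// Fingerprint the local side learned out of band (constructed, not a real certificate).
const EXPECTED_FINGERPRINT =
  "AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:" +
  "AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89";

// What a MITM signalling server would substitute (constructed).
const ATTACKER_FINGERPRINT =
  "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:" +
  "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF";

// Constructed SDP offer for a data channel with host, server-reflexive (learned via STUN)
// and relay (TURN) candidates. Addresses are from RFC 5737 documentation ranges.
const SAMPLE_SDP = [
  "v=0",
  "o=- 4611731400430051336 2 IN IP4 127.0.0.1",
  "s=-",
  "t=0 0",
  "a=fingerprint:sha-256 " + EXPECTED_FINGERPRINT,
  "m=application 9 UDP/DTLS/SCTP webrtc-datachannel",
  "c=IN IP4 0.0.0.0",
  "a=ice-ufrag:abcd",
  "a=ice-pwd:0123456789abcdefghijklmn",
  "a=setup:actpass",
  "a=candidate:1 1 udp 2122260223 192.0.2.10 54321 typ host",
  "a=candidate:2 1 udp 1686052607 203.0.113.5 61000 typ srflx raddr 192.0.2.10 rport 54321",
  "a=candidate:3 1 udp 41885439 198.51.100.7 3478 typ relay raddr 203.0.113.5 rport 61000",
].join("\r\n");

const FINGERPRINT_RE = /^a=fingerprint:(\S+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)\s*$/;
const CANDIDATE_RE = /^a=candidate:\S+ \d+ \S+ \d+ (\S+) (\d+) typ (\S+)/;

function sdpLines(sdp) {
  return sdp.split(/\r?\n/);
}

// Every a=fingerprint line (session or media level) as { hashFunc, value }.
function extractFingerprints(sdp) {
  const out = [];
  for (const line of sdpLines(sdp)) {
    const m = FINGERPRINT_RE.exec(line);
    if (m) out.push({ hashFunc: m[1].toLowerCase(), value: m[2].toUpperCase() });
  }
  return out;
}

// True only if the SDP carries at least one fingerprint and every one of them equals
// the fingerprint learned out of band. Hex case is normalised; anything else fails.
function fingerprintsMatch(sdp, expected) {
  const fps = extractFingerprints(sdp);
  const want = expected.toUpperCase();
  return fps.length > 0 && fps.every((fp) => fp.value === want);
}

// Simulates a hostile signalling server rewriting the offer before forwarding it.
// The relay/STUN servers never had to be involved for this attack.
function substituteFingerprint(sdp, newFingerprint) {
  return sdpLines(sdp)
    .map((line) =>
      FINGERPRINT_RE.test(line)
        ? line.replace(FINGERPRINT_RE, (_m, hashFunc) => `a=fingerprint:${hashFunc} ${newFingerprint}`)
        : line
    )
    .join("\r\n");
}

// ICE candidate types offered, in order of appearance. "relay" means a TURN path exists,
// which changes who sees outer addresses, not whether the DTLS payload is encrypted.
function candidateTypes(sdp) {
  const types = [];
  for (const line of sdpLines(sdp)) {
    const m = CANDIDATE_RE.exec(line);
    if (m && !types.includes(m[3])) types.push(m[3]);
  }
  return types;
}

// Hypothetical helper building a standard RTCConfiguration object. Assumption: PeerJS
// passes its `config` option through to RTCPeerConnection, so this is what you would
// hand it. No iceServers means no STUN/TURN and only host candidates; iceTransportPolicy
// "relay" forces TURN-only so host/srflx addresses are not exposed to the peer.
function buildRtcConfig({ stunUrl = null, turn = null, relayOnly = false } = {}) {
  const iceServers = [];
  if (stunUrl) iceServers.push({ urls: stunUrl });
  if (turn) iceServers.push({ urls: turn.urls, username: turn.username, credential: turn.credential });
  return { iceServers, iceTransportPolicy: relayOnly ? "relay" : "all" };
}

// Stand-alone demo: the honest offer verifies, the rewritten one does not.
console.log("candidate types:", candidateTypes(SAMPLE_SDP));
console.log("honest offer matches:", fingerprintsMatch(SAMPLE_SDP, EXPECTED_FINGERPRINT));
const tamperedOffer = substituteFingerprint(SAMPLE_SDP, ATTACKER_FINGERPRINT);
console.log("tampered offer matches:", fingerprintsMatch(tamperedOffer, EXPECTED_FINGERPRINT));
console.log("relay-only config:", JSON.stringify(buildRtcConfig({ stunUrl: "stun:stun.example.net:3478", relayOnly: true })));
```

In a real client the comparison would be done against a fingerprint shared through some channel the signalling server does not control (a QR code, a voice read-back, a pre-shared value); `fingerprintsMatch` fails closed when the SDP carries no fingerprint at all, so a stripped offer is rejected rather than silently accepted.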