WebRTC Standards & Implementation Q&A

Amir  Zmora  TheNewDialTone  

Dan  Burne3  StandardsPlay  

Alex  Gouaillard  

WebRTC  by  Dr  Alex  /  Citrix  

Session sponsored by

WebRTC.ventures  is  a  custom  design  and  development  shop  dedicated  to  building  WebRTC  based  applicaFons  for  web  and  mobile.  We  have  built  end-­‐to-­‐end  broadcast  soluFons  for  events  and  entertainment  clients,  telehealth  soluFons  for  mulFple  clients,  live  support  tools,  as  well  as  communicaFon  tools  for  a  variety  of  other  applicaFons.    WebRTC.ventures  is  a  recognized  development  partner  of  TokBox  and  has  also  built  naFve  WebRTC  soluFons    

We use CrowdCast….It’s WebRTC

WebRTCStandards.info  

About Us •  Amir Zmora •  Dan Burnett •  Alex Gouaillard

Screen Capture & Screen Sharing with WebRTC

Screen Sharing in WebRTC •  Is WebRTC plus Screen Capture

•  Screen capture gives you MediaStreamTrack •  WebRTC lets you send it

•  We will talk about the Screen Capture piece

Security in native apps •  If you install it, the app has complete access to your device •  So, choosing not to install is the first level of security

Security in the Web model •  Visiting a site is the "install" •  But visiting a site needs to be safe •  So, the Web uses site origin as security

•  By default, limited access to the device browser runs on •  Also, page has access to JS it loads but no access to JS from other tabs/windows

Problem - API keys in stupid sites

Screen capture breaks web model •  Browser controls allow Site A to do a user View-Source on Site B •  Normally, user can see B's popped up source but A can't read •  But with screen capture, A can read

Nasty scenario •  Site A uses WebRTC with user permission to access camera, screen •  Site A scrapes screen image to see what other tabs/windows user has open in browser •  Site A tracks user's eyes with camera •  When user looks away, Site A does view-source on a tab, scrapes the screen, closes

view-source window

WebRTC Screen Capture standard

•  http://w3c.github.io/mediacapture-screen-share/

•  Still very new

navigator.mediaDevices.getDisplayMedia({ video: true }) .then(stream => { // we have a stream, attach it to a feedback video element videoElement.srcObject = stream; }, error => { console.log("Unable to acquire screen capture", error); });

Protections in the standard •  By default no viewing of other tabs or other browser windows, even in other browser apps

(e.g., Chrome app can't see FF browser) •  Requirement for explicit, elevated permissions in order to view these since one app could

control what is presented on the others •  In practice,

•  Permissions will probably be a form of whitelist similar to what FF uses today •  Likely no way for WebRTC apps to get exemptions in advance

Screen Sharing with Chrome

Chrome Specific WebRTC Bits

Media  Stream  Manager  (singleton@browser)    GUM  JS  API  

(tab/sandbox)  

1.  Send  request  

Chrome Specific WebRTC Bits

Media  Stream  Manager  (singleton@browser)    GUM  JS  API  

(tab/sandbox)  

2.  Check  if  MST  is  already  available  

Chrome Specific WebRTC Bits

Media  Stream  Manager  (singleton@browser)    GUM  JS  API  

(tab/sandbox)  

Security  Manager  (source,  origin)  

3.  Check  rights  

2.  Check  if  MST  is  already  available  -­‐  NO  

Chrome Specific WebRTC Bits

Media  Stream  Manager  (singleton@browser)    

Audio  Capturer  

Video  Capturer  

Security  Manager  (source,  origin)  

GUM  JS  API  (tab/sandbox)  

4.  Ask  Corresponding  capturer  type  to  start  capturing  

3.  Check  rights  -­‐  OK  

Chrome Specific WebRTC Bits

Media  Stream  Manager  (singleton@browser)    

Audio  Capturer  

Video  Capturer  

Security  Manager  (source,  origin)  

A  

GUM  JS  API  (tab/sandbox)  

4.  Ask  Corresponding  capturer  type  to  create  one  -­‐  OK  

V  

5.  Store  the  MST  

Chrome Specific WebRTC Bits

Media  Stream  Manager  (singleton@browser)    

Audio  Capturer  

Video  Capturer  

Security  Manager  (source,  origin)  

A  

GUM  JS  API  (tab/sandbox)  

V  

6.  Trigger  callback  

Keep  feeding  frames  

Chrome Specific WebRTC Bits

Media  Stream  Manager  (singleton@browser)    

Audio  Capturer  

Video  Capturer  

Security  Manager  (source,  origin)  

A  

GUM  JS  API  (tab/sandbox)  

V  

NOTE  1:  second  call  for  same  device  with  same  constraints  will  directly  return  the  MST,  that  allows  to  share  streams  across  tabs  without  blocking    

Chrome Specific WebRTC Bits

Media  Stream  Manager  (singleton@browser)    

Audio  Capturer  

Video  Capturer  

Security  Manager  (source,  origin)  

A  

GUM  JS  API  (tab/sandbox)  

V  

NOTE  2:  Recently,  a  second  call  for  the  same  device  but  with  different  constraints  (think  simulcast)  will  indeed  return  a  different  resoluFon.  Before  it  would  return  the  first  resoluFon  asked.    

Chrome Specific WebRTC Bits

Media  Stream  Manager  (singleton@browser)    

Audio  Capturer  

Video  Capturer  

Security  Manager  (source,  origin)  

A  

GUM  JS  API  (tab/sandbox)  

V  

NOTE  3:  Not  only  this  allow  to  share  cams  across  processes,  it  allows  for  global  echo  cancellaFon  (yes,  including  the  key  strokes).  Before  tabs  could  cross  feed.    

Chrome Screensharing 2 steps (1)

Media  Stream  Manager  (singleton@browser)    

Screen/Windows/Tab  Capturer  

Security  Manager  (source,  origin)  

Screensharing  (extension)  

1  2  

3  4  

S  5  

Chrome Screensharing 2 steps (2)

Media  Stream  Manager  (singleton@browser)    

Screen/Windows/Tab  Capturer  

S  

GUM  JS  API  (tab/sandbox)  

With  ID  

Screen Sharing with Firefox

Firefox •  Whitelisting (wiki.mozilla.org/Screensharing)

•  Manual •  Hardcoded •  Extension

Firefox •  Whitelisting - Manual

•  Manual •  Hardcoded •  Extension

Firefox •  Whitelisting - Manual

•  Manual •  Hardcoded •  Extension

Firefox •  Whitelisting (wiki.mozilla.org/Screensharing)

•  Hardcoded ⇒ open a bug! ⇒ Attack surface?

Firefox

•  webex.com,*.webex.com,ciscospark.com,*.ciscospark.com,projectsquared.com,*.projectsquared.com,

•  *.room.co,room.co,

•  beta.talky.io,talky.io,

•  *.clearslide.com,

•  appear.in,*.appear.in,

•  tokbox.com,*.tokbox.com, *.opentok.com,

•  *.sso.francetelecom.fr,*.si.francetelecom.fr,*.sso.infra.ftgroup,*.multimedia-conference.orange-business.com,*.espacecollaboration.orange-business.com,

•  example.com,

•  *.mypurecloud.com,*.mypurecloud.com.au,

•  spreed.me,*.spreed.me,*.spreed.com,

•  air.mozilla.org,

•  *.circuit.com,*.yourcircuit.com,circuit.siemens.com,yourcircuit.siemens.com,circuitsandbox.net,*.unify.com,tandi.circuitsandbox.net,

•  *.ericsson.net,*.cct.ericsson.net,

•  *.conf.meetecho.com,

•  meet.jit.si,*.meet.jit.si,

•  web.stage.speakeasyapp.net,web.speakeasyapp.net,

•  *.hipchat.me,

•  *.beta-wspbx.com,*.wspbx.com,

•  *.unifiedcloudit.com,

•  *.smartboxuc.com,

•  *.smartbox-uc.com,

•  *.panterranetworks.com,

•  pexipdemo.com,

•  *.pexipdemo.com,pex.me,*.pex.me,*.rd.pexip.com,

•  1click.io,*.1click.io,

•  *.fuze.com,*.fuzemeeting.com,

•  *.thinkingphones.com,

•  free.gotomeeting.com,g2m.me,*.g2m.me,gotomeeting.com,*.gotomeeting.com,gotowebinar.com,*.gotowebinar.com,gototraining.com,*.gototraining.com,citrix.com,*.citrix.com,expertcity.com,*.expertcity.com,citrixonline.com,*.citrixonline.com,g2m.me,*.g2m.me,gotomeet.me,*.gotomeet.me,gotomeet.at,*.gotomeet.at

Both Firefox and Chrome •  FF-Whitelisting – Extension / addOn •  Cr – Extension See e.g. here: Blog - https://tokbox.com/developer/guides/screen-sharing/js/

Code - https://github.com/opentok/screensharing-extensions

?

Thank You

Amir  Zmora  TheNewDialTone  

Dan  Burne3  StandardsPlay  

Alex  Gouaillard  WebRTC  by  Dr  Alex