raed667
commented
8 years ago Thank you for your interest,
indeed the project lacks proper documentation. I will try to fix this over the next week.
There are two levels of crypto in this project:
- The first, as you mentioned is DTLS (Datagram Transport Layer Security) which is basically TLS for WebRTC.
- The second, is an application level public-key crypto based on the new Web Cryptography API which tries to provide both data security and some form of authentication.
I will try to write a coherent documentation that explains what is implemented and future improvements.
dominictarr
could you please document the crypto? it's important to know what security properties you are claiming to provide.
I saw this, which seems significant: https://github.com/RaedsLab/EncryptedWebRTChatter/blob/master/js/serverless-webrtc.js#L9
I'm just reading between the lines here, but I'm guessing that the intention is this relies on webrtc's own encryption, but you provide your own key negioation, which is part of the thing pasted between sessions?
Is it still forward secure? is it man in the middleable, etc?