A WebRTC Security Primer

There are a number of recurring themes in my blog articles, and security is near the top of the playlist. If you’ve been a longtime follower of mine, you’ve read about securing SIP signaling with Transport Layer Security (TLS) and media with Secure Real-time Transport Protocol (SRTP). I’ve also written extensively about providing intrusion security with session border controllers. Today I want to spend some time on my latest kick – secure WebRTC.

In case you are new to WebRTC, allow me to give you a one-paragraph definition. However, I highly recommend that novices read my article, WebRTC for Beginners, before tackling this one.

WebRTC is a technology that allows web browsers to send and receive real-time media. With WebRTC, a user can go to a web page and use that web page to make an audio or video call. Media is subsequently sent directly to and from the web browser.

The key word here is directly. There is no requirement that any specialized hardware, such as an SBC, be situated between the web browser and the far-end. One web browser can send and receive real-time video to another web browser across any Internet connection.

Since the Internet is inherently an open, non-secured environment, it is imperative that all WebRTC traffic be encrypted before it leaves the user’s device. For that, the WebRTC developers have settled on two protocols – DTLS and SRTP.

Datagram Transport Layer Security (DTLS) is used to provide communications privacy for datagram protocols. This fosters a secure signaling channel that cannot be tampered with. In other words, no eavesdropping or message forgery can occur on a DTLS-encrypted connection.

DTLS is based on the same principles as its stream-oriented counterpart, Transport Layer Security (TLS), and provides the same levels of security. This means that web browsers exchange DTLS handshakes on every voice, video, and data channel. While this handshake (two round-trips) adds some latency to peer-to-peer setup time, it should not be an issue for most connections.

For a companion piece, please see An Introduction to the Opus Codec.

If you’ve worked with SIP for a while, you should be familiar with Secure Real-time Transport Protocol (SRTP). Like DTLS, SRTP works with unreliable datagram protocols like UDP. However, DTLS encrypts WebRTC signaling while SRTP deals strictly with media.

SRTP media cannot be decrypted by rogue players, thus ensuring that IP communications across an open medium such as the Internet remain private. With SRTP, your WebRTC voice and video traffic will not be heard or seen by unauthorized parties.

The WebRTC specification also offers developers the ability to use Session Description Protocol Security Descriptions (SDES) instead of DTLS, but that seems to be quickly falling out of favor. Google’s Chrome browser no longer supports SDES, and Firefox has never offered support for SDES. Both browsers do support DTLS-SRTP, and that appears to be the ongoing choice.
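As an added example (not code from the original article), the following JavaScript inspects an SDP offer or answer and reports whether each media section is keyed with DTLS-SRTP or with SDES, which is a useful check on a gateway or in a test harness. The function name `auditSdp` and both sample SDP strings are constructed for illustration.

```javascript
// Added example: classify how each SDP media section is keyed.
// Both sample SDP strings are constructed for illustration, not captured traffic.
const SAMPLE_DTLS = [
  "v=0", "o=- 1 2 IN IP4 127.0.0.1", "s=-", "t=0 0",
  "a=fingerprint:sha-256 00:11:22:33", // constructed placeholder, session-level
  "m=audio 9 UDP/TLS/RTP/SAVPF 111", "a=setup:actpass",
  "m=application 9 UDP/DTLS/SCTP webrtc-datachannel", "a=setup:actpass",
].join("\r\n");

const SAMPLE_LEGACY = [
  "v=0", "o=- 3 4 IN IP4 127.0.0.1", "s=-", "t=0 0",
  "m=audio 49170 RTP/SAVP 0",
  "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_KEY_PLACEHOLDER",
  "m=video 49172 RTP/AVP 96", // no keying at all: plain RTP
].join("\r\n");

function auditSdp(sdp) {
  const session = { fingerprint: false };
  const sections = [];
  let cur = null;
  for (const line of sdp.split(/\r?\n/).map((l) => l.trim())) {
    if (line.startsWith("m=")) {
      // m=<kind> <port> <proto> <formats...>
      const [kind, , proto] = line.slice(2).split(" ");
      cur = { kind, proto, fingerprint: false, sdes: false };
      sections.push(cur);
    } else if (line.startsWith("a=fingerprint:")) {
      // A session-level fingerprint (before any m= line) covers every section.
      (cur || session).fingerprint = true;
    } else if (line.startsWith("a=crypto:") && cur) {
      cur.sdes = true; // SDES: the SRTP master key travels inside the SDP
    }
  }
  return sections.map((s) => {
    const dtlsProto = s.proto.split("/").some((p) => p === "TLS" || p === "DTLS");
    const hasFp = s.fingerprint || session.fingerprint;
    let keying = "NONE";
    if (s.sdes) keying = "SDES"; // flagged even if a fingerprint is also present
    else if (dtlsProto && hasFp) keying = s.kind === "application" ? "DTLS" : "DTLS-SRTP";
    return { kind: s.kind, proto: s.proto, keying, ok: keying.startsWith("DTLS") };
  });
}

console.log(auditSdp(SAMPLE_DTLS), auditSdp(SAMPLE_LEGACY));
```

A section reported as `SDES` means the SRTP key is only as private as the signaling path that carried the SDP, while `NONE` means the media is unencrypted RTP.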

I mentioned that an SBC is not required for browser-to-browser WebRTC calls. That is most likely not the case with browser-to-PBX communication. In those instances, enterprises will probably want an SBC on their network edge both to protect their network internals and to perform gateway functionality such as WebRTC-to-SIP.

Mischief Managed

I could certainly go on for quite a bit longer about DTLS-SRTP and WebRTC security, but this should be enough to get you started. The key point is that you don’t sacrifice privacy with WebRTC no matter how open your network connection might be.


Andrew Prokop is the Director of Vertical Industries at Arrow Systems Integration. Andrew is an active blogger and his widely-read blog, SIP Adventures, discusses every imaginable topic in the world of unified communications. Follow Andrew on Twitter at @ajprokop, and read his blog, SIP Adventures.