WebRTC \u7684\u5b89\u5168\u9700\u8981\u6ee1\u8db3\u4e09\u4e2a\u57fa\u672c\u9700\u6c42<\/p>\n
\u5176\u4e2d\u524d\u4e24\u9879\u4e5f\u53ef\u4ee5\u5f52\u7ed3\u4e3a CIA<\/p>\n
WebRTC \u7684\u5b89\u5168\u5728 "RFC8826 Security Considerations for WebRTC" \u6709\u8f83\u4e3a\u8be6\u7ec6\u7684\u9610\u8ff0\u3002<\/p>\n
\u4ee5\u4e00\u4e2a\u7b80\u5355\u7684 WebRTC \u5e94\u7528\u4e3a\u4f8b, \u6211\u4eec\u9700\u8981\u8003\u8651\u6d4f\u89c8\u5668\u5728\u5ba2\u6237\u7aef\u7684\u5b89\u5168\u53ca\u9690\u79c1\uff0c\u901a\u4fe1\u548c\u4f20\u8f93\u7684\u5b89\u5168<\/p>\n
\n +----------------+\n | |\n | Web Server |\n | |\n +----------------+\n ^ ^\n \/ \\\n HTTPS \/ \\ HTTPS\n or \/ \\ or\n WebSockets \/ \\ WebSockets\n v v\n JS API JS API\n +-----------+ +-----------+\n | | Media | |\n | Browser |<---------->| Browser |\n | | | |\n +-----------+ +-----------+\n Alice Bob<\/code><\/pre>\n\u6d4f\u89c8\u5668\u5a01\u80c1\u6a21\u578b<\/h1>\n
\u7531\u4e8e WebRTC \u57fa\u4e8e\u6d4f\u89c8\u5668\u6765\u8fdb\u884c\u5b9e\u65f6\u901a\u4fe1\uff0c\u6d4f\u89c8\u5668\u4f5c\u4e3a\u5ba2\u6237\u7aef\u9700\u8981\u4fdd\u8bc1\u7528\u6237\u6570\u636e\u7684\u5b89\u5168\uff0c\u6240\u4ee5 WebRTC \u5728\u5ba2\u6237\u7aef\u4f9d\u8d56\u4e8e\u6d4f\u89c8\u5668\u7684\u5b89\u5168\u6a21\u578b\u3002
\n\u800c\u73b0\u5728\u6d41\u884c\u7684\u51e0\u5927\u6d4f\u89c8\u5668\u90fd\u9075\u5faa\u7740\u6d4f\u89c8\u5668\u7684\u5b89\u5168\u89c4\u8303\uff0c\u4f8b\u5982\u6c99\u7bb1\u6a21\u578b(sandbox)\uff0c\u540c\u6e90\u7b56\u7565SOP(Same Origin Policy)\uff0c\u7b49\u7b49<\/p>\n
\u6c99\u7bb1\u673a\u5236\u5c06\u811a\u672c\u5f7c\u6b64\u9694\u79bb\uff0c\u5e76\u4e0e\u7528\u6237\u7684\u8ba1\u7b97\u673a\u9694\u79bb\u3002 \u4e00\u822c\u6765\u8bf4\uff0c\u811a\u672c\u53ea\u5141\u8bb8\u4e0e\u6765\u81ea\u540c\u4e00\u57df\u7684\u8d44\u6e90\u4ea4\u4e92 - \u6216\u8005\u66f4\u5177\u4f53\u5730\u8bf4\uff0c\u4e0e\u76f8\u540c\u201c\u6765\u6e90 Origin\u201d\u7684\u8d44\u6e90\u4ea4\u4e92\u3002
\n\u4e00\u4e2a Origin \u7531 URI scheme, hostname, \u548c port number \u6240\u7ec4\u6210\u3002<\/p>\n
SOP \u7684\u9650\u5236\u4fdd\u8bc1\u4e86\u57fa\u672c\u7684\u5b89\u5168\uff0c\u5bf9\u4e8e\u7f51\u7edc\u5e94\u7528\u6765\u8bf4\uff0c\u5982\u679c\u53cc\u65b9\u90fd\u540c\u610f\uff0c\u8de8\u8d8a\u4e00\u4e2a\u6e90\u7684\u901a\u4fe1\u4e5f\u662f\u53ef\u4ee5\u63a5\u53d7\u7684\u3002
\n\u8de8\u6e90\u8d44\u6e90\u5171\u4eab Cross-Origin Resource Sharing (CORS) \u5c31\u662f\u5141\u8bb8\u6d4f\u89c8\u5668\u4f7f\u7528\u5df2\u540c\u610f\u7684\u76ee\u6807\u670d\u52a1\u5668\u7684\u811a\u672c\u3002<\/p>\n
\u5b9e\u9645\u5e94\u7528\u4e2d\uff0cWebRTC \u5e94\u7528\u4f1a\u901a\u8fc7 HTTPS(https:\/\/host<\/a>), Secure WebSocket(wss:\/\/host) \u4e0e\u5176\u4ed6\u670d\u52a1\u5668\u8fdb\u884c\u901a\u8baf\uff0c<\/p>\n\u4f8b\u5982 Web \u5ba2\u6237\u7aef\u53d1\u9001\u4e00\u4e2a\u8bf7\u6c42\u5230\u4e00\u4e2a\u4e0e\u81ea\u8eab\u57df\u540d\u4e0d\u540c\u7684\u670d\u52a1\u5668 (host domain: bar.other)
\n\u5176\u81ea\u8eab\u6765\u81ea\u6e90 foo.example, \u8fd9\u4e2a\u8bf7\u6c42\u4e2d\u5305\u542b HTTP \u5934\u57df "Origin: http:\/\/foo.example<\/a>"<\/p>\n.. code-block::<\/p>\n
GET \/resources\/public-data\/ HTTP\/1.1\nHost: bar.other\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko\/20081130 Minefield\/3.1b3pre\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\nAccept-Language: en-us,en;q=0.5\nAccept-Encoding: gzip,deflate\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\nConnection: keep-alive\nReferer: http:\/\/foo.example\/examples\/access-control\/simpleXSInvocation.html\nOrigin: http:\/\/foo.example\n\n[Request Body]<\/code><\/pre>\n\u7136\u540e bar.other \u8fd9\u53f0\u670d\u52a1\u5668\u4f1a\u68c0\u67e5 HTTP \u8bf7\u6c42\u5934\u5b57\u6bb5 Orgin \u4e0e\u81ea\u5df1\u7684\u914d\u7f6e\u4fe1\u606f\uff0c\u53d1\u9001\u56de\u5982\u4e0b\u54cd\u5e94<\/p>\n
.. code-block::<\/p>\n
HTTP\/1.1 200 OK\nDate: Mon, 01 Dec 2008 00:23:53 GMT\nServer: Apache\/2.0.61\nKeep-Alive: timeout=2, max=100\nConnection: Keep-Alive\nTransfer-Encoding: chunked\nContent-Type: application\/xml\nAccess-Control-Allow-Origin: *\n\n[Response Body]<\/code><\/pre>\nWeb \u670d\u52a1\u5668\u53d1\u9001\u56de HTTP \u54cd\u5e94\u5934\u5b57\u6bb5 Access-Control-Allow-Origin \u901a\u77e5 Web \u5ba2\u6237\u7aef\u5141\u8bb8\u7684\u57df\u3002
\n\u8be5\u54cd\u5e94\u5934\u5b57\u6bb5\u53ef\u4ee5\u5305\u542b "*" \u4ee5\u6307\u793a\u5141\u8bb8\u6240\u6709\u57df\uff0c\u4e5f\u53ef\u4ee5\u5305\u542b\u6307\u5b9a\u57df\u4ee5\u6307\u793a\u6307\u5b9a\u7684\u5141\u8bb8\u57df\u3002<\/p>\n
\u5bf9\u672c\u5730\u5a92\u4f53\u8d44\u6e90\u7684\u6388\u6743\u8bbf\u95ee<\/h1>\n
WebRTC \u5ba2\u6237\u7aef\u7684\u9ea6\u514b\u98ce\uff0c\u6444\u50cf\u5934\u4ee5\u53ca\u684c\u9762\u5c4f\u5e55\u90fd\u662f\u6d89\u53ca\u7528\u6237\u7684\u9690\u79c1\u7684\u9ad8\u5ea6\u673a\u5bc6\u7684\u8d44\u6e90\uff0c\u9700\u8981\u83b7\u53d6\u7528\u6237\u7684\u5145\u5206\u6388\u6743\uff0c\u5e76\u5728\u6355\u83b7\u672c\u5730\u97f3\u9891\u548c\u89c6\u9891\u6d41\u65f6\u663e\u793a\u660e\u793a\u7684\u6807\u8bc6\uff0c\u4f8b\u5982\u201c\u7ea2\u70b9\u201d\uff0c\u8ba9\u7528\u6237\u77e5\u6653\u3002<\/p>\n
\u4fe1\u4ee4\u7684\u52a0\u5bc6\u548c\u8ba4\u8bc1<\/h1>\n
TLS , WSS(Secure WebSocket) \u4ee5\u53ca HTTPS \u662f\u6700\u5e38\u7528\u7684\u4fe1\u4ee4\u5b89\u5168\u4f20\u8f93\u534f\u8bae
\n\u4e5f\u7528\u901a\u8fc7 WebRTC \u7684 datachannel (DTLS + SCTP) \u8fdb\u884c\u4fe1\u4ee4\u4f20\u8f93\u7684\u3002<\/p>\n
\u5a92\u4f53\u7684\u52a0\u5bc6\u548c\u8ba4\u8bc1<\/h1>\n
\u97f3\u9891\u548c\u89c6\u9891\u5a92\u4f53\u7684\u52a0\u5bc6\u8ba4\u8bc1\u6700\u4e3a\u5e38\u7528\u7684\u65e0\u7591\u662f SRTP \u534f\u8bae<\/p>\n
\u53c2\u8003\u8d44\u6599<\/h1>\n\n- https:\/\/telecom.altanai.com\/2015\/04\/24\/webrtc-security\/<\/a><\/li>\n
- RFC8826 Security Considerations for WebRTC<\/a><\/li>\n
- RFC3552 Guidelines for Writing RFC Text on Security Considerations<\/a><\/li>\n
- RFC6973 Privacy Considerations for Internet Protocols<\/a><\/li>\n
- RFC7675 Session Traversal Utilities for NAT (STUN) Usage for Consent Freshness<\/a>_<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
\u6982\u8ff0 WebRTC \u7684\u5b89\u5168\u9700\u8981\u6ee1\u8db3\u4e09\u4e2a\u57fa\u672c\u9700\u6c42 Authentication \u7528\u6237\u8bbf\u95ee\u9700\u8981\u8ba4\u8bc1 Authorization \u7528\u6237\u8bbf\u95ee\u9700\u8981\u6388\u6743 Audit \u7528\u6237\u7684\u8bbf\u95ee\u5e94\u8be5\u53ef\u88ab\u8ffd\u8e2a\u548c\u5ba1\u67e5 \u5176\u4e2d\u524d\u4e24\u9879\u4e5f\u53ef\u4ee5\u5f52\u7ed3\u4e3a CIA Confidentiality \u673a\u5bc6\u6027\uff1a\u4fe1\u606f\u9700\u8981\u4fdd\u5bc6\uff0c \u8bbf\u95ee\u6743\u9650\u4e5f\u9700\u8981\u63a7\u5236 Integrity \u5b8c\u6574\u6027\uff1a\u4fe1\u606f\u9700\u8981\u4fdd\u6301\u5b8c\u6574\uff0c\u5728\u5b58\u50a8\u548c\u4f20\u8f93\u8fc7\u7a0b\u4e0d\u88ab\u672a\u6388\u6743\uff0c\u672a\u9884\u671f\u6216\u65e0\u610f\u5730\u7be1\u6539\u6216\u9500\u6bc1\uff0c\u6216\u8005\u53ef\u4ee5\u5feb\u901f\u68c0\u6d4b\u5230\u88ab\u7be1\u6539 Availablity \u53ef\u7528\u6027\uff1a \u4fe1\u606f\u53ef\u88ab\u5408\u6cd5\u7528\u6237\u8bbf\u95ee\u5e76\u5411\u5176\u63d0\u4f9b\u6240\u9700\u7684\u529f\u80fd\u548c\u7279\u6027\uff0c\u4f8b\u5982\u62d2\u7edd\u670d\u52a1\u653b\u51fb\u5c31\u662f\u5bf9\u53ef\u7528\u6027\u7684\u7834\u574f WebRTC \u7684\u5b89\u5168\u5728 "RFC8826 Security Considerations for WebRTC" \u6709\u8f83\u4e3a\u8be6\u7ec6\u7684\u9610\u8ff0\u3002 \u4ee5\u4e00\u4e2a\u7b80\u5355\u7684 WebRTC \u5e94\u7528\u4e3a\u4f8b, \u6211\u4eec\u9700\u8981\u8003\u8651\u6d4f\u89c8\u5668\u5728\u5ba2\u6237\u7aef\u7684\u5b89\u5168\u53ca\u9690\u79c1\uff0c\u901a\u4fe1\u548c\u4f20\u8f93\u7684\u5b89\u5168 +—————-+ | | | Web Server | | | +—————-+ ^ ^ \/ \\ HTTPS \/ \\ HTTPS or \/ \\ or WebSockets \/ […] →Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-980","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/980"}],"collection":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=980"}],"version-history":[{"count":4,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/980\/revisions"}],"predecessor-version":[{"id":984,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/980\/revisions\/984"}],"wp:attachment":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=980"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=980"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=980"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}