Xpra: Ticket #1338: html mode WebRTC transport

Xpra html mode works over HTTP, so it uses a plain text URL. This means that a password and AES key can easily be intercepted. But we can use a WebRTC transport, with or without a signaling server.

Example: https://github.com/cjb/serverless-webrtc



Tue, 11 Oct 2016 20:33:34 GMT - JAremko: type, component changed


Wed, 12 Oct 2016 03:46:03 GMT - Antoine Martin: milestone changed

You can use https / wss if you wish. Using webrtc does not secure things: without a key exchange (or certificate authorities like ssl), your connection is still vulnerable to MITM.

The webrtc stuff could be useful for exporting the webcam back to the server, but apart from that I'm not sure it does anything useful for us.


Wed, 12 Oct 2016 08:02:31 GMT - JAremko:

Replying to antoine:

You can use https / wss if you wish. Using webrtc does not secure things: without a key exchange (or certificate authorities like ssl), your connection is still vulnerable to MITM.


Hm. Doesn't WebRTC without tls (https) provide DTLS https://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security ? http://webrtc-security.github.io/images/diagram_2_en.png

I was thinking that if both client and server have access to a signed wss signaling server, they can establish a secure direct connection. Or they can use other secure channels for the "manual" handshake, like internet messengers. It wouldn't require fiddling with self-signed certificates on the xpra server to use https.


Wed, 12 Oct 2016 08:06:51 GMT - Antoine Martin:

You've just pushed the "CA's responsibility" to a signaling server... I'm really not keen on the complexity this would bring but will gladly take patches to implement it.


Wed, 12 Oct 2016 08:10:58 GMT - JAremko:

Replying to antoine:

You've just pushed the "CA's responsibility" to a signaling server... I'm really not keen on the complexity this would bring but will gladly take patches to implement it.


Ok, I understand. Thank you for the response.

I just don't want to use self-signed certificates for tls, but without it this is in no way secure.


Thu, 20 Jul 2017 17:04:58 GMT - Antoine Martin:

FYI: in the latest releases, the HTML5 client can do HMAC authentication without sending any credentials in plain text to the server. (just the HMAC)

See also #1590
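
An added illustration of the HMAC challenge-response idea mentioned in the comment above; it is not part of the ticket and not Xpra's code or wire format. The `Server` class, `client_response` function and the salt layout are assumptions made for the sketch, which shows that only salts and a digest cross the wire and that a captured response cannot be replayed.

```python
import hashlib
import hmac
import secrets


def new_salt() -> bytes:
    """Fresh random salt; 32 bytes is an arbitrary choice for this sketch."""
    return secrets.token_bytes(32)


def client_response(password: str, server_salt: bytes, client_salt: bytes) -> str:
    """Client side: prove knowledge of the password without sending it.

    The client salt means the server does not fully control the HMAC input.
    """
    msg = server_salt + client_salt
    return hmac.new(password.encode(), msg, hashlib.sha256).hexdigest()


class Server:
    """Hypothetical server holding the shared password (set up out of band)."""

    def __init__(self, password: str):
        self._password = password
        self._pending = set()  # challenges issued and not yet consumed

    def challenge(self) -> bytes:
        salt = new_salt()
        self._pending.add(salt)
        return salt

    def verify(self, server_salt: bytes, client_salt: bytes, response: str) -> bool:
        # Each challenge is single-use, so replaying a captured
        # (salt, response) pair fails even though the digest is valid.
        if server_salt not in self._pending:
            return False
        self._pending.discard(server_salt)
        expected = client_response(self._password, server_salt, client_salt)
        # Constant-time comparison avoids leaking digest bytes via timing.
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    server = Server("constructed-sample-password")
    salt, csalt = server.challenge(), new_salt()
    resp = client_response("constructed-sample-password", salt, csalt)
    print("first attempt:", server.verify(salt, csalt, resp))
    print("replayed capture:", server.verify(salt, csalt, resp))
```

This only protects the password during login: the session that follows is still unencrypted and unauthenticated over plain HTTP, which is the MITM point made earlier in the thread, so https / wss is still needed for the transport.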


Sat, 28 Nov 2020 12:57:53 GMT - Antoine Martin: status changed

Talks of webrtc:

Could be useful for audio and video mode, if we can manage dropped packets and re-transmits (see WebRTC AudioProcessing)

In python:

See also #2942 (RTP)

See also WebRTC/Chromium Updates In 2020.


Sat, 23 Jan 2021 05:21:31 GMT - migration script:

this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/1338