Encryption doesn’t always equal privacy
IT departments have all the means necessary to manage voice communication over the enterprise network and know the ins and outs of those communications. Some enterprises have compliance requirements to which they must adhere, some have security considerations and others have reasons to “know what’s happening in their network”.
With traditional VoIP systems, achieving the above is relatively a simple task.
However, OTT VoIP traffic is a different story. And in the case of OTT, most enterprises settle with one of the following options:
- Block it
- Live with the reality
The question is, are these the only two options available and what do enterprises really want to do about OTT VoIP?
Border TURN server
Some enterprises are adding a new entity to the border of their network, a border TURN server that forces all VoIP media traffic to go through it. This includes enterprise managed VoIP as well as OTT. VoIP media that doesn’t go through the border TURN server is blocked.
Adding this entity and blocking all VoIP media that doesn’t go through the border TURN server creates a problem for WebRTC communication because only one TURN server address can be provided for the peer connection establishment procedure. Since many services require media to go through an application TURN server, the border TURN server is left out of the flow and media that doesn’t go through, is blocked.
In a post I published last week together with Dan Burnett (co-editor of WebRTC standards) on WebRTCStandards.info (where we publish updates about what takes place at IETF and W3C with regards to WebRTC), we talked about RETURN. In a nutshell, RETURN encapsulates two TURN servers into one by adding the border TURN server as a configuration option to browsers. Details and illustrations can be found in the original post.
Since WebRTC media is always encrypted, what is the point in requiring it to pass through the border TURN server?
What can be extracted from encrypted communication?
With this knowledge, the server can block calls from black listed addresses, limit/monitor call duration and collect this information.
These capabilities are pretty basic and I wanted to know if there was more a border TURN server can detect in an encrypted media stream. To better understand, I turned to Yossi Zadah (who is already well known on this blog) and to Ilan Shallom. Ilan is a Professor at Ben-Gurion University and founder of a speech recognition company that today is part of AudioCodes. His technology is the brain behind our VocaNOM solution.
Some might be surprised to learn that there is a significant amount of information that can be extracted from an encrypted media stream. There are studies that show it is possible to identify the language of the conversation. Other studies show it is possible to unveil the identity of the speakers on such a call and even create approximate transcripts of encrypted VoIP calls by identifying words in the stream.
There is also a thesis specifically relating to Skype using Silk (from back in 2011) that details information that can be learned from such conversations.
- Border TURN servers are being deployed at enterprises. Though they impose problems on WebRTC communication, RETURN is planned by the IETF as a solution.
- Given the limitations border TURN servers impose on OTT traffic, my personal view is that they would be counterproductive in most cases as they limit Bring Your Own OTT (BYOO) in the enterprise
- If you thought that your WebRTC call is private…think again.