... | ... | @@ -11,9 +11,9 @@ An analysis of use of WebRTC by some mobile apps: https://andyet.com/webrtc-repo |
|
|
Analysis of DTLS-SRTP and DTLS-SCTP in Twilio and Wire: https://www.gremwell.com/node/954
|
|
|
|
|
|
Potential identifying features:
|
|
|
* STUN: [USERNAME attribute](https://tools.ietf.org/html/rfc5389#section-15.3), free-form text.
|
|
|
* STUN: optional [FINGERPRINT attribute](https://tools.ietf.org/html/rfc5389#section-8).
|
|
|
* STUN: optional(?) [SOFTWARE attribute](https://tools.ietf.org/html/rfc5389#section-15.10).
|
|
|
* STUN: [USERNAME attribute](https://www.rfc-editor.org/rfc/rfc8489#section-14.3), free-form text.
|
|
|
* STUN: optional [FINGERPRINT attribute](https://www.rfc-editor.org/rfc/rfc8489#section-14.7).
|
|
|
* STUN: optional(?) [SOFTWARE attribute](https://www.rfc-editor.org/rfc/rfc8489#section-14.7).
|
|
|
* STUN attributes in general: their type and order.
|
|
|
* DTLS: client ciphersuites (type and order).
|
|
|
* DTLS: client extensions (type and order).
|
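Review bot: The new SOFTWARE bullet reuses the FINGERPRINT anchor: both "optional [FINGERPRINT attribute]" and "optional(?) [SOFTWARE attribute]" now link to rfc8489#section-14.7. In RFC 8489, section 14.7 is FINGERPRINT and SOFTWARE is section 14.14, so the third replaced bullet should point to https://www.rfc-editor.org/rfc/rfc8489#section-14.14. Since that line is being edited anyway, the "optional(?)" could be resolved against that section instead of being carried over unchanged.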
... | ... | @@ -21,9 +21,9 @@ Potential identifying features: |
|
|
* DTLS: certificate validity period.
|
|
|
DNS seems like no big deal? Other layers to look at?
|
|
|
|
|
|
Data channels use DTLS while non-data (media, video) use SRTP.
|
|
|
[WebRTC Data Channels](https://datatracker.ietf.org/doc/draft-ietf-rtcweb-data-channel/?include_text=1): "In the WebRTC framework, communication between the parties consists of media (for example audio and video) and non-media data. Media is sent using SRTP, and is not specified further here. Non-media data is handled by using SCTP [RFC4960] encapsulated in DTLS."
|
|
|
[Web Real-Time Communication (WebRTC): Media Transport and Use of RTP](https://datatracker.ietf.org/doc/draft-ietf-rtcweb-rtp-usage/?include_text=1)
|
|
|
Data channels use DTLS while media streams (audio, video) use DTLS-SRTP.
|
|
|
[WebRTC Data Channels](https://www.rfc-editor.org/rfc/rfc8831) (RFC 8831): "In the WebRTC framework, communication between the parties consists of media (for example, audio and video) and non-media data. Media is sent using the Secure Real-time Transport Protocol (SRTP) and is not specified further here. Non-media data is handled by using the Stream Control Transmission Protocol (SCTP) [[RFC4960](https://www.rfc-editor.org/rfc/rfc4960)] encapsulated in DTLS."
|
|
|
[Media Transport and Use of RTP in WebRTC](https://www.rfc-editor.org/rfc/rfc8834) (RFC 8834)
|
|
|
|
|
|
## Bro script to fingerprint DTLS
|
|
|
|
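Review bot: The rewritten summary line "Data channels use DTLS while media streams (audio, video) use DTLS-SRTP" is not backed by the quotation that follows it, which only says media is sent using SRTP. Consider adding one sentence stating that in DTLS-SRTP the DTLS handshake is used to key SRTP (RFC 5764). That would make clear that the DTLS features listed under "Potential identifying features" apply to media sessions as well as data channels, while the media packets themselves are SRTP. The bare RFC 8834 link also has no accompanying text saying what the reader should take from it.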
... | ... | @@ -38,7 +38,7 @@ You may want to refer to the |
|
|
|
|
|
### DTLS
|
|
|
|
|
|
The unknown (0x0017) extension is present in all DTLS communication and is concerning. Looks like 0x0017 is [extended master secret](https://tools.ietf.org/html/rfc7627).
|
|
|
The unknown (0x0017) extension is present in all DTLS communication and is concerning. Looks like 0x0017 is [extended master secret](https://www.rfc-editor.org/rfc/rfc7627).
|
|
|
|
|
|
<pre>
|
|
|
Datagram Transport Layer Security
|
... | ... | |
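Review bot: The changed line under "### DTLS" updates only the URL and keeps wording that contradicts itself: it calls 0x0017 "unknown" and "concerning", then identifies it as extended master secret. Since the line is being rewritten, name the extension directly (extended_master_secret, type 23, RFC 7627) and say what the concern is for fingerprinting. A note such as "present in all DTLS communication" could mean either that it distinguishes WebRTC from other DTLS traffic or that it carries no signal, and the text should say which.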