Group calls are used for communication and business. Though quite frequently users don’t think about their security and are not aware of real danger of their personal and commercial data theft that can be committed easily. Below, we present our elaboration of a group call tool that works from a browser and protects users from MITM attacks with the help of ZRTP.
Our task — convenient high security group calls
Group calls have become very popular: they allow chatting and conducting business negotiations during the quarantine. And even after the end of self-isolation, users all over the world are going to continue using this type of communication as they have appreciated its convenience.
At the same time, calls still remain inconvenient for users: you have to install something, analyze the settings, sign up and delve into the instructions for the sake of a few minutes of talk.
Hence, the idea came up to create a tool that allows calling from a browser tab in one click with no need to download additional programs.
This application gives its users a possibility to discuss tasks with a product team, hold conferences and brief meetings, demonstrate solutions of a problem on the screen, as well as present reports on the accomplished projects. This is an ideal option for remote work.
Our second task is to provide a stable protection for such calls, i.e. to prevent your data from leaking into the network, being indexed by search systems, or fall into the wrong hands. To compete with numerous analogues, our tool possesses a high level of security.
webRTC technology for calls with no additional apps
Top priority is to communicate directly from the browser tab. The calls are made with the help of webRTC technology — it allows to quickly transfer multimedia — audio and video — through a browser, as well as set up a call between two or more users simultaneously.
This is enough to guarantee communication with no preliminary preparation and program installation.
ZRTP is a basis of security
The second layer of encryption provides additional data protection thanks to ZRTP.
ZRTP is a cryptographic protocol for the encryption key negotiation. It is used for transmitting voice via IP networks and negotiates keys in the same RTP flow where audio or video communication is set, i.e. it does not require a separate communication channel.
The idea of telephony encryption is not novel. The protocol has existed since 2006, and provides a rather secure data protection, but doesn’t insure from a “man in the middle” — MITM attacks, or, in short, wiretapping.
The problem of protection against MITM attacks has been solved
At the testing stage, it was found out that the initially transmitted flows in webRTC are encrypted with SRTP (secure data transfer protocol) and they are absolutely tap-proof. However, vulnerability to a MITM attack in the middle remained at any combination of connections and DTLS and ZRTP protocols. For example, knowing the IP address of users, it was possible to create a communication session with a request and steal information.
The Callaba project development team has solved this problem by encrypting both flows and sessions.
Result — secure group calls
We succeeded in solving call security problem with Callaba, and we guarantee protection against wiretapping with the help of ZRTP. Attackers won’t be able to access the conversation, tap, or steal data.
There are also text messages encrypted in the program, they are transmitted in the internal chat. Due to this solution, search system robots do not index information inside the browser tab and do not reveal the personal data of participants.
We got even more than we expected
Our team reached the established goal — to make online group communication easy and secure:
The tool operates from browser according to webRTC technology. This huge advantage saves time on installing apps and allows focusing on communication.
Complete protection against MITM attacks. The security is controlled by ZRTP at the first level, and by our additional encryption — at the second level.
Security of all data types. The tool protects audio and video as well as text messages in the internal chat. The information will neither end up in the hands of attackers, nor be indexed by search systems.
