Web Real-Time Communication (WebRTC) is designed to allow secure real-time communications between two web browsers and to prevent so-called man-in-the-middle attacks. To that end, the two browsers involved in a WebRTC session negotiate the SRTP encryption key in the media channel rather than the signaling channel. This prevents the web application and any proxies from learning the key, so that the media stream cannot be decrypted by an intermediary. To have a secure communication session, the browsers exchange fingerprints. A fingerprint is a unique identifier that is used to match a digital certificate, such as an MD5 signature. Once the browsers have exchanged fingerprints, they set up a secure communication session by verifying that the digital certificates exchanged by the browsers match the fingerprints previously exchanged between them. The secure communication session, which is sometimes established via a media relay, is secured directly between the browsers. The media relay is unable to decrypt any packets because it was not involved in setting up the secure communication session.
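The fingerprint check described above, as an added example that is not code from the original text: it parses the `a=fingerprint` attributes from a signaled SDP description and accepts a handshake certificate only if its hash matches one of them. The function names are hypothetical, the "certificates" are constructed byte strings standing in for DER-encoded certificates, and the sample SDP uses `sha-256` as an assumption.

```javascript
const nodeCrypto = require("node:crypto");

// Hash names as written in SDP a=fingerprint lines, mapped to Node digest names.
const HASHES = { "md5": "md5", "sha-1": "sha1", "sha-256": "sha256",
                 "sha-384": "sha384", "sha-512": "sha512" };

// Collect every a=fingerprint attribute (session- or media-level) from an SDP blob.
function parseFingerprints(sdp) {
  const out = [];
  const re = /^a=fingerprint:(\S+) ((?:[0-9A-Fa-f]{2}:)*[0-9A-Fa-f]{2})\s*$/;
  for (const line of sdp.split(/\r?\n/)) {
    const m = re.exec(line);
    if (m) {
      out.push({ hash: m[1].toLowerCase(),
                 digest: Buffer.from(m[2].replace(/:/g, ""), "hex") });
    }
  }
  return out;
}

// True only if the certificate seen in the media-channel handshake hashes to a
// fingerprint that arrived over signaling. Unknown hash names never match.
function certMatchesSdp(certDer, sdp) {
  return parseFingerprints(sdp).some(({ hash, digest }) => {
    const algo = HASHES[hash];
    if (!algo) return false;
    const actual = nodeCrypto.createHash(algo).update(certDer).digest();
    // timingSafeEqual throws on unequal lengths, so compare lengths first.
    return actual.length === digest.length &&
           nodeCrypto.timingSafeEqual(actual, digest);
  });
}

// Helper for the constructed sample: format a fingerprint line for a certificate.
function fingerprintLine(hash, certDer) {
  const hex = nodeCrypto.createHash(HASHES[hash]).update(certDer).digest("hex");
  return `a=fingerprint:${hash} ${hex.toUpperCase().match(/../g).join(":")}`;
}

// Constructed sample data (not real X.509 certificates).
const peerCert = Buffer.from("constructed stand-in for the peer browser's certificate");
const relayCert = Buffer.from("constructed stand-in for a media relay's own certificate");
const offerSdp = ["v=0", "m=audio 9 UDP/TLS/RTP/SAVPF 111",
                  fingerprintLine("sha-256", peerCert), "a=setup:actpass"].join("\r\n");

console.log("peer certificate accepted:", certMatchesSdp(peerCert, offerSdp));
console.log("relay certificate accepted:", certMatchesSdp(relayCert, offerSdp));
```

A relay that presented its own certificate in the handshake would fail this comparison, which is why it cannot insert itself into the key negotiation without also altering the signaled fingerprint.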
While WebRTC may work well in non-corporate settings, current implementations that use WebRTC have many shortcomings in a corporate environment. For example, most corporate environments require a firewall and corporate security restrictions so that the content of communication sessions can be monitored and/or controlled. Monitoring of content is designed to prevent security breaches, such as Denial of Service attacks. Alternatively, monitoring may be necessary to provide recording services for a communication session. However, WebRTC's design to prevent man-in-the-middle attacks also prevents monitoring of a communication session (e.g., a voice call). Having browsers set up communication sessions outside the firewall without regard to corporate security restrictions makes the use of WebRTC very limited in a corporate environment.