WCS to rtsp camera security problem

[tonyportersec]

The config is

Network camera --- RTSP ---> WCS ---- WebRTC --->Browser

Is the WebRTC part has data encryption on the video channel?
How about the RTSP part, it seems the username and password of the RTSP is in the URL itself, so it seems not secure, anyway we could help on the WCS to improve it? Thanks.

 

[Max]

Good day.

Is the WebRTC part has data encryption on the video channel?

Yes, WebRTC specification strongly requires data encryption. That's why WebRTC signaling works only via secure websocket connection (except localhost, for debugging purposes)

How about the RTSP part, it seems the username and password of the RTSP is in the URL itself, so it seems not secure

RTSP supports basic authentication only, so yes, credentials should be passed in URL. But you can hide credentials from viewer using REST API query /rtsp/startup:

POST /rest-api/rtsp/startup HTTP/1.1
Host: localhost:8081
Content-Type: application/json
 
{
    "uri": "rtsp://user:passwd@rtsp_server/rtsp_stream",
    "localStreamName": "stream1"
}

In this example, WebRTC viewer should play the stream by name stream1
Another way to hide credentials is stream name changing by /playStream REST hook.
In both cases, RTSP stream credentials are available to your backend only.

 

[tonyportersec]

Is there any rtsp over https support or similar thing in WCS to help improve the security between WCS and the RTSP source?

 

[Max]

There is the ticket WCS-3051 to implement secure RTSP (RTSPS). But we found no RTSP cameras supporting it. If you provide a such RTSP URL like rtsps://user:passwd@rtsp_server/rtsp_stream, we'll change this ticket state to active.