STREWS published its first Security Case Study on WebRTC: 


Case study 1 Report: WebRTC [PDF]

Erratum (until updated publication):

In Section 3.2 the WebRTC report notes that:

But unlike in Chrome, all permissions are only for the duration of the session, that is, until the browser closes. There is no way to revoke a permission, except by closing the browser.

Please note that those assertions were made while testing Firefox 28. In that version, the permissions are destroyed when navigating to the next page or closing the window, not just when closing the browser. In Firefox 33, the browser and especially its interface have evolved. We will update the text accordingly, once we have verified the current behavior


Built-in handling of Real Time Media (audio, video) on the web promises potentially significant change in telephony and in conference calling. The W3C WebRTC and IETF rtcweb working groups are developing the set of specifications that will allow browsers and web sites to support such calling and other functions. This is clearly a potentially security sensitive extension to the web, so STREWS has devoted effort on this topic as a case study to both attempt to improve the overall security of the result and to see if this approach holds promise as a way to improve interactions between researchers and standards makers and hence the overall security of the web. In this deliverable, we show some possibly new issues with WebRTC security discovered by researchers (from SAP) that the standards makers may not have considered. However, while this deliverable is, as a deliverable, final, the work itself goes on, partly involving discussions between the STREWS project and participants in the IETF and W3C so in technical terms this remains a work-in-progress.