Security is possibly the most important topic around internet-based communications platforms. For Aircall, security means trust. Without sufficient security and an active participation in ensuring the privacy of our customers, there can be no future for Aircall as a business.
Thankfully, this topic is already well covered by the underlying technologies in use within the Aircall platform.
WebRTC Security
WebRTC has been designed with security at its core. When making a peer-to-peer connection, which accounts for over 80% of all Aircall calls (once TURN server support is activated in Aircall), that connection is first negotiated with a central media server over an encrypted WebSocket connection. This connection simply identifies the web customer involved in the call and whether they are calling out or receiving a call, so very little information is sent. The WebSocket connection can be thought of as similar to a secure web-based transaction, such as one that might occur on an e-commerce website.
Once the call is determined, the WebRTC engine within the browser negotiates the actual voice call with the media server. Here, an encrypted exchange is used whereby the encryption key is never made publicly available, including to the Aircall application itself. Once established, the voice throughput is secured by SRTP (Secure Real-time Transport Protocol) within the call data and DTLS (Datagram Transport Layer Security) for the actual sent packets. At no point is there any way for anyone to intercept the call data between the caller/receiver using the browser and the media server.
WebRTC Security with TURN
The remaining estimated 20% of calls from the browser (once TURN is switched on) using the Aircall product will utilize a TURN server. TURN is a proxy technology that improves call connection success. Any connections that require TURN are not considered true peer-to-peer, since a middle layer is utilized. However, since the above security measures are also applied, the connection from browser to TURN server is protected in the same way.
Consideration needs to be made with regard to the call data that is leaving the TURN server and heading to the media server. In many scenarios, this is not a problem, since the transported data is still encrypted using SRTP, but it is possible for data to have been affected by a third party within the TURN server if that server is untrusted.
Note: Data should not be compromised without the encryption data sent in the signaling, so even data through a third-party TURN server should be safe.
In Aircall’s situation, not only are TURN servers known and trusted, but they also sit alongside the media server counterpart within the very same data center. This increases security exponentially, leaving no room for security vulnerabilities to third parties.
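The properties described above (DTLS key exchange, SRTP media protection, and whether a call goes direct or through TURN) can be read from the browser's WebRTC statistics. The following is an added example, not Aircall's code: it relies on the standard RTCStatsReport fields, while the function names and sample reports are constructed for illustration.

```javascript
// Added example: read the negotiated protection and route of a live call from
// WebRTC stats. In a browser, pass the result of `await pc.getStats()`.
const DTLS_VERSIONS = { FEFF: "DTLS 1.0", FEFD: "DTLS 1.2", FEFC: "DTLS 1.3" };

function summarizeCallSecurity(report) {
  const stats = [...report.values()];
  const byId = new Map(stats.map((s) => [s.id, s]));
  const transport = stats.find((s) => s.type === "transport");
  if (!transport) return { secure: false, problems: ["no transport stats yet"] };

  // Follow transport -> selected candidate pair -> local candidate.
  const pair = byId.get(transport.selectedCandidatePairId);
  const local = pair ? byId.get(pair.localCandidateId) : undefined;

  const problems = [];
  if (transport.dtlsState !== "connected") problems.push(`DTLS state is ${transport.dtlsState}`);
  if (!transport.srtpCipher) problems.push("no SRTP protection profile negotiated");
  if (transport.tlsVersion === "FEFF") problems.push("DTLS 1.0 negotiated");
  if (!local) problems.push("no selected candidate pair");

  return {
    secure: problems.length === 0,
    viaTurn: local ? local.candidateType === "relay" : null, // relay = TURN in use
    relayProtocol: local && local.relayProtocol ? local.relayProtocol : null,
    dtlsVersion: DTLS_VERSIONS[transport.tlsVersion] || transport.tlsVersion || null,
    srtpCipher: transport.srtpCipher || null,
    problems,
  };
}

// Constructed sample reports (not captured from Aircall): direct, relayed, pending.
function sampleReport(candidateType, relayProtocol, dtlsState) {
  return new Map([
    ["T1", { id: "T1", type: "transport", dtlsState, tlsVersion: "FEFD",
             srtpCipher: "AES_CM_128_HMAC_SHA1_80", selectedCandidatePairId: "CP1" }],
    ["CP1", { id: "CP1", type: "candidate-pair", state: "succeeded",
              localCandidateId: "L1", remoteCandidateId: "R1" }],
    ["L1", { id: "L1", type: "local-candidate", candidateType, relayProtocol }],
    ["R1", { id: "R1", type: "remote-candidate", candidateType: "host" }],
  ]);
}

const direct = summarizeCallSecurity(sampleReport("srflx", undefined, "connected"));
const relayed = summarizeCallSecurity(sampleReport("relay", "udp", "connected"));
const pending = summarizeCallSecurity(sampleReport("relay", "udp", "connecting"));
console.log({ direct, relayed, pending });
```

A relayed call reports the same DTLS and SRTP values as a direct one; only the local candidate type changes, which matches the point that TURN forwards already-encrypted media.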
Recent Zoom Security Concerns
The recent security issues with Zoom's platform have raised a lot of concern regarding video and voice calling platforms. The issue with such platforms is often with regard to the application layer logic of the system. With Zoom, rumors have spread that users' encryption keys have been passed to third parties, which has made their platform vulnerable. With Aircall, this is not possible, since the encryption is handled rather differently by the WebRTC engine itself. WebRTC is an open standard and subject to scrutiny by everyone, unlike Zoom’s proprietary standard, which is unknown.
Zoom also utilizes an MCU (Multipoint Control Unit), which combines media data from numerous sources into a single source before passing it to participating users. This same technology is what powers the ability to add dynamic backgrounds to participants' video streams. In this scenario, the logic used to determine the participants of a stream and which data is selectively forwarded on to other users is at the whim of Zoom's application logic. Such logic may be flawed, allowing uninvited users to intercept and view such streams. In contrast, Aircall has no such security loophole, since calls are always between two users and within known, uninterrupted parameters, as determined by open standards.
Is Aircall's Media Server a concern?
Given the security issues surrounding Zoom, is the same true of Aircall, given that it implements a media server? Thankfully, no.
The media server used by Aircall is a transcoding server. It is required to convert web-based Opus / G.711 data from a WebRTC connection to/from a G.711 PBX line connection. Aside from the transcoding, the media server is a little different from the TURN proxy server.
All of the logic surrounding a call connection is secured between the two participants. Since Aircall does not support conferencing, there is no proprietary application logic that might expose calls to uninvited guests, ensuring all calls are solely between those two peers.