Describe the Bug
WebRTC connections need a "signalling" server to exchange SDP packets, which contain addresses to attempt to connect to in order to establish the session and key material to establish a shared DTLS encryption key.
MapTool implements this with a hard-coded server that is connected to with the URI ws://webrtc1.rptools.net:8080.
Because the protocol for this is ws:// rather than wss://, this is analogous to http:// instead of https://, and this traffic is not encrypted with an SSL certificate for webrtc1.rptools.net.
Consequently, it would be possible for an attacker to man-in-the-middle connections to this server with a poisoned DNS record because there is no identity checking, or snoop and intercept traffic while on the same network.
This would allow an attacker to then snoop and intercept communications during the WebRTC session because they were present during the DTLS key establishment, or insert themselves in the middle by providing their own SDP packets.
If another vulnerability in a library used by MapTool were discovered then it may be exploitable this way, and if the client has enabled external macro access then execFunction commands could be sent to make HTTP requests to potentially vulnerable services in the client's network or on 127.0.0.1.
To Reproduce
Inspect traffic while making a WebRTC connection.
Expected Behaviour
webrtc1.rptools.net should have a valid SSL certificate so that the TLS encrypted wss:// protocol can be used to initiate the WebRTC connection.
Screenshots
No response
MapTool Info
No response
Desktop
No response
Additional Context
No response
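
The exposure described in this report, as an added example that is not part of the original issue and is not MapTool code: it parses an SDP offer for the candidate addresses and the `a=fingerprint` attribute (the DTLS certificate fingerprint), reports what is unprotected when the signalling URI is not wss://, and detects a fingerprint that changed between sender and receiver. The SDP is constructed sample data and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample SDP offer (not captured from MapTool); addresses are documentation ranges.
SAMPLE_SDP = "\r\n".join([
    "v=0",
    "o=- 4611731400430051336 2 IN IP4 127.0.0.1",
    "s=-",
    "t=0 0",
    "m=application 9 UDP/DTLS/SCTP webrtc-datachannel",
    "c=IN IP4 0.0.0.0",
    "a=ice-ufrag:F7gI",
    "a=ice-pwd:x9cml/YzichV2+XlhiMu8g",
    "a=fingerprint:sha-256 " + ":".join(["AB"] * 32),
    "a=setup:actpass",
    "a=candidate:1 1 udp 2122260223 192.0.2.10 54321 typ host",
    "a=candidate:2 1 udp 1686052607 198.51.100.7 61000 typ srflx raddr 192.0.2.10 rport 54321",
    "",
])

def parse_sdp(sdp):
    """Extract the security-relevant attributes from an SDP blob."""
    info = {"fingerprints": [], "candidates": []}
    for line in sdp.splitlines():
        if line.startswith("a=fingerprint:"):
            algo, _, digest = line[len("a=fingerprint:"):].partition(" ")
            info["fingerprints"].append((algo.lower(), digest.strip().upper()))
        elif line.startswith("a=candidate:"):
            f = line.split()  # foundation, component, transport, priority, addr, port, "typ", type
            info["candidates"].append((f[4], int(f[5]), f[7]))
    return info

def signalling_is_protected(uri):
    """Only wss:// gives the SDP exchange TLS encryption and server identity checking."""
    return urlsplit(uri).scheme.lower() == "wss"

def audit(uri, sdp):
    """List what is readable or alterable in transit for this signalling URI."""
    if signalling_is_protected(uri):
        return []
    info = parse_sdp(sdp)
    findings = [f"candidate address exposed: {a}:{p} ({t})" for a, p, t in info["candidates"]]
    findings += [f"{algo} DTLS fingerprint sent without integrity protection"
                 for algo, _ in info["fingerprints"]]
    return findings

def fingerprint_substituted(sent_sdp, delivered_sdp):
    """True if the fingerprint the peer received differs from the one that was sent."""
    return set(parse_sdp(sent_sdp)["fingerprints"]) != set(parse_sdp(delivered_sdp)["fingerprints"])
```

Calling `audit("ws://webrtc1.rptools.net:8080", SAMPLE_SDP)` returns one finding per candidate address plus one for the fingerprint; the same call with a wss:// URI returns an empty list.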