RFC 7065 - 4. Security Considerations

4. Security Considerations

Security considerations for the resolution mechanism are discussed in Section 5 of [RFC5928]. Note that this section contains normative text defining authentication procedures to be followed by TURN clients when TLS is used.

The "turn" and "turns" URI schemes do not introduce any specific security issues beyond the security considerations discussed in [RFC3986].

Although a "turn" or "turns" URI does not itself include the username or password that will be used to authenticate the TURN client, in certain environments, such as WebRTC, the username and password will almost certainly be provisioned remotely by an external agent at the same time as a "turns" URI is sent to that client. Thus, in such situations, if the username and password were received in the clear, there would be little or no benefit to using a "turns" URI. For this reason, a TURN client MUST ensure that the username, password, "turns" URI, and any other security-relevant parameters are received with equivalent security before using the "turns" URI. Receiving those parameters over another TLS session can provide the appropriate level of security, if both TLS sessions are similarly parameterised, e.g., with commensurate strength ciphersuites.
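
One way a WebRTC client could enforce this requirement on a remotely provisioned ICE configuration, as an added example that is not part of RFC 7065. `parseTurnUri` and `vetIceServers` are hypothetical helper names, the sample configuration is constructed, and an `https:` or `wss:` provisioning URL is assumed to stand for a TLS session of commensurate strength.

```javascript
// Added example: helper names are hypothetical, sample data is constructed.
// Host pattern is a deliberately strict subset: bracketed IP literal, IPv4 or DNS name.
const TURN_URI =
  /^(turns?):(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(?::(\d{1,5}))?(?:\?transport=(udp|tcp))?$/i;

// Parse a "turn"/"turns" URI into scheme security, host, optional port and transport.
function parseTurnUri(uri) {
  const m = TURN_URI.exec(uri);
  if (!m) return null;
  return {
    secure: m[1].toLowerCase() === "turns",
    host: m[2],
    port: m[3] ? Number(m[3]) : null,
    transport: m[4] ? m[4].toLowerCase() : null,
  };
}

// Assumption: these schemes mean the provisioning channel itself ran over TLS.
const TLS_CHANNELS = new Set(["https:", "wss:"]);

// Decide which provisioned ICE servers may be used, given the URL the
// configuration (URIs plus username and credential) was fetched from.
function vetIceServers(provisioningUrl, iceServers) {
  const channelSecure = TLS_CHANNELS.has(new URL(provisioningUrl).protocol);
  const accepted = [], rejected = [];
  for (const server of iceServers) {
    const urls = [].concat(server.urls);
    const parsed = urls.map(parseTurnUri);
    let reason = null;
    if (parsed.includes(null)) reason = "malformed turn/turns URI";
    else if (!channelSecure && parsed.some((p) => p.secure))
      reason = "turns URI and credentials arrived over a cleartext channel";
    if (reason) rejected.push({ urls, reason });
    else accepted.push(server);
  }
  return { accepted, rejected };
}

// Constructed sample: the same configuration fetched over HTTP and over HTTPS.
const sampleConfig = [
  { urls: "turns:turn.example.org:5349?transport=tcp", username: "u1", credential: "constructed" },
  { urls: ["turn:turn.example.org?transport=udp"], username: "u1", credential: "constructed" },
];
console.log(vetIceServers("http://app.example.org/ice", sampleConfig).rejected);
```

Only the "turns" entry is rejected on the cleartext channel, because the requirement above applies before using a "turns" URI; the "turn" entry carries no TLS expectation to undermine.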