Type: Repost
Original author: Tsahi Levent-Levi
Date: April 6, 2020
Original URL: https://bloggeek.me/is-webrtc-safe/

 

✅ Is WebRTC secure?

Yes it is.

WebRTC is probably the most secure VoIP protocol out there. This stems from the fact that WebRTC was designed with security in mind, as it needs to operate from inside a web browser, an environment that can never be considered secure to begin with.

It doesn’t mean that it is faultless – just that when security issues are found, they are usually addressed quickly, and the fixes reach users faster thanks to the automatic update mechanisms of modern web browsers.

✅ WebRTC IP leak. What is it about?

WebRTC requires local IP addresses to work properly, so it collects these addresses and shares them during the negotiation process.
Because this was found to be a privacy issue, a solution is being rolled out in the form of mDNS.
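
As an added example (not part of the original article), the JavaScript below audits the ICE candidates in an SDP blob and flags host candidates that carry a literal interface address instead of an mDNS `.local` name. The SDP sample, the function names and the addresses are constructed for illustration.

```javascript
// Added example: audit the ICE candidates in an SDP blob for exposed local addresses.
// Candidate layout: candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...

// Constructed sample; the addresses use private and documentation ranges.
const SAMPLE_SDP = [
  'v=0',
  'a=candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0',
  'a=candidate:2 1 udp 2122194687 3f2a9c1e-6b7d-4e55-9a10-0c2d4e6f8a1b.local 54322 typ host generation 0',
  'a=candidate:3 1 udp 1686052607 203.0.113.7 61000 typ srflx raddr 0.0.0.0 rport 0 generation 0',
].join('\r\n');

function classifyAddress(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith('.local')) return 'mdns';               // obfuscated host candidate
  const v4 = a.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) {
    const o1 = Number(v4[1]), o2 = Number(v4[2]);
    if (o1 === 127) return 'loopback';
    if (o1 === 10 || (o1 === 172 && o2 >= 16 && o2 <= 31) ||
        (o1 === 192 && o2 === 168) || (o1 === 169 && o2 === 254)) return 'private-ipv4';
    return 'public-ipv4';
  }
  if (a.includes(':')) {
    if (a === '::1') return 'loopback';
    if (/^fe[89ab]/.test(a)) return 'link-local-ipv6';
    if (/^f[cd]/.test(a)) return 'unique-local-ipv6';
    return 'global-ipv6';
  }
  return 'unknown';
}

function auditCandidates(sdp) {
  const findings = [];
  for (const raw of sdp.split(/\r?\n/)) {
    const line = raw.trim().replace(/^a=/, '');
    if (!line.startsWith('candidate:')) continue;
    const f = line.split(/\s+/);
    if (f.length < 8 || f[6] !== 'typ') continue;         // skip malformed lines
    const address = f[4], type = f[7];
    const kind = classifyAddress(address);
    // A host candidate carrying a literal IP reveals a local interface address.
    const exposesLocalIp = type === 'host' && kind !== 'mdns' && kind !== 'unknown';
    findings.push({ address, type, kind, exposesLocalIp });
  }
  return findings;
}

console.table(auditCandidates(SAMPLE_SDP));
```

Feeding it the `sdp` string of a real offer or answer shows whether the browser in use is already substituting mDNS names for host addresses.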

✅ Can I send media unencrypted in WebRTC?

No, you can’t. By design, WebRTC encrypts all media sent between users. There is no way (barring changing the implementation itself) to send media in the clear in WebRTC.

✅ If I am using WebRTC, does it mean my service is secure?

No. While WebRTC is secure by design, it is just a component embedded in the service you are using. As such, the security it offers depends on the security of the service you are using.

✅ Does WebRTC offer end-to-end encryption?

WebRTC offers end-to-end encryption between terminating entities. If your service runs peer-to-peer (with or without TURN relays) then it is encrypted end-to-end. If you are using media servers along the route (SFU or an MCU) then in all likelihood that server has access to the unencrypted media.

✅ Is the security of WebRTC better than that of Zoom?

Yes, but this isn’t an apples-to-apples comparison.
WebRTC is a specification. It offers a high level of security. An application written on top of it can make it insecure.
Zoom is a proprietary solution where security isn’t the main objective. We simply don’t know what threats are lurking in the proprietary implementation of the proprietary protocols used by Zoom.

 
