webrtc suggestion

[hosted]

on a webrtc trunk, it would be nice if you could match the UserAgent or something for some level of authentication.

 

otherwise a receptionist will be answering scanner calls all day long.

[Vodia Telephone System]

I don't quite understand.

 

It can't be from the calling side, since anyone would be allowed to call on a public website.

 

So I don't understand where to match a user agent. If you mean to check if it is indeed from the browser then that would be useless since all javascript info is available to everyone anyway. We do check the trunk's id which is unique but again it is available.

 

Maybe you meant something entirely different that I misunderstood.

 

Thanks.

[hosted]

well any sort of authetication from the webrtc client to the trunk..

 

what we are seeing is scanners are attempting to make calls which ring our AA then to go a hunt group and our guys are getting a lot of fake calls.

 

cant really IP restrict the trunk.. but something to limit a legit webrtc would be nice

[Vodia PBX]

You mean something like a captcha? There is already a trunk hash in the call setup, so those guys are a little bit more sophisticated than just trying WebRTC ports out.

[hosted]

no, doing a bad job explaining..

 

when you create a webrtc trunk there are no IP restrictions (for the trunk). so scanners find the PBX they try to make calls (international for example) because the PBX is accepting them.

 

But the trunk is obviously set to forward all traffic to an extension so the webrtc client can speak to a live body.

 

problem is these scanners are generating calls that internal employees are answering. know what i mean?

[Vodia PBX]

Yes I think I know what you mean. Of course if you invite a public audience you are also attracting people that are not welcome. Sooner or later there will be robots trying to make WebRTC calls, and I guess the few sites available today are their test bench. This will be a pain in the neck as we know it from email SPAM, jeopardizing the benefits of browser-based telephony. At the end of the day the question is how we can find out if the user use human or a robot.

 

I see two possibilities here. First, we could send the call to the auto attendant, so that the user has to press a button after listening to a prompt. That is still possible for a robot, but difficult and whoever is operating the robot will find out that this does not lead to free international calls. What we could do here is randomly pick the button that needs to be pressed, so that the robot would have to really listen to the what is being said at the right time. So considering the time factor and the right button, you can reduce the risk of a SPAM call by factor 50-100 easily.

 

The other possibility is to do the Captcha game: The system shows an image with a small riddle in it, one that is hard to solve by a robot. It does not have to be only that distorted text. It can also be more creative like telling what color an animal in the picture has. The disadvantage is that this will make the click to call feature inconvenient and people might prefer to use the traditional phone call.

[hosted]

Captcha wont work, its not the webrtc client that is at fault. the scanner will just find the PBX directly.

 

which is why i suggested having the snomone trunk verify the UserAgent = snomwebtrc is valid and passes the call.

 

then a scanner who's Useragent = friendly-scanner wont match and it wont process the call.

 

auto attendant is a good idea, but IMO as a business when someone clicks call on your web site i would rather have a live body answer the call and make the experience as easy to deal with as possible.

 

OR maybe make the webrtc client use TCP signalling.. that would work!

[Vodia PBX]

Fortunately, webrtc always uses TCP or TLS. No UDP madness.

[hosted]

thats good! so in the trunk how can we tell it to only accept connections from TCP/TLS only

 

so a UDP sip scanner wont be allowed..

 

 

 

were getting close!