## SECURITY: Coturn TURN Server Disables TLS, Exposing Credentials and Voice Traffic in Plaintext
A critical security misconfiguration in a Coturn TURN server deployment is actively transmitting user credentials and voice traffic in plaintext. The server, configured via a `docker-compose.yml` file, is running with the flags `--no-tls --no-tlsv1 --no-tlsv1_1`, which completely disables TLS and DTLS encryption. This flaw creates a direct pipeline for eavesdropping and credential theft on any network path between clients and the server.

The impact is severe and multifaceted. The TURN_USER and TURN_PASS credentials are sent unencrypted over UDP, allowing any intermediary to capture them. Furthermore, all relayed voice and media traffic—the core content of WebRTC calls and conferences—is transmitted in the clear, enabling real-time eavesdropping on conversations. An attacker with captured credentials could also abuse the server as a relay point for their own traffic, leading to potential bandwidth theft and using the server as a pivot in further attacks. This configuration blatantly violates fundamental security best practices for any production WebRTC deployment.

The vulnerability is traced to line 271 of the `docker-compose.yml` file. The necessary fix is to enable DTLS, the UDP-based TLS standard for WebRTC. This requires removing the disabling flags and properly configuring TLS certificates via `--cert` and `--pkey` options or specifying a `--tls-listening-port`. Until corrected, the deployment remains at high risk, exposing sensitive communications and infrastructure to interception and misuse.
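A configuration audit for the shape of problem this report describes, as an added example (it is not code from the report, the deployment in question, or the coturn project). It takes a coturn `turnserver` command line as a docker-compose `command:` entry would carry it (string or list form) and reports the flags that switch encryption off plus any missing certificate options. The `--no-tls`, `--cert`, `--pkey` and `--tls-listening-port` options come from the report; `--no-dtls` is assumed here as coturn's corresponding switch for the DTLS listener; the realm, ports, file paths and user value in the two sample command lines are constructed placeholders.

```python
"""Audit a coturn `turnserver` command line (as found in a docker-compose
`command:` entry) for settings that disable TLS/DTLS or omit certificates.

Added example; not from the report or the coturn project. The sample command
lines below are constructed to mirror the flags the report names; realm,
ports, paths and credentials are placeholders.
"""
import shlex
from typing import Iterable, List, Union

# Flags that turn encryption off for a listener. `--no-tls` is quoted in the
# report; `--no-dtls` is assumed here as coturn's matching switch for DTLS.
ENCRYPTION_KILL_SWITCHES = {
    "--no-tls": "TLS listener disabled: TCP TURN/STUN traffic is plaintext",
    "--no-dtls": "DTLS listener disabled: UDP TURN traffic is plaintext",
}

# Options that must carry a value for an encrypted listener to come up at all.
REQUIRED_WITH_VALUE = ("--cert", "--pkey")


def _normalize(command: Union[str, Iterable[str]]) -> List[str]:
    """Accept either compose's string form or list form of `command:`."""
    if isinstance(command, str):
        return shlex.split(command)
    return list(command)


def _option_values(args: List[str], name: str) -> List[str]:
    """Return the values given for a long option, in `--name=value` or `--name value` form."""
    values = []
    for i, arg in enumerate(args):
        if arg.startswith(name + "="):
            values.append(arg.split("=", 1)[1])
        elif arg == name and i + 1 < len(args) and not args[i + 1].startswith("-"):
            values.append(args[i + 1])
    return values


def audit_turnserver_command(command: Union[str, Iterable[str]]) -> List[str]:
    """Return a list of findings; an empty list means no TLS/DTLS issue was found."""
    args = _normalize(command)
    findings = []
    for flag, reason in ENCRYPTION_KILL_SWITCHES.items():
        if flag in args:
            findings.append(f"{flag}: {reason}")
    for opt in REQUIRED_WITH_VALUE:
        if not _option_values(args, opt):
            findings.append(f"{opt} missing: encrypted listeners cannot start without it")
    return findings


# Constructed sample: the insecure shape the report describes. The three
# disabling flags are the ones quoted in the report; everything else is a placeholder.
INSECURE_COMMAND = (
    "turnserver --listening-port=3478 --realm=turn.example.invalid "
    "--no-tls --no-tlsv1 --no-tlsv1_1 --lt-cred-mech --user=alice:REDACTED"
)

# Constructed sample: the corrected shape. The disabling flags are removed and
# certificates are supplied via --cert/--pkey with a TLS listening port, as the
# report recommends. Paths are placeholders.
HARDENED_COMMAND = (
    "turnserver --listening-port=3478 --tls-listening-port=5349 "
    "--realm=turn.example.invalid --cert=/etc/coturn/certs/fullchain.pem "
    "--pkey=/etc/coturn/certs/privkey.pem --lt-cred-mech --user=alice:REDACTED"
)

if __name__ == "__main__":
    for label, cmd in (("insecure", INSECURE_COMMAND), ("hardened", HARDENED_COMMAND)):
        print(f"[{label}]")
        for finding in audit_turnserver_command(cmd) or ["no TLS/DTLS findings"]:
            print("  -", finding)
```

Run against the insecure sample, the audit reports `--no-tls` plus the missing `--cert` and `--pkey`; the hardened sample produces no findings. Pointing it at a real compose file means reading the coturn service's `command:` value (string or list) and passing it in unchanged; the audit deliberately inspects only the command line, so an image that reads `turnserver.conf` instead needs the same flags checked in that file.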
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, webrtc, encryption, docker
- **Credibility**: unverified
- **Published**: 2026-03-28 21:27:00
- **ID**: 39294
- **URL**: https://whisperx.ai/en/intel/39294