Two weeks ago we published our analysis of TURN security threats. Today: how to fix them.

New guides covering implementation-agnostic best practices (IP range blocking, protocol hardening, rate limiting, deployment patterns) and coturn-specific configuration with copy-paste templates at three security levels.

Best practices: enablesecurity.com/blog/turn-s
coturn guide: enablesecurity.com/blog/coturn
Config templates on GitHub: github.com/EnableSecurity/cotu

coturn 4.9.0 dropped yesterday with fixes for CVE-2026-27624 (IPv4-mapped IPv6 bypass of deny rules) and an inverted web admin password check that had been broken since ~2019. The guides cover workarounds for older versions.
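The bug class named above (an IPv4-mapped IPv6 address slipping past IPv4 deny rules), as an added example that is not part of the original post and is not coturn's code: a generic deny-list check compared with one that unwraps `::ffff:a.b.c.d` before matching. The deny ranges, peer addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample deny list (assumption: internal ranges an operator might
# block as relay peers; not taken from the guides or from coturn's defaults).
DENY_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "192.168.0.0/16", "::1/128",
)]

def _matches(addr) -> bool:
    # Compare only against ranges of the same address family.
    return any(addr.version == net.version and addr in net for net in DENY_RANGES)

def naive_is_denied(peer: str) -> bool:
    """Family-strict check: an IPv6-encoded peer never meets the IPv4 rules."""
    return _matches(ipaddress.ip_address(peer))

def canonical(peer: str):
    """Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to the IPv4 address it denotes."""
    addr = ipaddress.ip_address(peer)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr

def is_denied(peer: str) -> bool:
    """Check the canonical form, so both encodings hit the same rule."""
    return _matches(canonical(peer))

def audit(peers):
    """Return the peers that the naive check allows but the canonical check denies."""
    return [p for p in peers if is_denied(p) and not naive_is_denied(p)]

# Constructed peer addresses for the demonstration.
SAMPLE_PEERS = [
    "10.0.0.5",                # plain IPv4, denied by both checks
    "::ffff:10.0.0.5",         # same host, IPv4-mapped dotted form
    "::ffff:a00:5",            # same host, IPv4-mapped hex form
    "::ffff:169.254.169.254",  # link-local address, IPv4-mapped
    "::ffff:8.8.8.8",          # mapped public address, allowed
    "2001:db8::1",             # ordinary IPv6, allowed
]

if __name__ == "__main__":
    for p in SAMPLE_PEERS:
        print(f"{p:26} naive={naive_is_denied(p)!s:5} canonical={is_denied(p)}")
    print("gaps:", audit(SAMPLE_PEERS))
```

Running `audit` over the peer addresses a relay has actually seen shows whether a family-strict deny list has this gap.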


RE: infosec.exchange/@enablesecuri

Published the "how to fix it" companion to our TURN security threats post. Best practices guide + coturn config templates at three security levels.

Also discussing TURN security on WebRTC Live today: webrtc.ventures/webrtc-live/

enablesecurity.com/blog/turn-s
enablesecurity.com/blog/coturn
