webRTC is an awesome way for getting data from one web browser to another, but you must bootstrap it by copying a webRTC "offer" message in both directions first. Most of the webRTC-based videochat services (Firefox Hello, talky.io, etc.) use a server to deliver the client page and also relay these offer messages to the right party. So ultimately the security depends upon that server deciding to deliver the offer directly, and not inserting itself as a man-in-the-middle.
The PAKE-based wormhole setup would be a great way to get those offers delivered safely. In a future browser-based magic-wormhole.js library, I would use webRTC as the default data-transfer mechanism, and then I wouldn't need to run a STUN-like transit server (at least if you're talking to another browser, or client that can speak webRTC).
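What protecting the offer with the PAKE result could look like, as an added example that is not part of the original post or of magic-wormhole: the SDP offer is sealed with AES-256-GCM under a key derived from the PAKE session key, so a relay that alters, replaces or reflects it is detected. The session key value, the `side` labels and all function names are assumptions, and Node's `crypto` module stands in for the browser's Web Crypto API.

```javascript
const crypto = require('node:crypto');

// Assumption: both peers already completed the PAKE over the wormhole code and
// hold the same 32-byte session key. This value is constructed for the demo.
const sessionKey = crypto.createHash('sha256').update('constructed demo PAKE output').digest();

// Constructed sample offer; the DTLS fingerprint line is what a MITM would want to swap.
const sampleSdp = 'v=0\r\na=fingerprint:sha-256 00:11:22:33 (constructed)\r\n';

// Derive a purpose-specific key so the raw PAKE output is never used directly.
function offerKey(key) {
  return Buffer.from(crypto.hkdfSync('sha256', key, Buffer.alloc(0), 'webrtc-offer', 32));
}

// Encrypt and authenticate the SDP. `side` ("offerer" or "answerer") is bound as
// associated data so the relay cannot reflect a message back to its sender.
function sealOffer(key, side, sdp) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', offerKey(key), nonce);
  cipher.setAAD(Buffer.from(side));
  const ct = Buffer.concat([cipher.update(sdp, 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]).toString('base64');
}

// Returns the SDP, or null if the message was modified, substituted or reflected.
function openOffer(key, expectedSide, sealed) {
  const raw = Buffer.from(sealed, 'base64');
  if (raw.length < 28) return null; // 12-byte nonce + 16-byte tag minimum
  const d = crypto.createDecipheriv('aes-256-gcm', offerKey(key), raw.subarray(0, 12));
  d.setAAD(Buffer.from(expectedSide));
  d.setAuthTag(raw.subarray(12, 28));
  try {
    return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
  } catch {
    return null; // authentication failed: do not feed this to the peer connection
  }
}

// What a tampering relay can do without the key: flip bits in the sealed blob.
function relayTamper(sealed) {
  const raw = Buffer.from(sealed, 'base64');
  raw[raw.length - 1] ^= 0x01;
  return raw.toString('base64');
}
```

The relay still sees that two parties are exchanging messages; only the content and integrity of the offer are protected.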