Privacy Mar 30, 2026 · 8 min read

Is Peer-to-Peer File Transfer Secure? How WebRTC Encryption Works

Yes — and the reason is DTLS-SRTP, the same mechanism your browser uses for video calls. The short version, no crypto degree required.

The TL;DR

WebRTC peer connections — what InterDrop and every browser-based file-transfer tool runs on — encrypt every byte with DTLS-SRTP. That’s the same primitive Zoom, Meet, and Discord use for voice and video. The encryption keys are negotiated between the two browsers and never leave them.

What gets encrypted, and when

  1. Setup. A small signalling server helps the two browsers find each other. It sees IP addresses and a handful of bytes describing the connection — never your file.
  2. Handshake. The browsers run a DTLS handshake — a cousin of TLS, the lock icon in your address bar — and agree on a one-time symmetric key.
  3. Transfer. Every chunk of your file is sealed with that key. An attacker tapping the wire sees opaque bytes.
  4. Teardown. When you close the tab, the keys are discarded. There’s no archive to re-decrypt later.

What it does (and doesn’t) protect against

Protected:

  • Anyone on the same coffee-shop Wi-Fi as you.
  • Your ISP, your VPN provider, intermediate routers.
  • The signalling server itself — even if it’s compromised, it has no file and no keys.

Not protected against:

  • Malware on either endpoint device. End-to-end encryption stops at the ends; if the recipient’s machine is owned, so is the file.
  • Shoulder-surfing the recipient as they open it.
  • Connecting to a different person by mistake. Confirm names/avatars before sending sensitive files.
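The connection description that the signalling server relays is SDP, and it carries an `a=fingerprint` line: the hash of the certificate the peer presents in the DTLS handshake. As an added example (not InterDrop's code), the check below compares the remote fingerprint with one the intended recipient gave you over a separate channel, confirming you are connected to the right device; the function names, sample SDP and sample fingerprint are constructed for illustration.

```javascript
// Added example, not InterDrop code. The SDP and fingerprint are constructed.
const SAMPLE_FP = Array.from({ length: 32 }, (_, i) =>
  (i * 7 + 1).toString(16).padStart(2, '0')).join(':').toUpperCase();
const SAMPLE_SDP = [
  'v=0', 'o=- 1 2 IN IP4 127.0.0.1', 's=-', 't=0 0', 'a=group:BUNDLE 0',
  'm=application 9 UDP/DTLS/SCTP webrtc-datachannel', 'c=IN IP4 0.0.0.0',
  'a=setup:actpass', 'a=mid:0', 'a=sctp-port:5000',
  'a=fingerprint:sha-256 ' + SAMPLE_FP,
].join('\r\n');

// Hash name -> digest length in bytes. Hashes weaker than SHA-256 are refused.
const ACCEPTED = new Map([['sha-256', 32], ['sha-384', 48], ['sha-512', 64]]);

// Collect every a=fingerprint line (session-level or per media section).
function extractFingerprints(sdp) {
  const re = /^a=fingerprint:(\S+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)\s*$/;
  const found = [];
  for (const line of sdp.split(/\r?\n/)) {
    const m = re.exec(line);
    if (m) found.push({ alg: m[1].toLowerCase(), hex: normalise(m[2]) });
  }
  return found;
}

// Strip separators and case so "ab:cd", "AB CD" and "abcd" compare equal.
function normalise(fp) {
  return fp.replace(/[^0-9A-Fa-f]/g, '').toUpperCase();
}

// `expected` is the fingerprint the intended recipient read out or sent
// over a separate channel (phone call, in person), never via signalling.
// Assumes one certificate per peer, so every fingerprint line must match.
function verifyPeer(remoteSdp, expected) {
  const fps = extractFingerprints(remoteSdp);
  if (fps.length === 0) return { ok: false, reason: 'no fingerprint in SDP' };
  const want = normalise(expected);
  for (const { alg, hex } of fps) {
    const bytes = ACCEPTED.get(alg);
    if (!bytes) return { ok: false, reason: 'weak or unknown hash: ' + alg };
    if (hex.length !== bytes * 2) return { ok: false, reason: 'wrong length' };
    if (hex !== want) return { ok: false, reason: 'fingerprint mismatch' };
  }
  return { ok: true, reason: 'match' };
}

// In a browser: verifyPeer(pc.remoteDescription.sdp, fingerprintFromRecipient)
console.log(verifyPeer(SAMPLE_SDP, SAMPLE_FP));
```

Each side reads its own fingerprint from `pc.localDescription.sdp` and shares it with the other person outside the app.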

“End-to-end” means the encryption ends at the two devices — not at some server pretending to be in the middle.

Versus uploading to the cloud

A cloud share is encrypted at rest on the provider’s side, then re-encrypted in transit. That makes two encryption boundaries, with one cleartext window in the middle on the provider’s servers. P2P collapses that to one boundary, with no cleartext window at all.

[Diagram: Server, A (Sender), B (Recipient). Caption: File never leaves your network.]

  • Path: Direct
  • Network hops: 1
  • Server copy: 0
  • Privacy: End-to-end

Frequently asked

Is WebRTC's encryption mandatory or optional?
Mandatory. Browsers refuse to set up a WebRTC data channel without DTLS. There is no 'plaintext mode'.
What cipher does it use?
AES-128-GCM or ChaCha20-Poly1305, negotiated at handshake time. Both are authenticated ciphers — tampering with the stream is detectable.
Is the signalling server a trust risk?
Limited. It learns that two peers want to connect and their network addresses. It never learns the symmetric key or sees file bytes.
What if the connection falls back to a relay (TURN)?
The relay carries encrypted bytes only — it can't read them. It looks like a slower router from the encryption's perspective.

Try peer-to-peer for yourself.

Open InterDrop on this device, open it on the device you want to send to, and drop a file. No sign-up. No install.