Why This Matters

Every modern streaming product is expected to ship encrypted by default. App stores reject WebRTC apps that send plaintext RTP. Browsers refuse to play HLS over http:// URLs. Enterprise customers fail security reviews on the first finding of a self-signed certificate. The product manager who does not understand the difference between TLS, DTLS, SRTP, and mTLS ends up either rubber-stamping a vendor's claim of "bank-grade encryption" without knowing whether it covers the media path or the manifest path, or burning a sprint on a SOC 2 finding that a junior engineer could have fixed in a day. This article explains the four protocols in plain language, shows which one protects which part of the pipeline, and lists the practical defaults you should ship in 2026.

One sentence per protocol, before we go deeper

Before the deep dive, the four names in one sentence each.

TLS — Transport Layer Security, the encryption that wraps HTTPS, runs over TCP, and protects every HLS manifest fetch, every DASH segment download, every signalling message, and every dashboard login. Current version: TLS 1.3 (RFC 8446, August 2018). The standard you already know.

DTLS — Datagram Transport Layer Security, the same security guarantees as TLS but adapted to run over UDP, where packets can arrive out of order, get duplicated, or vanish. Current version: DTLS 1.3 (RFC 9147, April 2022). In WebRTC it is the protocol that performs the initial handshake before any media flows.

SRTP — Secure Real-time Transport Protocol, the encryption that wraps individual RTP media packets after DTLS has finished its handshake. Specified in RFC 3711 (March 2004). DTLS does the handshake; SRTP does the per-packet work.

mTLS — mutual TLS, the configuration of TLS in which both sides present a certificate and verify the other's, not just the client verifying the server. Not a separate protocol — a deployment mode. Common in service-to-service ingest authentication and, since February 2026, in CloudFront's origin-mTLS feature for end-to-end zero-trust delivery.

TLS — the layer that already protects most of the pipeline

TLS sits between TCP and HTTP. Every HLS manifest your player fetches, every DASH segment your CDN serves, every dashboard request your operations team makes — it all rides over TLS in 2026. Apple's HLS Authoring Specification (revision 2025-09, §2.1) requires HTTPS for any HLS content delivered to App Store apps; DASH-IF guidelines recommend the same; modern browsers throw a mixed-content error on plaintext segments referenced from an HTTPS page.

The mechanics in one paragraph. A client opens a TCP connection to the server. The two sides perform the TLS handshake: the client sends a ClientHello listing the cipher suites and TLS versions it supports plus a random number; the server replies with a ServerHello choosing one cipher suite, a TLS certificate signed by a trusted certificate authority, and its own random number; the client validates the certificate, derives shared key material via Diffie-Hellman over an elliptic curve (X25519 is the modern default), and both sides switch to encrypted communication. TLS 1.3 finishes this in one network round trip, half what TLS 1.2 needed. Once the handshake is done, every HTTP request and response is wrapped in an Application Data record that nobody on the path can read or alter.

Two TLS 1.3 features matter for streaming specifically. 0-RTT (zero round-trip-time) resumption lets a returning client send its first HTTP request alongside the handshake, eliminating the round trip on repeat visits — useful for a viewer who rejoins a live stream after a brief disconnect. The cost is a small replay-attack window, which is why most HLS / DASH deployments enable 0-RTT only for idempotent GETs on segments, never for POSTs to a signalling endpoint. Encrypted Client Hello (ECH), promoted to RFC 9849 in March 2026, encrypts the Server Name Indication (SNI) field so that an on-path observer cannot tell which hostname a client is requesting. Cloudflare, iOS, Android, Edge, and Firefox have shipped ECH; for streaming products that operate in restrictive networks (corporate proxies, certain national networks), ECH is the difference between a stream that loads and a stream that gets blocked by a hostname-based filter.

In practical terms, TLS for a streaming product means three things in 2026: serve every URL over HTTPS (no plaintext fallbacks), pick TLS 1.3 with TLS 1.2 as a fallback only for the long tail of older devices, and use HSTS (HTTP Strict Transport Security) with max-age=31536000 so that no client ever downgrades to plaintext.

Layer diagram with four columns. Column 1 (TLS) labelled HLS, DASH, dashboard, signalling, sits above TCP, runs to HTTPS clients. Column 2 (DTLS) labelled WebRTC handshake, sits above UDP. Column 3 (SRTP) labelled RTP media, sits above UDP, is bootstrapped by the DTLS handshake. Column 4 (mTLS) shown as a deployment mode on top of TLS, used between CDN and origin and between ingest client and ingest server. Figure 1. The four protocols, where each lives in the network stack, and which streaming surface each one protects. TLS handles every HTTP-based flow; DTLS handles the WebRTC handshake; SRTP wraps the actual RTP media packets; mTLS is a deployment mode that adds client-side identity to TLS or DTLS.

DTLS — TLS that survives lost packets

DTLS exists because TLS assumes a reliable, in-order transport (TCP) and falls apart on UDP, where the handshake messages can arrive out of order, get duplicated, or never arrive at all. DTLS keeps TLS's security model and adds the machinery to survive a lossy datagram channel: every handshake message carries a sequence number so the receiver can reorder; every fragment carries an explicit length so a packet split across two datagrams reassembles cleanly; a stateless cookie exchange in the first round trip prevents an attacker from triggering expensive handshake work by spoofing a source address.

DTLS 1.3 (RFC 9147, April 2022) brought DTLS to parity with TLS 1.3. Same one-round-trip handshake. Same elliptic-curve key exchange. Same forward secrecy. The WebRTC ecosystem has been migrating from DTLS 1.2 to DTLS 1.3 through 2025 and into 2026; major browsers reject DTLS 1.0 and 1.1 outright as of mid-2025, and a media server that offers only deprecated versions will fail to negotiate with a current Chrome or Safari.

In WebRTC, DTLS does two jobs that often get conflated. The first is the handshake itself: the two peers exchange certificates over the ICE-negotiated path, prove ownership of the public key, and derive shared key material. The certificate is almost always self-signed — a fresh ECDSA P-256 keypair generated by the browser for each session — because the certificate's identity is bound to the signalling channel through the certificate fingerprint listed in the SDP a=fingerprint: line (RFC 8842, January 2021). The signalling server vouches that the SDP came from the right user; the SDP vouches that the DTLS certificate belongs to that user; the DTLS handshake verifies the certificate against the fingerprint. No public certificate authority is involved.

The second job is keying SRTP. The DTLS handshake's exporter — a key-derivation function defined in RFC 5705 — produces the master key that SRTP uses to encrypt every subsequent RTP packet. This combined mode is called DTLS-SRTP and is specified in RFC 5764 (May 2010); RFC 8827 (the WebRTC Security Architecture, January 2021) makes DTLS-SRTP mandatory for every WebRTC media stream. There is no legitimate WebRTC deployment in 2026 that does not use DTLS-SRTP; a media server that accepts plaintext RTP is a misconfiguration, not a feature.

SRTP — the actual per-packet encryption

DTLS handles the handshake; SRTP handles the work. Once the DTLS handshake finishes and both sides have the SRTP master key, every RTP packet — audio frame, video frame, FEC packet — gets wrapped by SRTP before it goes on the wire.

The mechanics, briefly. SRTP takes the master key and runs it through a key-derivation function — AES in counter mode driven by the RTP packet's index — to produce a fresh session key for encryption, a session key for authentication, and a session salt. The RTP payload is encrypted with AES-CTR (or AES-GCM in modern deployments), then a 10-byte HMAC-SHA1 tag (or the integrated AEAD tag for GCM) is appended. The RTP header itself is left in the clear so that intermediate boxes can route the packet, but the header is covered by the authentication tag — any byte-level tampering shows up at the receiver as a verification failure and the packet is discarded.

The companion protocol SRTCP protects RTCP, the control channel that carries receiver reports, sender reports, and feedback messages used by congestion control. RFC 3711 §3.4 makes SRTCP integrity protection mandatory because a tampered RTCP report can drive the sender to ruin its own bitrate ladder, and the cost of computing the tag is negligible compared to the cost of a degraded call.

Two production realities about SRTP. First, the per-packet overhead is small — 4 bytes of SRTP index plus the 10-byte (HMAC-SHA1) or 16-byte (GCM) authentication tag per packet — but it adds up: a 2 Mbps video stream with 1200-byte packets generates about 208 packets per second, so SRTP authentication alone adds ~16 kbps. On a constrained mobile link, this is the difference between a clean stream and a struggling one. Second, the choice of cipher matters. AES-128-CM with HMAC-SHA1 was the original RFC 3711 default. AES-128-GCM and AES-256-GCM, specified in RFC 7714 (December 2015), are the modern defaults — slightly larger tag but much faster on hardware that has AES-NI instructions (every server CPU since 2010, every modern mobile SoC). A media server defaulting to AES-CM with HMAC-SHA1 in 2026 is leaving CPU on the table.

SRTP packet structure diagram. RTP header in the clear with version, payload type, sequence number, timestamp, SSRC fields. Encrypted RTP payload. SRTP trailer with the SRTP index and the authentication tag. Annotation showing which parts the AES-CTR or AES-GCM cipher covers (payload) and which the authentication tag covers (header plus payload plus index). Figure 2. The byte layout of an SRTP packet. The RTP header stays readable so middleboxes can route it; the payload is encrypted; the authentication tag covers the header plus the payload plus the SRTP index, so any tampering anywhere in the packet shows up at the receiver as a verification failure.

mTLS — when "the server is who it says" is not enough

In ordinary TLS, only the server presents a certificate. The client verifies the server's identity; the server has no cryptographic proof of who the client is and falls back to whatever the application provides — a username, a bearer token, an API key. Mutual TLS, abbreviated mTLS, inverts this: the client also presents a certificate, the server validates it against a trusted certificate authority, and the connection only proceeds if both certificates check out.

mTLS is not a separate RFC. It is a mode of TLS, available since TLS 1.0 (RFC 2246, 1999), formalised in TLS 1.3's certificate_request extension in RFC 8446 §4.3.2. The protocol cost is one extra certificate sent during the handshake — a few hundred bytes. The operational cost is the certificate lifecycle: every client that talks to the server needs a certificate issued by a CA the server trusts, and that certificate needs to rotate before it expires.

For streaming, mTLS shows up in three places.

Ingest authentication. A live encoder pushing to an origin can authenticate with mTLS instead of (or in addition to) a stream key in the URL. SRT over TLS, RIST with TLS profile, and RTMPS all support mTLS deployment. The benefit: a stream key in the URL leaks if anyone records the encoder's HTTP logs; a client certificate stored in the encoder's hardware security module cannot be extracted by anyone who does not control the encoder. The cost: rotating certificates across a fleet of ingest encoders is operationally non-trivial.

Origin protection between CDN and origin. Until 2026 this was usually done with a shared secret in the X-Origin-Token header. In February 2026 AWS CloudFront launched origin mTLS, in which CloudFront presents a client certificate when fetching from the origin and the origin validates it before serving. Fastly, Akamai, and Cloudflare have shipped equivalents. The result is end-to-end mutually authenticated TLS: viewer ↔ CDN (TLS), CDN ↔ origin (mTLS), with no point in the chain operating on implicit trust.

Service-to-service inside the streaming control plane. Signalling server to transcoder, packager to origin, analytics collector to dashboard — every internal service-to-service call in a hardened streaming product runs mTLS, often via a service mesh (Istio, Linkerd) that issues short-lived (24-hour) certificates automatically. The viewer never sees this layer, but every security review for an enterprise customer asks about it.

mTLS does not encrypt media on the wire any better than ordinary TLS does — both use the same cipher suite once the handshake finishes. What mTLS adds is identity: a guarantee that the connection is between the two parties you expect, not between you and an impersonator who guessed a stream key.

A worked example — where each protocol shows up in one live stream

A live concert is being streamed. A camera feeds an OBS encoder; OBS pushes via SRT over TLS to an ingest origin; the ingest origin transcodes and packages into HLS; a CDN distributes; viewers watch in iOS Safari and a desktop browser.

Step one, encoder → ingest origin: SRT over TLS, with mTLS for authentication. The encoder presents a client certificate provisioned during venue setup; the origin validates it against a venue-scoped CA. The stream cannot be hijacked by anyone who does not hold the private key. This is the TLS-with-client-auth half.

Step two, ingest origin → packager: TLS inside the production VPC. The packager runs in the same private network; the link is mTLS via the service mesh.

Step three, packager → CDN origin: TLS. The CDN's edge nodes fetch HLS segments and manifests over HTTPS from the packager-fronted origin; if the CDN supports it, this leg also uses mTLS for origin protection. CloudFront's origin-mTLS feature has been generally available since February 2026.

Step four, CDN → viewer: TLS. iOS Safari and the desktop browser fetch .m3u8 and .ts (or .mp4 for CMAF) over HTTPS. TLS 1.3 with X25519 key exchange and AES-128-GCM cipher suite. Encrypted Client Hello hides the hostname from on-path observers.

Step five, if the same product offers WebRTC for a low-latency tier: the viewer's browser negotiates ICE candidates with the SFU, performs a DTLS 1.3 handshake over the selected ICE path, and from that point on every RTP packet is SRTP-encrypted with AES-128-GCM.

Five protocols (counting WebRTC's DTLS-then-SRTP as two) covering five legs of the pipeline. Every byte of media is encrypted in transit; every leg has a mutually authenticated identity for the parties at each end.

End-to-end streaming pipeline showing encoder, ingest origin, packager, CDN origin, edge, and viewer, with each leg labelled by the encryption protocol (SRT-over-TLS with mTLS, TLS in-VPC, TLS to CDN, optionally mTLS for origin protection, TLS to viewer). A second branch below shows the WebRTC alternative where DTLS handshake bootstraps SRTP for direct viewer-to-SFU media. Figure 3. Every leg of a 2026 streaming pipeline is encrypted, and every leg has an identity. TLS protects HTTPS legs; SRT-over-TLS protects the live ingest; mTLS proves the parties on both ends of CDN-origin and service-to-service hops; DTLS handshake plus SRTP protects the WebRTC media leg.

Common pitfalls

Pitfall 1: treating "we use HTTPS" as proof of end-to-end encryption. A typical mistake during enterprise security reviews. HTTPS on the viewer leg does not guarantee that the segments were encrypted on the ingest leg, that the CDN-to-origin hop is mutually authenticated, or that the WebRTC media path actually uses SRTP. Each leg needs its own audit.

Pitfall 2: still negotiating DTLS 1.0 or 1.2 on a current media server. Old coturn or Janus configurations sometimes leave DTLS 1.0 enabled "for compatibility". Modern browsers reject it; the call never connects, the logs show only "DTLS handshake failed". Pin the configuration to DTLS 1.2 minimum, DTLS 1.3 preferred. RFC 8996 (March 2021) formally deprecated TLS 1.0 and 1.1 across the industry.

Pitfall 3: forgetting that DTLS-SRTP key material is bound to the call. A common bug in WebRTC stacks is to reuse the DTLS certificate across sessions but assume the SRTP key rotates automatically. The keys derive from the handshake; if you reuse handshakes, you reuse keys. Always generate a fresh DTLS handshake per session, and let RFC 5764 §4.2's exporter handle the SRTP master-key derivation.

Pitfall 4: shipping mTLS with no certificate-rotation runbook. A client certificate expiring at 03:00 on a Saturday — that is the production incident waiting to happen. Use short-lived certificates (24 hours or less for service-to-service, 90 days for ingest encoders) and an automated renewal pipeline. SPIFFE / SPIRE, cert-manager on Kubernetes, and HashiCorp Vault PKI are the three production-grade choices in 2026.

Pitfall 5: relying on AES-CM with HMAC-SHA1 for SRTP on modern hardware. Every CPU shipped since 2010 has AES-NI; every modern mobile SoC has AES acceleration. AES-GCM (RFC 7714) finishes faster, has integrated authentication, and is what every browser actually negotiates first. A media server that defaults to AES-CM in 2026 is leaving CPU and bandwidth on the table.

Where Fora Soft Fits In

Fora Soft has been building WebRTC, video conferencing, OTT, telemedicine, e-learning, surveillance, and AR/VR software since 2005, with 239+ shipped projects. The encryption layer is the part of a streaming product that customers in regulated verticals — telemedicine HIPAA, surveillance evidentiary chain-of-custody, e-learning student-data protection — examine first during procurement. We ship products with DTLS 1.3 negotiated end to end, AES-GCM SRTP, mTLS on every ingest and origin hop, and short-lived certificate rotation through a service-mesh or PKI pipeline, instrumented with handshake-failure dashboards so a misconfigured cipher suite surfaces in minutes rather than during the next quarterly audit.

What to Read Next

Talk to Us / See Our Work / Download

  • Talk to a streaming engineer — book a 30-minute scoping call to review the encryption layer of your streaming product.
  • See our case studies — telemedicine, surveillance, and OTT projects with end-to-end mutual TLS and DTLS-SRTP.
  • Download: Streaming Encryption Configuration Checklist (PDF) — one-page reference covering TLS 1.3 configuration, DTLS 1.3 negotiation, SRTP cipher choice, mTLS certificate rotation, and the audit questions that come up in every enterprise security review.

References

  1. IETF RFC 8446, The Transport Layer Security (TLS) Protocol Version 1.3, E. Rescorla, August 2018. Obsoletes RFC 5246. The controlling specification for TLS 1.3: handshake structure, key schedule, cipher suites, 0-RTT.
  2. IETF RFC 9147, The Datagram Transport Layer Security (DTLS) Protocol Version 1.3, E. Rescorla, H. Tschofenig, N. Modadugu, April 2022. The controlling specification for DTLS 1.3 — same security goals as TLS 1.3, adapted for unreliable datagram transport.
  3. IETF RFC 5764, Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP), D. McGrew, E. Rescorla, May 2010. The combined DTLS-SRTP profile that WebRTC uses; the §4.2 exporter that produces the SRTP master key.
  4. IETF RFC 3711, The Secure Real-time Transport Protocol (SRTP), M. Baugher et al., March 2004. The controlling specification for SRTP and SRTCP — packet format, key derivation, AES-CTR cipher, HMAC-SHA1 authentication, mandatory SRTCP integrity per §3.4.
  5. IETF RFC 7714, AES-GCM Authenticated Encryption in the Secure Real-time Transport Protocol (SRTP), J. Mattsson, M. Westerlund, December 2015. AES-128-GCM and AES-256-GCM SRTP profiles, the modern default cipher for WebRTC media.
  6. IETF RFC 8827, WebRTC Security Architecture, E. Rescorla, January 2021. The architectural document that makes DTLS-SRTP mandatory for every WebRTC media stream.
  7. IETF RFC 8826, Security Considerations for WebRTC, E. Rescorla, January 2021. The companion document analysing the threat model and the rationale for self-signed DTLS certificates bound to the signalling channel.
  8. IETF RFC 8842, Session Description Protocol (SDP) Offer/Answer Considerations for DTLS-SRTP, C. Holmberg, R. Shpount, January 2021. The a=fingerprint: attribute that binds the DTLS certificate to the SDP.
  9. IETF RFC 9849, TLS Encrypted Client Hello, K. Oku, S. Pauly, C. Patton, March 2026. The newly published RFC standardising ECH; encrypts SNI and ALPN to close the last metadata leak in HTTPS.
  10. IETF RFC 8996, Deprecating TLS 1.0 and TLS 1.1, K. Moriarty, S. Farrell, March 2021. The formal industry-wide deprecation of TLS 1.0 / 1.1, with the matching guidance for DTLS.
  11. Apple HLS Authoring Specification, revision 2025-09, §2.1 (HTTPS required for App Store content). The vendor specification that elevates HTTPS from "recommended" to "required" for HLS distribution into Apple platforms.
  12. AWS CloudFront — Origin mutual TLS (general availability, February 2026). First-party deployer documentation for end-to-end origin mTLS in a major CDN.
  13. Cloudflare — Encrypted Client Hello rollout. Documentation of the production ECH deployment that pushed the feature past 30% of HTTPS traffic by Q1 2026.
  14. WebRTC for the Curious — Securing, Pion maintainers. A high-quality open-source secondary reference for DTLS-SRTP in a working WebRTC implementation.

Per §4.3.2, the article follows the controlling IETF specification on every protocol claim. Where vendor documentation describes a behaviour that diverges from the spec (some vendor blogs still describe HMAC-SHA1 as the SRTP "standard" cipher), the article follows RFC 7714 in identifying AES-GCM as the modern default.