Securing the signaling server
What we have built so far has been in the spirit of teaching a single part of the WebRTC API. This means many shortcuts were taken and we sacrificed performance and security to make it easier to learn. Our signaling server, although it works, is simple in nature and can be upgraded to support a much larger set of features.
Using encryption
The largest and most obvious upgrade is mandatory encryption of the signaling server. Encrypting the signaling server's messages ensures that no one can intercept a message to the server and work out which clients are talking to whom. This is easily the largest security gap in the signaling server we built. It is also the easiest to patch, since encryption is a highly standardized and widely used technology on the Web today.
The two standard encryption methods for our signaling server are HTTPS and WSS. You should recognize HTTPS by now as the standard SSL encryption for websites over HTTP...
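One way to make the encryption mandatory, shown as an added example that is not code from the original text: the signaling socket is served only over WSS, and the plaintext port refuses WebSocket upgrades and redirects everything else to HTTPS. The helper names, the option fields (`keyFile`, `certFile`, `publicHost`, the ports) and the use of the third-party `ws` package are assumptions.

```javascript
// Added example: WSS-only signaling listener. Helper names, option fields
// and ports are assumptions; `ws` is the third-party WebSocket package.
const fs = require('fs');
const http = require('http');
const https = require('https');

// Client-side guard: refuse to open a signaling socket that is not wss://.
function isSecureSignalingUrl(url) {
  try {
    return new URL(url).protocol === 'wss:';
  } catch (err) {
    return false; // not a parseable URL
  }
}

// How the plaintext port answers. WebSocket upgrades are refused so no
// signaling message crosses the wire unencrypted; other requests are
// redirected to the configured HTTPS host (never the client's Host header).
function plaintextDecision(headers, path, publicHost) {
  if (String(headers.upgrade || '').toLowerCase() === 'websocket') {
    return { status: 403, headers: { Connection: 'close' } };
  }
  // Absolute-form request targets must not leak into the redirect URL.
  const safePath = String(path).startsWith('/') ? path : '/';
  return { status: 301, headers: { Location: 'https://' + publicHost + safePath } };
}

function startSecureSignaling(opts) {
  const Server = require('ws').Server; // loaded only when the server starts
  const secure = https.createServer({
    key: fs.readFileSync(opts.keyFile),   // PEM private key
    cert: fs.readFileSync(opts.certFile), // PEM certificate chain
    minVersion: 'TLSv1.2',
  });
  const wss = new Server({ server: secure }); // wss:// rides on the TLS listener
  wss.on('connection', opts.onConnection);
  secure.listen(opts.securePort);

  // No 'upgrade' listener is registered, so Node (v10+) passes upgrade
  // requests to this handler like any other request.
  const plain = http.createServer((req, res) => {
    const d = plaintextDecision(req.headers, req.url, opts.publicHost);
    res.writeHead(d.status, d.headers);
    res.end();
  });
  plain.listen(opts.plainPort);
  return { secure, plain, wss };
}
```
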