Yep the cloudflare worker is in the chain of trust for e2e. There’s an attack vector with signalling servers where you can alter the SDP. This won’t allow MITM but would cause you to connect to the attacker who could then pretend to be the person you were connecting to.
That said, if your users can trust you’ve deployed this worker and that the worker doesn’t hijack the SDP, the e2e would be legit beyond that bit of trust. TURN doesn’t see the clear RTP payloads nor does the signalling server.
That said, if your users can trust you’ve deployed this worker and that the worker doesn’t hijack the SDP, the e2e would be legit beyond that bit of trust. TURN doesn’t see the clear RTP payloads nor does the signalling server.