After reading the source code (and observing the Chrome dev console output) you have to realize:
1. there is a need for a 'signaling server'
2. session encryption keys are exchanged through that server
Yes, anyone could set up their own small server and call through it, and make sure the TLS / SSL cert of their server is intact etc. That will not be the case for the avg Joe. Not to mention that the browser itself will be an attack vector.