Update: Zoom has added end-to-end encryption (E2EE). Jitsi has also added E2EE for the latest browsers. Some parts were edited to reflect these changes.

The pandemic has changed many things that effect security for companies and individuals alike. Many more people are working from home and spending a lot of time on their computer. Also all the hackers and crackers are confined to their battle stations, which for them may be more normal. Anyway,  somehow everyone is finding themselves spending more time online. One thing that people are doing a lot more, whether by choice or lack of options, is video conferencing. I did a little digging and here are my findings on the security of common solutions. I'm looking at solutions that allow more the two people to chat with video. Otherwise I would just recommend Signal.

Update: Here is a very informative report on video conferencing platforms by CR.

On video conferencing security

Tool encryption overview

End-to-End encrypted video conferencing options

  • Jitsi Meet
  • Facetime (Apple only)
  • Wire (paid option)
  • WhatsApp (max 4 users)
  • Webex (turn on manually)
  • Skype
  • Zoom

Transport layer encrypted, where the server admin can access traffic

  • Google Meet
  • MS Teams

This category seems to be collection of WebRTC tools that are all variations of the same specification. Most of today's web based video chat solutions are made with what is the only standard supported by most browsers. Therefore they are very close to each other in their quality. The main differences are what tools you can integrate and which company can you trust with your data. It in fact looks like the more secure software is using custom protocols at the moment. Though I have heard that better privacy and encryption options are in the pipeline for WebRTC as well.

More on security

People having more time in quarantine has manifested in much more reports on regular security issues with common tools, like Zoom, which people use for video conferencing. In my mind the main revelations are that Zoom has had a somewhat careless attitude on software development and marketing in general. On top of that they have allowed a few key issues to go wrong in a bad way. Contrary to how everyone else markets their encryption, Zoom managed to claim their video to be End-to-End encrypted, when it really is processed and readable on the server, so not E2E at all (though this has now changed recently). Secondly, they issued encryption keys on their servers so that they will always have a copy, which further exposes the user to snooping, be it lawful or not. They also managed to use the worst possible encryption setting for AES, which is the ECB mode. The flaws are illustrated well in this article at The Intercept and on Wikipedia. I have attached the example images below as well. Last but certainly not the least, it seems that some of the encryption keys have been generated on Chinese servers. Operating infrastructure in both China and The US, leaves this software open to two of the major powers that people or companies may wish to keep their discussions private from.

Unencrypted badly encrypted

A lot of this is very technical and in the end the damage is not as bad as it looks. Security enthusiasts were already avoiding extra client software installs, and most people do not have much to lose if governments end up hearing their conversations. The main risk would be something political or relating to bigger business secrets that may offer an economic advantage. Though Zoom has not been free of other exploitable security vulnerabilities either, but they are being fixed. Update: Zoom currently offers end-to-end encryption on all levels of service.

Pricing

From my online research on the pricing of video conferencing services, it seems that there are roughly three tiers of services. The well known affordable or free SaaS options that cost 0-30 moneyz per host. Then there are some privately installed or federated services that are often billed by user at 30-50 money/user. The third option often includes hardware and custom installation with widescreen TV's and top of the line webcams. I'm sure you can pay as much as you want for this option, but the entry level seems to be around a few thousand moneyz.

My suggestion

Like I said, as long as you are having a beer with a friend or playing cards online to pass your quarantine, most of this is not really an issue. For those who want to have security, there are some usable options. Paid services always require you to trust the provider in some way, so running your own system may feel like a solid option. It is a very workable solution, but requires work, upkeep and resources in a different way. Something like Cisco's Webex offers even E2E encryption (if you turn it on), but may cost you money and you have to trust both the company and the country where it is based.

For a solution that tries to mitigate the issues with trusting outside service providers, I made a containerized version of Jitsi Meet. It's an open source web based video conferencing solution. Though the free servers are in the US, which brings in the issues of latency for the video round trip and the jurisdictional liability. This is why there is an important difference in hosting your own ( less so with the current more secure version). This way you are in control of logs, any data in motion and TLS certificates etc. Which is much closer to comprehensive security, even though it was not e2e (it is now if you enable it). It can also be run conveniently in Docker. For a reasonable size company or hobby group, Jitsi Meet as a private install offers control over the data and security. A private server will end up costing about the same as a single user on an external service, not counting time for updates and such, which can be mostly automated anyway. Additionally this way of using it will leak less metadata to third parties than using a hosted service.

For the truly paranoid company, you could always set up your video conferencing service inside a VPN. Though even a VPN will not give you End-to-End encryption in this case. But I would say the level of protection is high enough. I'll write about setting up your own VPN in the future.

If you are four people or less, there is likely an app you already have that supports E2E encryption. Whatsapp does allow multi user calls, but sadly only up to four people in the same call. Or if everyone has an Apple device you can do FaceTime.

Update: Now you can use even the public Jitsi Meet and have E2EE to protect your content form outsiders who are not in on the call. Running your own will still give bandwidth benefits and prevent meta data from leaking to third parties. Zoom also updated their system to support E2EE, but their source code is less visible and there is the risk that it was implemented with similar diligence as their previous security measures.

Sources

I'm interested in helping out your company if you need tools to survive the quarantine with heavier than usual remote working requirements. I  have a very usable temporary solution based on open source tools for small to medium sized companies.

~ Read next post in security ~

On securing communication and your data

Posted by Peter

3 min read