The BondiSuite team has selected the best open source software to develop a suite of services that our customers can rely on. That means, amongst other things, we are very mindful of the security and privacy aspects that affect our customers. In this note we are going to go through some practical use cases within the BondiVideo implementation.
Is BondiVideo is fully secure? What does this really mean?
BondiVideo meetings are simply private by design. To begin with:
- all meeting rooms are ephemeral: they only exist while the meeting is actually taking place
- they get created when the first participant joins the conference, and they are destroyed when the last one leaves
- If someone joins the same room again, a brand-new meeting is created with the same name without connection to any previous meeting that might have been held with the same name.
- It is not possible to “pre-create” rooms, that let a potential attacker distinguish reserved from unreserved meetings which then makes the reserved meetings easier to identify and target.
Our customers have to be really careful about how they choose meeting’s name and advertise them. We don’t want other people accidentally stumbling into your meetings. The meeting’s name is sensitive and needs to be protected. You shouldn’t send it to anyone you do not want in your meeting. Advertising this name publicly, for example on social media, is something you should only ever do if you truly are comfortable with maximum exposure and the possibility of unwelcome visitors.
Then there’s the matter of choosing the name. If you start a meeting with the name “Test”, “ProspectsReview” or “MondayMeeting” for example, chances of having some random uninvited people joining are very, very high. How does one pick a good room name then? You have to pick a name and make sure it is long enough. BondiVideo also give users the option to set a meeting password. A few important things to keep in mind: if you do set a password, it is your responsibility to communicate it to your peers. More importantly, keep in mind that your password, just as chat and speaker stats, will be reset once the last person leaves the room. So you have to make sure that you set the password again, if you find yourself ending the meeting and then rejoining. A similar approach you might consider would be to append a random character sequence at the end of your room name.
Anyone can mute or kick me out of my meeting, what’s up with that?
BondiVideo models its meetings after in-person gatherings. Take the case of 8 people having a discussion in a room. You wouldn’t expect one person to have exclusive “kick” and “mute” privileges in an in-person meeting and yet, those meetings usually go fine.
In the vast majority of cases, moderation controls in online meetings serve a different purpose: they help address technical related issues, such as people not realizing their microphones are introducing noise, or people forgetting to leave. Moderation controls help you solve those, so that people can continue their conversation. And now, with that in mind, why wouldn’t you want to enable anyone in the meeting to help solve these kinds of issues? For that reason, our moderation controls are soft, and for everyone.
Are my meetings encrypted? Is encryption end-to-end?
- BondiVideo meetings can operate in 2 ways: peer-to-peer (P2P) or via the BondiVideo Videobridge (JVB). This is transparent to the user. P2P mode is only used for 1-to-1 meetings. In this case, audio and video are encrypted using DTLS-SRTP all the way from the sender to the receiver, even if they traverse network components like TURN servers.
- In the case of multiparty meetings all audio and video traffic is still encrypted on the network (again, using DTLS-SRTP). Packets are decrypted while traversing BondiVideo Videobridge, however they are never stored to any persistent storage and only live in memory while being routed to other participants in the meeting. Our customers own a private AWS server.
Since BondiVideo is built on top of Jitsi and WebRTC, a deeper look into its security architecture is very important when evaluating BondiVideo’s security aspects. The media is decrypted in BondiVideo Videobridge as currently there is no way to do without this in WebRTC. At the moment WebRTC has no way to negotiate multi-party encryption over a single connection. Every client sets up a separate crypto context with the video router, which then has to trans-crypt the data as it relays it from one client to another. However, the folks from the WebRTC team are working on providing the necessary APIs in the browser so applications can add an additional layer of encryption that would allow apps to add an end-to-end encryption layer while still allowing Selective Forwarding Units to function. You can bet we will be all over this as soon as possible.
What do you do with my data?
Our customer can buy a recording option. In this case, recordings are kept on customer’s server.