
A closer look at Skype for business and Jitsi Meet

This is the final post in a series examining the security of various video-conferencing products for business. In this post we examine Skype for Business and Jitsi Meet. Earlier posts covered Zoom, Microsoft Teams, Cisco Webex, Google Meet, BlueJeans, Tixeo and BigBlueButton.

To read about our approach to this analysis, understand the target security model we applied, or see a side-by-side comparison of all the products reviewed, please visit the first post in this series.

If you are interested in the detail for Skype for Business or Jitsi Meet, please read on.

Skype for Business

Skype for Business (previously Microsoft Lync and Office Communicator) is a proprietary unified-communications platform developed by Microsoft as part of the Microsoft Office suite. It provides audio, video, instant messaging and file transfer, and is integrated with the rest of the Office suite, notably Exchange and SharePoint.

Features

The solution originally required an on-premise Skype for Business Server plus a client installed on each workstation. The client is now bundled with Office 2019 and Microsoft 365, and the service is also offered in the cloud (SaaS), increasingly via Teams. Clients exist for the most popular platforms (Android, iOS, Windows, macOS) but not for GNU/Linux.

Skype for Business interfaces with Exchange to manage calendars, meetings, presence indicators and document sharing.

Skype for Business is a paid product, but the licence is included in most Microsoft licensing bundles.

The on-premise version requires the deployment of several servers and software components (the .NET Framework, Windows Server, SQL Server, etc.) on each server, together with non-trivial network and firewall configuration, so deploying Skype for Business on site can be challenging for SMEs.

In September 2017 Microsoft announced that this solution would be replaced by Microsoft Teams, a new cloud-based collaboration platform. It is therefore perhaps not a long-term solution.

Results table

Criterion | Rating | Notes

Encryption
Uses an appropriate encryption algorithm | Fully | Skype for Business uses TLS and MTLS to encrypt instant messages, and all server-to-server traffic requires MTLS. Media traffic is encrypted with Secure RTP (SRTP), a profile of the Real-Time Transport Protocol (RTP) that uses the Advanced Encryption Standard (AES).
Uses a strong encryption key | Fully | The Skype for Business Web Conferencing server encrypts customer data using AES with a 256-bit key.
Data is encrypted in transit under normal use | Fully | See https://docs.microsoft.com/en-us/skypeforbusiness/optimizing-your-network/security-guide-for-skype-for-business-online
Data stays encrypted on provider servers | Unclear | See https://docs.microsoft.com/en-us/skypeforbusiness/optimizing-your-network/security-guide-for-skype-for-business-online
Voice, Video and Text are all encrypted | Fully | Skype for Business uses TLS and MTLS to encrypt instant messages, and media traffic is encrypted using SRTP with AES.
File transfers & session recordings are encrypted | Fully | See https://docs.microsoft.com/en-us/microsoft-365/compliance/encryption?view=o365-worldwide
Vendor technically can't decrypt the data at any point, even under regulatory pressure (full E2EE) | Partially | Microsoft holds the encryption keys by default; customers can supply their own key (Customer Key) to encrypt data at rest if they wish. A full on-premise version is available via Skype for Business Server. See https://docs.microsoft.com/en-us/microsoft-365/compliance/customer-key-overview?view=o365-worldwide
Encryption implementation has withstood scrutiny over time | Fully |

Authentication
Administrators can define password security policies | Fully | Managed by Azure AD. See https://docs.microsoft.com/en-us/azure/active-directory-domain-services/password-policy
Supports MFA as default | Fully | Modern Authentication is the Microsoft implementation of OAuth 2.0 for client-to-server communication. It enables security features such as Certificate-Based Authentication, Multi-Factor Authentication and Conditional Access. See https://docs.microsoft.com/en-us/skypeforbusiness/optimizing-your-network/security-guide-for-skype-for-business-online
Can integrate with Active Directory or similar | Fully |
Can integrate with SSO solutions via SAML or similar | Fully |
Offers RBAC | Fully | See https://blog.insideo365.com/2016/04/managing-skype-for-business-online-administrator-rights/
Allows passwords to be set for meetings | No |
Allows meeting password security policies to be set | No |

Jurisdiction
Headquarters address | USA | One Microsoft Way, Redmond, Washington, U.S.A.
The vendor cannot technically access any data without the client's consent | Partially | Microsoft holds the encryption keys by default; customers can supply their own key to encrypt data at rest if they wish.
A full on-prem version is available for users who don't want to trust the vendor | Fully | See https://info.calltower.com/blog/skype4b-online-vs-server-edition
For SaaS modes of deployment, the client can select which countries or political regions data is stored or processed in | Unclear | Microsoft offers a feature called Multi-Geo, but it is only available for Exchange Online, OneDrive, SharePoint Online and Microsoft 365 Groups. See https://www.microsoft.com/en-gb/microsoft-365/business/multi-geo-capabilities
Complies with appropriate security certifications (e.g. ISO27002 or BSI C5) | Fully | See https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-home
Complies with appropriate privacy standards (e.g. FERPA or GDPR) | Fully | See https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-home
Provides a transparency report that details information related to requests for data, records, or content | Fully | See https://www.microsoft.com/en-us/corporate-responsibility/law-enforcement-requests-report

Security Management
Offers other forms of access control to meetings, e.g. waiting rooms, lockout, banning etc. | Partially | There is a lobby feature. See https://support.microsoft.com/en-us/office/change-participant-settings-for-skype-for-business-meetings-9175e297-de5f-43b2-8e0f-85cc05e24986
Allows granular control over in-meeting actions like screen sharing, file transfer, remote control | Fully | See https://docs.microsoft.com/en-us/skypeforbusiness/set-up-policies-in-your-organization/set-up-conferencing-policies-for-your-organization
Offers clear central control over all security settings | Fully | See https://techcommunity.microsoft.com/t5/microsoft-teams-blog/announcing-the-new-microsoft-teams-amp-skype-for-business-admin/ba-p/179534
Allows for monitoring and maintenance of endpoint software versions | Partially | Managed by other Microsoft services if on a Windows device.
Provides compliance features like eDiscovery & Legal Hold | Fully | See https://docs.microsoft.com/en-us/microsoft-365/compliance/ediscovery?view=o365-worldwide and https://docs.microsoft.com/en-us/exchange/policy-and-compliance/holds/holds?view=exchserver-2019
Auditing and Reporting | Fully | See https://docs.microsoft.com/en-us/skypeforbusiness/skype-for-business-online-reporting/skype-for-business-online-reporting
Additional content security controls like DLP, watermarking, etc. | Unclear | Microsoft 365 offers a data loss prevention service, but it is not clear to us whether it applies to Skype for Business. See https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide

Vulnerability Management
Percentage of NVD 2019 | 0.02% |
Percentage of NVD 2020 | 0.00% |
Vendor discloses which vulnerabilities have been addressed | Partially |
Vendor runs a bug bounty | Fully | See https://www.microsoft.com/en-us/msrc/bounty-microsoft-cloud?rtc=1

Encryption

By applying a standard set of security mechanisms (OAuth, TLS and the Secure Real-Time Transport Protocol, SRTP), data on Skype for Business Server is protected over the network[1].

Network communications are encrypted between clients and the server. The encryption keys are held by Microsoft by default, so Microsoft is technically able to decrypt customer data even though that data is encrypted in transit and at rest.

Skype voice messages are encrypted on Microsoft's servers, but are not necessarily encrypted once downloaded to a user's endpoint. Calls placed to or from the PSTN (the ordinary telephone network) are, of course, not encrypted on the PSTN leg.

To protect against compromised-key attacks, the keys used for Skype for Business media encryption are exchanged in the signalling over TLS connections, and Skype for Business servers, including the one handling chat, use HTTPS to protect web traffic. Those TLS connections terminate at Microsoft's servers, however, so the service sits inside the trust boundary and communications are not encrypted end-to-end.

In 2018 Microsoft announced that it would adopt the Signal Protocol from Open Whisper Systems to provide end-to-end encryption for a new 'Private Conversation' feature in the consumer Skype application. That feature is available to all users on Skype for iOS, Android, Linux, Mac and Windows desktop, but it does not appear to be available in Skype for Business.

Authentication

Authentication is via an internal Active Directory account; Azure Active Directory (AAD) provides a single trusted back-end repository for user accounts. Skype for Business Server also supports server-to-server authentication using the OAuth protocol.

Applying Modern Authentication (the Microsoft implementation of OAuth 2.0) to client-to-server communication enables security features such as Office 365 Certificate-Based Authentication, Multi-Factor Authentication and Conditional Access[2]. Phone call, text message, one-time PIN and mobile-app notification are all supported as second factors.

Jurisdiction & Regulation

Like Teams, Skype for Business inherits much of Microsoft's cloud security maturity, including compliance with most relevant security standards: it meets ISO 27001 and ISO 27018, is SSAE 16 SOC 1 and SOC 2 compliant, is HIPAA compliant and meets the EU Model Clauses[3]. We could not find any reference to Skype for Business and BSI C5 compliance.

However, Skype for Business is delivered by Microsoft, which falls under the jurisdiction of the United States government, and the encryption keys are held by Microsoft, which is therefore technically able to decrypt customer data. This may be a concern for clients operating outside the USA, although it is much less of a concern with an on-premise deployment.

If the organization uses the cloud version of Skype for Business, data is stored in the organization's geographic region, as for the rest of the Office 365 services.

Security Features and Management

Skype for Business Server provides role-based access control (RBAC) so that administrative tasks can be delegated while a high standard of security is maintained.

An administrative portal is available to control security features such as the 'lobby' and to define policies for features such as recording and file sharing.

Skype for Business, like other Microsoft services, follows the Microsoft Security Development Lifecycle (SDL), which includes maintaining an evolving threat model and performing security testing on a regular basis.

Vulnerability & Exploit History

The NIST National Vulnerability Database records four vulnerabilities for Skype for Business and Skype for Business Server since the beginning of 2019:

Year | Reported | NVD total | Percentage
2019 | 4 | 17,308 | 0.02%

All four of these vulnerabilities were rated 'Medium' severity. Although vulnerabilities across the full range of Microsoft technologies are constantly being discovered and attacked, it is fair to say that Microsoft has robust processes and has earned a strong reputation in this regard.

Jitsi Meet

Jitsi is a free, open-source instant messaging, audio and video conferencing application. It can be connected to other systems such as Google Hangouts, allowing interaction with people on other messaging systems, and it allows calls over the Internet as well as to landline and mobile phones.

Features

In our opinion the solution offers more than satisfactory audio and video quality, with no noticeable latency in our tests. Jitsi Meet is built on WebRTC[4] and HTML5[5], which run directly in conventional web browsers, so no client software needs to be installed; native apps are also available for iOS and Android.

The Jitsi server is packaged for Ubuntu and Debian Linux. It can also be run on Windows or macOS inside a virtual machine.

The solution is also highly interoperable with other messaging and communication systems.

On the downside, the solution requires one or more dedicated servers, because the load rises quickly with the number of users. Installation is within the user's own infrastructure, which means a complex configuration and ongoing upkeep of the servers. Automated installation exists for some distributions but not all, and we would caution that manual set-up is not for everyone and can quickly become complex.

Results table

Criterion | Rating | Notes

Encryption
Uses an appropriate encryption algorithm | Fully | All signalling between clients and the server is carried over HTTPS; media is encrypted by WebRTC, which mandates DTLS-SRTP. SRTP uses the Advanced Encryption Standard (AES) as its default cipher (see https://www.callstats.io/blog/2018/05/16/explaining-webrtc-secure-real-time-transport-protocol-srtp). Galois/Counter Mode (GCM) was not yet enabled by default as of April 2020. See https://github.com/jitsi/jitsi-meet/wiki/Jitsi-Meet-Encryption
Uses a strong encryption key | Fully | WebRTC carries real-time audio and video over SRTP (Secure RTP); the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite and the P-256 curve are the mandatory-to-implement scheme for the DTLS handshake. See https://bloggeek.me/is-webrtc-safe/
Data is encrypted in transit under normal use | Fully |
Data stays encrypted on provider servers | No | With exactly two participants Jitsi Meet uses a peer-to-peer mode, which gives end-to-end encryption. With more participants the media is routed through a Jitsi Videobridge and encryption is hop-by-hop: the bridge decrypts the media and re-encrypts it before sending it on. See https://github.com/jitsi/jitsi-meet/wiki/Jitsi-Meet-Encryption
Voice, Video and Text are all encrypted | Fully |
File transfers & session recordings are encrypted | Partially | File transfers are encrypted by virtue of the WebRTC connection. As far as we can tell, stored recordings are not encrypted by the application.
Vendor technically can't decrypt the data at any point, even under regulatory pressure (full E2EE) | N/A | Jitsi Meet, for the purposes of this assessment, is an open-source self-hosted solution.
Encryption implementation has withstood scrutiny over time | Fully |

Authentication
Administrators can define password security policies | No | Accounts, and therefore passwords, are not required, but can be introduced via an LDAP integration.
Supports MFA as default | No |
Can integrate with Active Directory or similar | Fully | See https://github.com/jitsi/jitsi-meet/wiki/LDAP-Authentication
Can integrate with SSO solutions via SAML or similar | Fully | See https://github.com/jitsi/jicofo/blob/master/doc/shibboleth.md
Offers RBAC | No | By default all participants can kick or mute others. If Secure Domain is configured, only the host has moderator privileges. See https://community.jitsi.org/t/moderator-permissions/24745
Allows passwords to be set for meetings | Fully | See https://jitsi.org/security/
Allows meeting password security policies to be set | No | We could not find any reference to meeting password policies.

Jurisdiction
Headquarters address | N/A | Since Jitsi Meet is open source and free, the applicable law is that of the country of the organization that deploys it.
The vendor cannot technically access any data without the client's consent | N/A | There is no vendor, as this is likely to be a self-hosted solution.
A full on-prem version is available for users who don't want to trust the vendor | Fully | Jitsi Meet is primarily designed as an on-premise solution.
For SaaS modes of deployment, the client can select which countries or political regions data is stored or processed in | N/A |
Complies with appropriate security certifications (e.g. ISO27002 or BSI C5) | No |
Complies with appropriate privacy standards (e.g. FERPA or GDPR) | Partially | The way the software works means very little personal data is collected, which makes GDPR compliance easier. See https://jitsi.org/meet-jit-si-privacy/
Provides a transparency report that details information related to requests for data, records, or content | No |

Security Management
Offers other forms of access control to meetings, e.g. waiting rooms, lockout, banning etc. | No | If Secure Domain is configured, participants cannot join until the host has created the room. A full waiting-room (lobby) feature is due to be released imminently. See https://community.jitsi.org/t/lobby-waiting-room/27752/45
Allows granular control over in-meeting actions like screen sharing, file transfer, remote control | No | We could not find mention of this type of control.
Offers clear central control over all security settings | No | Not available, as by default no user accounts are used.
Allows for monitoring and maintenance of endpoint software versions | No | Desktop clients are available but are not managed by the product. Mobile apps update automatically from their app store.
Provides compliance features like eDiscovery & Legal Hold | No | There is no reference to these features; furthermore, data is only stored for the duration of the meeting and is then destroyed.
Auditing and Reporting | Partially | Jitsi Meet does allow some reporting of statistics. See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/statistics.md
Additional content security controls like DLP, watermarking, etc. | Partially | The jitsi.org logo watermark can be replaced with your own, which is then displayed on all meetings.

Vulnerability Management
Percentage of NVD 2019 | 0.00% |
Percentage of NVD 2020 | 0.01% |
Vendor discloses which vulnerabilities have been addressed | Fully | One vulnerability has been recorded for Jitsi Meet in the NIST National Vulnerability Database since the start of 2019 (published in 2020). A medium-severity security bug was recorded with NIST in 2017, and as of April 29, 2020 another potentially serious vulnerability is under consideration by NIST. Jitsi has also been affected by vulnerabilities in third-party software it relies on.
Vendor runs a bug bounty | No | As Jitsi Meet is open source there is no vendor as such; issues are reported and resolved by the community around the project.

Encryption

Jitsi offers two modes of operation:

  • For two participants, the automatic configuration is 'peer-to-peer': the media link is established directly between the two endpoints and the encryption (DTLS-SRTP) is end-to-end.
  • For more than two participants, or if peer-to-peer is unavailable (for example because of NAT or firewall restrictions), the media is routed through the Jitsi Videobridge. Each leg between a client and the bridge is encrypted, but the bridge decrypts and re-encrypts the media, so the encryption is hop-by-hop rather than end-to-end.

The security of the server hosting the solution is the responsibility of the organization. Jitsi Meet is also available from various providers as SaaS, in which case the security of communications also depends on the security of the hosting provider.

Our understanding is that Jitsi plans to support full E2EE on top of WebRTC in a future release, but the timelines and details are not yet clear.

Authentication

Jitsi takes a different approach to security and privacy from the other products discussed here. By default it does not require users to create an account, and any information users choose to enter (name, e-mail, etc.) is optional and is shared only with the other meeting participants. There is no notion of 'authentication' in the default operating mode.

However, Jitsi's configuration can be adapted to connect it to an LDAP directory, or even to enforce strong authentication through a third-party multi-factor authentication system such as privacyIDEA[6]. SAML authentication (via Shibboleth) can also be added by installing additional packages.

Integrating these authentication methods sometimes requires significant adaptation of the default installation[7].
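The two settings discussed above (peer-to-peer mode for two-party calls, and the 'secure domain' set-up that replaces anonymous XMPP authentication with accounts for hosts while guests join through a separate anonymous domain) live in three files of a packaged Jitsi Meet install. The following added example, which is not Jitsi project code, checks those files for the default state and for the hardened one and flags the companion settings that are commonly forgotten. The file contents are constructed samples, the hostname meet.example.com is an assumption, and the checks are regular-expression based rather than a real JavaScript or Lua parser.

```python
"""Audit a self-hosted Jitsi Meet install for P2P and "secure domain" settings.

Added example, not Jitsi project code. The three inputs mirror the files a
Debian/Ubuntu package install creates: /etc/jitsi/meet/<host>-config.js,
/etc/prosody/conf.avail/<host>.cfg.lua and
/etc/jitsi/jicofo/sip-communicator.properties. All texts below are
constructed samples; meet.example.com is an assumed hostname.
"""
from __future__ import annotations

import re

DOMAIN = "meet.example.com"  # assumed deployment hostname

# Constructed sample: the out-of-the-box state (anonymous XMPP auth, P2P on).
WEAK_CONFIG_JS = """
var config = {
    hosts: { domain: 'meet.example.com', muc: 'conference.meet.example.com' },
    // enabled: false   <- commented-out sample line that must be ignored
    p2p: {
        enabled: true
    }
};
"""
WEAK_PROSODY = """
VirtualHost "meet.example.com"
    authentication = "anonymous"
    modules_enabled = { "bosh"; "pubsub"; "ping"; }

Component "conference.meet.example.com" "muc"
    storage = "memory"
"""
WEAK_JICOFO = "org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.meet.example.com\n"

# Constructed sample: secure domain applied (hosts authenticate, guests use an
# anonymous VirtualHost, jicofo is told which domain to enforce).
HARDENED_CONFIG_JS = WEAK_CONFIG_JS.replace(
    "domain: 'meet.example.com',",
    "domain: 'meet.example.com', anonymousdomain: 'guest.meet.example.com',")
HARDENED_PROSODY = WEAK_PROSODY.replace('"anonymous"', '"internal_hashed"') + """
VirtualHost "guest.meet.example.com"
    authentication = "anonymous"
"""
HARDENED_JICOFO = WEAK_JICOFO + "org.jitsi.jicofo.auth.URL=XMPP:meet.example.com\n"


def strip_js_comments(text: str) -> str:
    """Drop // comments; the stock config.js is mostly commented-out examples.
    (Naive: a '//' inside a string literal would also be cut.)"""
    return re.sub(r"//[^\n]*", "", text)


def p2p_enabled(config_js: str) -> bool | None:
    """Value of p2p.enabled, or None if no p2p block sets it."""
    m = re.search(r"p2p\s*:\s*\{.*?\benabled\s*:\s*(true|false)",
                  strip_js_comments(config_js), re.S)
    return None if m is None else m.group(1) == "true"


def anonymous_domain(config_js: str) -> str | None:
    """hosts.anonymousdomain, which must name the guest VirtualHost."""
    m = re.search(r"anonymousdomain\s*:\s*['\"]([^'\"]+)['\"]",
                  strip_js_comments(config_js))
    return None if m is None else m.group(1)


def prosody_auth_by_host(cfg_lua: str) -> dict[str, str]:
    """Map each VirtualHost to its authentication provider ('unset' if absent)."""
    hosts: dict[str, str] = {}
    for block in re.split(r'(?m)^VirtualHost\s+"', cfg_lua)[1:]:
        name, _, body = block.partition('"')
        m = re.search(r'^\s*authentication\s*=\s*"([^"]+)"', body, re.M)
        hosts[name] = m.group(1) if m else "unset"
    return hosts


def jicofo_auth_domain(props: str) -> str | None:
    """Domain named in org.jitsi.jicofo.auth.URL=XMPP:<domain>, if present."""
    m = re.search(r"^org\.jitsi\.jicofo\.auth\.URL\s*=\s*XMPP:(\S+)", props, re.M)
    return None if m is None else m.group(1)


def audit(config_js: str, prosody_cfg: str, jicofo_props: str,
          domain: str = DOMAIN) -> list[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    hosts = prosody_auth_by_host(prosody_cfg)
    auth = hosts.get(domain, "missing")
    if auth in ("anonymous", "unset", "missing"):
        findings.append(f"{domain}: XMPP authentication is '{auth}' (no secure domain), so "
                        "anyone who can reach the site can create a room and every "
                        "participant is a moderator")
    else:  # secure domain is on: the companion settings have to agree with it
        guests = [h for h, a in hosts.items() if h != domain and a == "anonymous"]
        if guests and anonymous_domain(config_js) != guests[0]:
            findings.append(f"guest VirtualHost {guests[0]} exists but config.js "
                            "hosts.anonymousdomain does not name it, so guests cannot join")
        if jicofo_auth_domain(jicofo_props) != domain:
            findings.append(f"jicofo auth URL is not XMPP:{domain}, so jicofo does not "
                            "require an authenticated user before a room is started")
    if p2p_enabled(config_js) is False:
        findings.append("p2p disabled: two-party calls also go through the videobridge and "
                        "lose the only end-to-end encrypted mode currently available")
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG_JS, WEAK_PROSODY, WEAK_JICOFO) or ["no findings"]:
        print("-", finding)
```

Run as is, the script reports the single finding for the default install (anonymous authentication); feeding it the hardened trio returns nothing, and mixing a hardened Prosody file with an untouched config.js and jicofo properties produces the two 'companion setting' findings, which is the state most secure-domain support threads end up describing.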

Jurisdiction & Regulation

The Jitsi application is on the French state's list of free software approved for government use (the SILL, Socle Interministériel de Logiciels Libres), which the French state has maintained since 2016.

Like BigBlueButton, Jitsi is free and open-source software. The applicable jurisdiction therefore depends on the country in which the solution and its data are hosted, and a configuration whose security level satisfies the law in one country will not necessarily satisfy it in another.

The way the software works means very little personal data is collected, which makes GDPR compliance easier. Meeting regulations such as HIPAA or GDPR may nevertheless require low-level configuration changes; the solution is published under the Apache 2.0 licence[8], which makes such changes possible.

Security Features and Management

Jitsi rooms are ephemeral: they exist only while a meeting is taking place and are destroyed when the last participant leaves. Jitsi allows users to set a meeting password, but does not provide a function to share the password automatically (for example in an invitation e-mail). Chat logs and statistics are kept only for the duration of the meeting and are then discarded.

One advantage of open-source options such as Jitsi and BigBlueButton is that it is possible to audit the source code of the application and validate it, or even to modify it.

Vulnerability & Exploit History

The NIST National Vulnerability Database records one vulnerability for Jitsi Meet in the period since the start of 2019:

Year | Reported | NVD total | Percentage
2020 | 1 | 8,022 | 0.01%

A medium-severity security bug had previously been recorded with NIST in 2017, and as of April 29, 2020 another potentially serious vulnerability is under consideration by NIST. Jitsi has also been affected by vulnerabilities in third-party software it relies on.
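The 'Percentage' column in this table and in the Skype for Business table above is the number of NVD entries naming the product divided by all entries published that year. The following added example, which is not the authors' own tooling, shows how that ratio is computed from records in the NVD JSON 1.1 feed layout (CVE_Items, configurations.nodes, cpe_match, cpe23Uri) by matching the vendor and product fields of the CPEs marked vulnerable, descending into nested AND/OR nodes. The feed contents are constructed filler with placeholder IDs rather than real CVEs, and the CPE names microsoft:skype_for_business, microsoft:skype_for_business_server and jitsi:meet are assumptions, so the percentages it produces are for the constructed data, not the figures in the tables.

```python
"""Compute the 'percentage of NVD' metric from NVD JSON 1.1 feed records.

Added example, not the authors' tooling. The records are constructed filler
with placeholder IDs (not real CVEs); the CPE vendor/product names used for
the two products are assumptions.
"""
from collections import Counter


def make_item(cve_id, published, cpe, severity="MEDIUM"):
    """Build a minimal record in the NVD JSON 1.1 feed shape."""
    return {
        "cve": {"CVE_data_meta": {"ID": cve_id}},
        "publishedDate": published,
        "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
            {"vulnerable": True, "cpe23Uri": cpe}]}]},
        "impact": {"baseMetricV3": {"cvssV3": {"baseSeverity": severity}}},
    }


def iter_vulnerable_cpes(nodes):
    """Yield every cpe23Uri marked vulnerable, descending into AND/OR children."""
    for node in nodes:
        for match in node.get("cpe_match", []):
            if match.get("vulnerable", False):
                yield match["cpe23Uri"]
        yield from iter_vulnerable_cpes(node.get("children", []))


def cpe_vendor_product(cpe23):
    """(vendor, product) from 'cpe:2.3:part:vendor:product:version:...'."""
    # Escaped colons ('\:') inside a field are not handled; the product
    # names assumed here contain none.
    fields = cpe23.split(":")
    return fields[3], fields[4]


def affects(item, vendor, products):
    """True if any vulnerable CPE of the record names vendor and one of products."""
    nodes = item.get("configurations", {}).get("nodes", [])
    return any(cpe_vendor_product(cpe) == (vendor, product)
               for cpe in iter_vulnerable_cpes(nodes) for product in products)


def nvd_share(items, vendor, products):
    """Per publication year: (matching entries, all entries, percentage to 2 dp)."""
    total, hits = Counter(), Counter()
    for item in items:
        year = int(item["publishedDate"][:4])
        total[year] += 1
        if affects(item, vendor, products):
            hits[year] += 1
    return {y: (hits[y], total[y], round(100.0 * hits[y] / total[y], 2))
            for y in sorted(total)}


def severities(items, vendor, products):
    """CVSS v3 severity distribution of the matching entries."""
    return Counter(item["impact"]["baseMetricV3"]["cvssV3"]["baseSeverity"]
                   for item in items if affects(item, vendor, products))


# Assumed CPE names for the two products; OTHER stands in for the rest of NVD.
SFB = "cpe:2.3:a:microsoft:skype_for_business:2016:*:*:*:*:*:*:*"
SFB_SERVER = "cpe:2.3:a:microsoft:skype_for_business_server:2019:*:*:*:*:*:*:*"
JITSI = "cpe:2.3:a:jitsi:meet:*:*:*:*:*:*:*:*"
OTHER = "cpe:2.3:a:example:unrelated_app:1.0:*:*:*:*:*:*:*"

SFB_PRODUCTS = ("skype_for_business", "skype_for_business_server")

# Constructed feed: 200 entries in 2019 (4 naming Skype for Business) and
# 100 in 2020 (1 naming Jitsi Meet). Placeholder IDs, not real CVEs.
FEED = (
    [make_item(f"CVE-2019-SAMPLE{i}", "2019-06-01T00:00Z", OTHER) for i in range(196)]
    + [make_item("CVE-2019-SAMPLE-SFB1", "2019-02-12T00:00Z", SFB),
       make_item("CVE-2019-SAMPLE-SFB2", "2019-04-09T00:00Z", SFB_SERVER),
       make_item("CVE-2019-SAMPLE-SFB3", "2019-07-09T00:00Z", SFB_SERVER),
       make_item("CVE-2019-SAMPLE-SFB4", "2019-11-12T00:00Z", SFB)]
    + [make_item(f"CVE-2020-SAMPLE{i}", "2020-03-01T00:00Z", OTHER) for i in range(99)]
    + [make_item("CVE-2020-SAMPLE-JITSI", "2020-04-20T00:00Z", JITSI)]
)


if __name__ == "__main__":
    for name, vendor, products in (("Skype for Business", "microsoft", SFB_PRODUCTS),
                                   ("Jitsi Meet", "jitsi", ("meet",))):
        for year, (n, total, pct) in nvd_share(FEED, vendor, products).items():
            print(f"{name} {year}: {n} of {total} NVD entries ({pct}%)")
```

Against a real yearly feed (nvdcve-1.1-2019.json and the like) the only change is loading `data["CVE_Items"]` from the file; the per-year denominators then become the 17,308 and 8,022 quoted in the tables, and `severities` reproduces the 'all Medium' observation made for Skype for Business.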

 


Posts in this series:
1: Video killed the conferencing star
2: In-depth product analysis – Zoom & Microsoft Teams
3: Let's examine Cisco Webex – A visionary player
4: Google Meet and BlueJeans – Re-engineered platforms for secure meetings
5: Tixeo and BigBlueButton
6: A closer look at Skype for Business and Jitsi Meet


Sources

[1] https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/security/tls-and-mtls
[2] https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/modern-authentication/topologies-supported
[3] https://docs.microsoft.com/en-us/microsoftteams/security-compliance-overview
[4] https://en.wikipedia.org/wiki/WebRTC
[5] https://en.wikipedia.org/wiki/HTML5
[6] https://github.com/jitsi/jitsi-meet/wiki/LDAP-Authentication
[7] https://github.com/jitsi/jicofo/blob/master/doc/shibboleth.md
[8] https://www.apache.org/licenses/LICENSE-2.0


Authors

Head of Security Research

Charl van der Walt

Technical thought leader, spokesman and figurehead for Orange Cyberdefense world-wide, leading and managing the OCD Security Research Center – a specialist security research unit. We identify, track, analyze, communicate and act upon significant developments in the security landscape.

Senior Consultant Cybersecurity

Quentin Aguesse

A graduate of a French business school, Quentin is now a senior consultant at Orange Cyberdefense, operating from Casablanca (Morocco). With nearly 10 years of experience, Quentin specialises in risk assessment, disaster recovery planning and cybersecurity awareness.

Consultant Cybersecurity

Jérôme Mauvais

A specialist in regulatory compliance, Jérôme Mauvais is a security consultant for Orange Cyberdefense. Highly invested in the protection of personal data, Jérôme has also been recognised throughout his career for his ability to pass on knowledge.

Lead Security Researcher (MSIS Labs)

Carl Morris

Carl has over 20 years' experience in IT, covering the whole breadth of the IT infrastructure with a primary focus on security solutions. This was followed by a decade working in MSSPs, most recently at SecureData for over 7 years: initially as an Escalation Engineer, then in Professional Services, then in the Managed Threat Detection team as a Senior Security Analyst, before moving into the Labs team as a Lead Security Researcher.

