A closer look at Skype for business and Jitsi Meet
This is the final post in a series of blogs examining the security of various Video Conferencing products for business. In this post we examine Skype for Business and Jitsi Meet. Posts still to come over the next few days will dive into Google Meet, Bluejeans, Skype for Business, Tixeo, Jitsi Meet & BigBlueButton.
Skype for Business (previously Microsoft Lync and Office Communicator) is a proprietary instant messaging platform developed by Microsoft as part of the Microsoft Office suite. It includes audio, video, chat and file transfer functionality. Skype for Business is integrated in the Microsoft Office suite, notably with Exchange and SharePoint.
This solution initially required the installation of an on-premise Skype server, as well as the set-up of a client on the workstation, but is now integrated into the Office 2019 or 365 suite and is available in the cloud in SaaS mode via Teams. The solution is available on the most popular platforms (Android, iOS, Windows, MacOS) but not GNU / Linux.
Skype interfaces with Exchange to manage the calendar, meetings, presence indicators and document sharing.
Skype for Business is a paid product, but the license is included in most Microsoft license packages.
The on-premise version requires the deployment of servers and several software components, including the .NET Framework, Windows Server, Microsoft SQL Server, etc., which are all required on each server. Along with complex network and firewall configuration, deploying Skype on site could be challenging for SMEs.
In September 2017 Microsoft announced that this solution will be abandoned in favor of Microsoft Teams, a new collaborative platform based in the cloud. It is therefore perhaps not a long-term solution.
| Criterion | Rating | Notes |
|---|---|---|
| Uses an appropriate encryption algorithm | Fully | Skype for Business uses TLS and MTLS to encrypt instant messages. All server-to-server traffic requires MTLS. Media traffic is encrypted using Secure RTP (SRTP), a profile of the Real-Time Transport Protocol (RTP) using the Advanced Encryption Standard (AES). |
| Uses a strong encryption key | Fully | Skype for Business Web Conferencing server encrypts customer data using AES with a 256-bit key. |
| Data is encrypted in transit under normal use | Fully | See https://docs.microsoft.com/en-us/skypeforbusiness/optimizing-your-network/security-guide-for-skype-for-business-online |
| Data stays encrypted on provider servers | Unclear | See https://docs.microsoft.com/en-us/skypeforbusiness/optimizing-your-network/security-guide-for-skype-for-business-online |
| Voice, Video and Text are all encrypted | Fully | Skype for Business uses TLS and MTLS to encrypt instant messages, and media traffic is encrypted using Secure RTP (SRTP) with the Advanced Encryption Standard (AES). |
| File transfers & session recordings are encrypted | Fully | See https://docs.microsoft.com/en-us/microsoft-365/compliance/encryption?view=o365-worldwide |
| Vendor technically can’t decrypt the data at any point, even under regulatory pressure (full E2EE) | Partially | Microsoft owns the encryption keys by default. However, customers can provide their own key to encrypt data at rest if they wish. A full on-premise version is available via Skype for Business Server. |
| Encryption implementation has withstood scrutiny over time | Fully | |
| Administrators can define password security policies | Fully | Managed by Azure AD. |
| Supports MFA as default | Fully | Modern Authentication is the Microsoft implementation of OAuth 2.0 for client-to-server communication. It enables security features such as Certificate Based Authentication, Multi-Factor Authentication and Conditional Access. |
| Can integrate with Active Directory or similar | Fully | |
| Can integrate with SSO solutions via SAML or similar | Fully | |
| Offers RBAC | Fully | See https://blog.insideo365.com/2016/04/managing-skype-for-business-online-administrator-rights/ |
| Allows passwords to be set for meetings | No | |
| Allows meeting password security policies to be set | No | |
| Headquarters address | USA | One Microsoft Way, Redmond, Washington, U.S.A. |
| The vendor cannot technically access any data without the client’s consent | Partially | Microsoft owns the encryption keys by default. However, customers can provide their own key to encrypt data at rest if they wish. |
| A full on-prem version is available for users who don’t want to trust the vendor | Fully | https://info.calltower.com/blog/skype4b-online-vs-server-edition |
| For SaaS modes of deployment, the client can select which countries or political regions data is stored or processed in | Unclear | Microsoft does offer a feature called Multi-Geo, however it is only available for Exchange Online, OneDrive, SharePoint Online and Microsoft 365 Groups. |
| Complies with appropriate security certifications (e.g. ISO27002 or BSI C5) | Fully | See https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-home |
| Complies with appropriate privacy standards (e.g. FERPA or GDPR) | Fully | See https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-home |
| Provides a transparency report that details information related to requests for data, records, or content | Fully | See https://www.microsoft.com/en-us/corporate-responsibility/law-enforcement-requests-report |
| Offers other forms of access control to meetings, e.g. waiting rooms, lockout, banning etc. | Partially | There is a lobby feature. |
| Allows granular control over in-meeting actions like screen sharing, file transfer, remote control | Fully | See https://docs.microsoft.com/en-us/skypeforbusiness/set-up-policies-in-your-organization/set-up-conferencing-policies-for-your-organization |
| Offers clear central control over all security settings | Fully | See https://techcommunity.microsoft.com/t5/microsoft-teams-blog/announcing-the-new-microsoft-teams-amp-skype-for-business-admin/ba-p/179534 |
| Allows for monitoring and maintenance of endpoint software versions | Partially | Managed by other Microsoft services if on a Windows device. |
| Provides compliance features like eDiscovery & Legal Hold | Fully | See https://docs.microsoft.com/en-us/microsoft-365/compliance/ediscovery?view=o365-worldwide and https://docs.microsoft.com/en-us/exchange/policy-and-compliance/holds/holds?view=exchserver-2019 |
| Auditing and Reporting | Fully | See https://docs.microsoft.com/en-us/skypeforbusiness/skype-for-business-online-reporting/skype-for-business-online-reporting |
| Additional content security controls like DLP, watermarking, etc. | Unclear | Microsoft 365 does offer a data loss prevention service but it is not clear to us whether this would apply to Skype for Business. |
| Percentage of NVD 2019 | 0.02 | |
| Percentage of NVD 2020 | 0.00 | |
| Vendor discloses which vulnerabilities have been addressed | Partially | |
| Vendor runs a bug bounty | Fully | https://www.microsoft.com/en-us/msrc/bounty-microsoft-cloud?rtc=1 |
By applying a standard set of security mechanisms (OAuth, TLS and the Secure Real-Time Transport Protocol (SRTP)), data on Skype for Business Server is protected over the network.
Network communications are encrypted between clients and the server. Encryption keys are owned by Microsoft by default, so Microsoft is technically able to decrypt client data even though it is encrypted in transit and at rest.
Skype voice messages are encrypted on Microsoft servers, but may not be when they are downloaded to a user’s endpoint. Calls placed to or from the PSTN (the ordinary phone network) are, of course, not encrypted.
In order to avoid compromised-key attacks, the keys used for Skype media encryption are exchanged over TLS connections. Skype for Business servers, such as the one used for chat, use HTTPS to protect web traffic. Because the server terminates these sessions, communications are encrypted hop by hop rather than end-to-end.
In 2018 Microsoft announced that it would start using the Signal Protocol by Open Whisper Systems to provide full end-to-end encryption for private conversations via a new ‘Private Conversation’ feature in the consumer Skype application. The feature is available to all users on Skype for iOS, Android, Linux, Mac and Windows Desktop, but it does not appear to be available in Skype for Business.
Authentication is via an internal AD account. Azure Active Directory (AAD) provides a single trusted back-end repository for user accounts. Skype for Business Server includes server-to-server authentication using the OAuth protocol.
Applying Modern Authentication – the Microsoft implementation of OAUTH 2.0 – for client to server communication enables security features such as O365 Certificate Based Authentication, O365 Multi-Factor Authentication and O365 Conditional Access. Phone calls, text, One Time Pin or Mobile App Notification are all supported as second factors.
Jurisdiction & Regulation
Like Teams, Skype inherits much of Microsoft’s cloud security maturity, including compliance with most relevant security standards. This means it meets the ISO 27001 and 28018 standards, is both SSAE 16 SOC 1 and SOC 2 compliant and HIPAA compliant, and meets the EU Model Clauses. We could not find any reference to Skype and BSI C5 compliance.
However, Skype is a solution delivered by Microsoft, which falls under the jurisdiction of the United States government. Encryption keys are owned by Microsoft, which is therefore technically able to decrypt client data, although this would be much less of a concern with an on-prem deployment. This may be of concern to clients operating outside the U.S.A.
If the organization is using the cloud version of Skype for Business then the data will be stored in the organization’s geographic zone, like the rest of the O365 services.
Security Features and Management
Skype for Business Server provides role-based access control (RBAC) to enable you to delegate administrative tasks while maintaining high standards for security.
An administrative portal is available to control security features like the ‘lobby’ and define policies for features like recording and file sharing.
Skype for Business, like other Microsoft services, follows the Microsoft Security Development Lifecycle, which includes maintaining an evolving threat model and performing security testing on a regular basis.
Vulnerability & Exploit History
The NIST National Vulnerability Database records 4 vulnerabilities for Skype for Business and Skype for Business Server since the beginning of 2019:
All four of these vulnerabilities were rated ‘Medium’ severity and, although vulnerabilities across the full range of Microsoft technologies are constantly being discovered and attacked, it would be fair to argue that Microsoft has robust processes and has developed a strong reputation in this regard.
Jitsi is a free, open-source instant messaging, audio and video conferencing application. The solution can be connected to other systems like Google Hangouts, allowing interaction with people on other messaging systems. It allows users to make calls over the Internet but also to landline and mobile phones.
In our opinion the solution offers more than satisfactory audio and video quality, with no latency observed. Jitsi Meet leverages WebRTC and HTML5, which work directly in conventional web browsers, so there is no need to install software even for iOS and Android.
The Jitsi server is available as packages for Ubuntu and Debian Linux. It is also possible to run the server on Windows or MacOS devices as a virtual machine.
The solution is also highly interoperable with other messaging and communication systems.
On the downside, the solution requires a dedicated server or servers because the load rises very quickly with the number of users. Installation is within the user’s own infrastructure, which means a complex configuration and continuous upkeep of the servers. Automatic installation exists under certain distributions, but not all, and we would caution that manual set up is not for everyone and might quickly become complex.
| Criterion | Rating | Notes |
|---|---|---|
| Uses an appropriate encryption algorithm | Fully | All communication between the clients and the server is over HTTPS; the media is encrypted by WebRTC. WebRTC mandates the use of DTLS-SRTP. SRTP uses the Advanced Encryption Standard (AES) as the default cipher. See https://www.callstats.io/blog/2018/05/16/explaining-webrtc-secure-real-time-transport-protocol-srtp. Galois/Counter Mode (GCM) is not enabled by default yet as of April 2020. |
| Uses a strong encryption key | Fully | WebRTC sends real-time audio and video over SRTP (Secure RTP). The TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite and the P-256 curve are the mandatory-to-implement scheme. |
| Data is encrypted in transit under normal use | Fully | |
| Data stays encrypted on provider servers | No | Jitsi Meet uses a P2P mode when there are just 2 participants in a call, providing end-to-end encryption. When there are more than 2 participants the media gets routed through a Jitsi Videobridge, and encryption is then done hop by hop: media is decrypted by the bridge and encrypted again when it is sent out. |
| Voice, Video and Text are all encrypted | Fully | |
| File transfers & session recordings are encrypted | Partially | File transfers will be encrypted by virtue of the WebRTC connection. As far as we can tell, stored recordings are not encrypted by the application. |
| Vendor technically can’t decrypt the data at any point, even under regulatory pressure (full E2EE) | N/A | Jitsi Meet, for the purposes of this assessment, is an open-source self-hosted solution. |
| Encryption implementation has withstood scrutiny over time | Fully | |
| Administrators can define password security policies | No | Accounts, and therefore passwords, are not required, but can be implemented via an LDAP integration. |
| Supports MFA as default | No | |
| Can integrate with Active Directory or similar | Fully | See https://github.com/jitsi/jitsi-meet/wiki/LDAP-Authentication |
| Can integrate with SSO solutions via SAML or similar | Fully | See https://github.com/jitsi/jicofo/blob/master/doc/shibboleth.md |
| Offers RBAC | No | By default, all participants can kick or mute others. If Secure Domain is configured, then only the host has moderator privileges. |
| Allows passwords to be set for meetings | Fully | See https://jitsi.org/security/ |
| Allows meeting password security policies to be set | No | We could not find any reference to meeting password policies. |
| Headquarters address | N/A | Since Jitsi Meet is an open-source and free solution, the applicable laws depend on the laws of the country in which the organisation implementing the solution operates. |
| The vendor cannot technically access any data without the client’s consent | N/A | There is no vendor, as this is likely to be a self-hosted solution. |
| A full on-prem version is available for users who don’t want to trust the vendor | Fully | Jitsi Meet is primarily designed to be an on-prem solution. |
| For SaaS modes of deployment, the client can select which countries or political regions data is stored or processed in | N/A | |
| Complies with appropriate security certifications (e.g. ISO27002 or BSI C5) | No | |
| Complies with appropriate privacy standards (e.g. FERPA or GDPR) | Partially | The way the software works means that very little personal data is collected, making it easier to comply with GDPR. |
| Provides a transparency report that details information related to requests for data, records, or content | No | |
| Offers other forms of access control to meetings, e.g. waiting rooms, lockout, banning etc. | No | If Secure Domain is configured, then participants cannot join until the host creates the room. However, a full waiting room feature is due to be released imminently. |
| Allows granular control over in-meeting actions like screen sharing, file transfer, remote control | No | We could not find mention of this type of control. |
| Offers clear central control over all security settings | No | This is not available, as by default no user accounts are used. |
| Allows for monitoring and maintenance of endpoint software versions | No | Desktop clients are available but are not managed by the product. Mobile client apps will update automatically from their app store. |
| Provides compliance features like eDiscovery & Legal Hold | No | There is no reference to these features; furthermore, data is only stored for the duration of the meeting and is then destroyed. |
| Auditing and Reporting | Partially | Jitsi Meet does allow some reporting on statistics. |
| Additional content security controls like DLP, watermarking, etc. | Partially | There is the ability to change the existing jitsi.org logo watermark to one of your own, which will then display on all meetings. |
| Percentage of NVD 2019 | 0.00 | |
| Percentage of NVD 2020 | 0.01 | |
| Vendor discloses which vulnerabilities have been addressed | Fully | There are no vulnerabilities recorded for Jitsi Meet in the NIST National Vulnerability Database in the period since the start of 2019. However, a medium-severity security bug was recorded with NIST in 2017. As of April 29, 2020, another potentially serious vulnerability is under consideration by NIST. Jitsi has also been impacted by vulnerabilities in other third-party software it leverages. |
| Vendor runs a bug bounty | No | As Jitsi Meet is open source there is no vendor as such; any issues would be reported and resolved by the community involved with it. |
Jitsi offers two modes of operation:
- For two people in conversation, the automatic configuration is “Peer-to-Peer”. In this mode the link is directly established between the two people and the encryption is end-to-end.
- For more than two users, or if “Peer-to-Peer” is unavailable, the encryption mode changes. Communications between the client and the server are encrypted, but the encryption is not properly “end-to-end”.
The security of the server hosting the solution is the responsibility of the organization. Jitsi Meet is available from various providers as SaaS, in which case the communications security also depends on the security provided by the hosting solution.
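A toy model of the two modes above, added here as an illustration and not code from the Jitsi project. It replaces SRTP’s AES and the DTLS key exchange with a constructed hash-based keystream and HMAC tag (labelled as such in the code), and shows what a relay can read in peer-to-peer mode versus what the videobridge handles in hop-by-hop mode, plus the tamper detection an SRTP authentication tag gives the receiver.

```python
"""Toy model of Jitsi Meet's two media paths.

Real WebRTC media is protected with SRTP (AES) keyed by a DTLS handshake.
This stand-in uses a hash-based keystream and an HMAC tag, constructed
here for illustration only (NOT SRTP), to show who can read the media."""
import hashlib
import hmac
import os

NONCE_LEN = 12
TAG_LEN = 10  # SRTP's default 80-bit authentication tag

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream derived with SHA-256 (not a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def protect(key: bytes, nonce: bytes, media: bytes) -> bytes:
    """Encrypt then authenticate one media packet: nonce || ciphertext || tag."""
    ct = bytes(m ^ k for m, k in zip(media, _keystream(key, nonce, len(media))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag

def unprotect(key: bytes, packet: bytes) -> bytes:
    """Verify the tag and decrypt; raise ValueError on a wrong key or an altered packet."""
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("SRTP authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def tamper_detected(key: bytes, packet: bytes) -> bool:
    """True if the receiver rejects the packet (wrong key or modified bytes)."""
    try:
        unprotect(key, packet)
        return False
    except ValueError:
        return True

def p2p_call(media: bytes) -> dict:
    """Two participants: a single DTLS-SRTP session end to end.

    A TURN relay, if one is in the path, only forwards packets and holds no key.
    """
    k_ab = os.urandom(32)  # would come from the Alice<->Bob DTLS handshake
    packet = protect(k_ab, os.urandom(NONCE_LEN), media)
    relay_view = packet  # everything the relay ever sees
    return {"bob_receives": unprotect(k_ab, packet),
            "intermediary_reads_media": media in relay_view}

def bridge_call(media: bytes) -> dict:
    """Three or more participants: media is routed through the Jitsi Videobridge.

    Each participant has its own DTLS-SRTP session with the bridge, so the
    bridge holds both keys and handles plaintext on every packet (hop by hop).
    """
    k_alice_bridge, k_bridge_bob = os.urandom(32), os.urandom(32)
    packet = protect(k_alice_bridge, os.urandom(NONCE_LEN), media)
    plaintext_at_bridge = unprotect(k_alice_bridge, packet)  # first hop ends here
    forwarded = protect(k_bridge_bob, os.urandom(NONCE_LEN), plaintext_at_bridge)
    return {"bob_receives": unprotect(k_bridge_bob, forwarded),
            "intermediary_reads_media": plaintext_at_bridge == media}
```

The point for a self-hosted deployment is the second function: in bridge mode the server is a trusted party that sees every frame, which is why the security of the host matters as much as the transport encryption.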
Our understanding is that Jitsi plans to support full E2EE via WebRTC in a future release, but the timelines and details are not clear yet.
Jitsi has a different approach to security and privacy than the others discussed here. By default, it does not require users to create an account, and any information users do choose to enter (name, e-mail, etc.) is optional and shared exclusively with other meeting participants. There is no notion of ‘authentication’ in the default operating mode.
However, it is possible to adapt Jitsi’s configuration to interconnect it with an LDAP system, or even to enforce strong authentication via third-party Multi-Factor Authentication systems like PrivacyIDEA. It is also possible to add SAML authentication by installing some additional packages.
Integrating these authentication methods sometimes requires significant adaptation of the default installation.
Jurisdiction & Regulation
The Jitsi application is included in the “SILL”, the list of free software approved by the French state for government use, which the French state has maintained since 2016.
Like BigBlueButton, Jitsi is free and open-source software. The applicable jurisdiction therefore depends on the country in which the solution and data are hosted, so a deployment whose security level is compliant with the laws of one country will not necessarily be compliant in another.
The way the software works means that very little personal data is collected, making it easier to comply with GDPR. However, to comply with regulations like HIPAA or GDPR, low-level configuration changes need to be made. The solution is published under the Apache v2 License, which makes these kinds of changes possible.
Security Features and Management
Jitsi rooms are ephemeral, which means they only exist while the meeting is taking place and are erased when the last participant leaves. Jitsi allows users to set a meeting password but does not provide functions to share the password automatically, for example through an invitation e-mail. Chat logs or stats are kept for the duration of the meeting and then destroyed.
One advantage of open-source options like Jitsi and BigBlueButton is that it is theoretically possible to audit and validate the application’s source code, or even to make changes to it.
Vulnerability & Exploit History
There is one vulnerability recorded for Jitsi Meet in the NIST National Vulnerability Database in the period since the start of 2019.
However, a medium-severity security bug was recorded with NIST in 2017. As of April 29, 2020, another potentially serious vulnerability is under consideration by NIST. Jitsi has also been impacted by vulnerabilities in other third-party software it leverages.
1: Video killed the conferencing star
2: In-depth product analysis – Zoom & Microsoft Teams
3: Let’s examine Cisco Webex – A visionary player
4: Google Meet and BlueJeans – Re-engineered platforms for secure meetings
5: Tixeo and BigBlueButton
6: A closer look at Skype for business and Jitsi Meet
Head of Security Research
Charl van der Walt
Technical thought leader, spokesman and figurehead for Orange Cyberdefense world-wide, leading and managing the OCD Security Research Center – a specialist security research unit. We identify, track, analyze, communicate and act upon significant developments in the security landscape.
Senior Consultant Cybersecurity
A graduate of a French business school, Quentin is now a senior consultant at Orange Cyberdefense operating from Casablanca (Morocco). With nearly 10 years of experience, Quentin has specialised in risk assessment and disaster recovery planning, as well as cybersecurity awareness.
As a specialist in regulatory compliance, Jérôme Mauvais is a security consultant for Orange Cyberdefense. Highly invested in the protection of personal data, Jérôme has also been recognised throughout his career for his ability to transfer knowledge.
Lead Security Researcher (MSIS Labs)
Carl has over 20 years’ experience working within IT, covering the whole breadth of the IT infrastructure, with a primary focus and interest in security-related solutions. This has been followed by a decade working in MSSPs, the latest being SecureData for over 7 years: initially as an Escalation Engineer, then in Professional Services, then in the Managed Threat Detection team as a Senior Security Analyst, before moving into the Labs team as a Lead Security Researcher.