A closer look at Skype for business and Jitsi Meet

This is the final post in a series of blogs examining the security of various Video Conferencing products for business. In this post we examine Skype for Business and Jitsi Meet.  

Other posts include:

• Tixeo
• BigBlueButton
• Zoom
• Microsoft Teams
• Cisco Webex
• Cisco Webex Teams
• Google Meet
• Bluejeans

To read about our approach to this analysis, understand the target security model we applied, or see a side-by-side comparison of the products reviewed please visit our first post from this series.

If you’re interested in the detail for Cisco Webex or Cisco Webex Team, please read on.

Skype for Business (previously Microsoft Lync and Office Communicator) is a proprietary instant messaging platform developed by Microsoft as part of the Microsoft Office suite. It includes audio, video, chat and file transfer functionality. Skype for Business is integrated in the Microsoft Office suite, notably with Exchange and SharePoint.

Features

This solution initially required the installation of an on-premise Skype server, as well as the set-up of a client on the workstation, but is now integrated into the Office 2019 or 365 suite and is available in the cloud in SaaS mode via Teams. The solution is available on the most popular platforms (Android, iOS, Windows, MacOS) but not GNU / Linux.

Skype interfaces with Exchange to manage the calendar, meetings, presence indicators and document sharing.

Skype for business is charged but the license is included in most of the license packages with Microsoft.

The on-premise version requires the deployment of servers and several software components, including the .NET Framework, Microsoft Server, Microsoft SQL, etc. which are all required on each server. Along with complex network and firewall installations, deploying Skype onsite could be challenging for SME’s.

In September 2017 Microsoft announced that this solution will be abandoned in favor of Microsoft Teams, a new collaborative platform based in the cloud. It is therefore perhaps not a long-term solution.

Results table

Encryption

By applying a standard set of security mechanisms (OAUTH, TLS and Secure Real-Time Transport Protocol (SRTP), data on Skype Business Server is protected over the network[1].

Network communications are encrypted between clients and the server. Encryption keys are owned by Microsoft by default, which is therefore technically able to decrypt client data, even when fully encrypted.

Skype voice messages are encrypted on Microsoft servers, but may not be when they are downloaded to a user’s endpoint. Calls placed to or from the PSTN (the ordinary phone network) are, of course, not encrypted.

In order to avoid compromised-key attacks, the keys used for Skype media encryption are exchanged over TLS connections. Skype for Business servers like the one used for chat use HTTPS to enhance the security of web traffic. Communications are therefore not encrypted end-to-end.

In 2018 Microsoft announced that it would start using the Signal Protocol by Open Whisper Systems to provide full end to end encryption for private conversation via a new via the ‘Private Conversation’ feature for the Skype personal application. The feature is available for all users on Skype iOS, Android, Linux, Mac, and Windows Desktop, but it does not appear that it is available in Skype for Business also.

Authentication

Authentication is via an internal AD account. Azure Active Directory (AAD) provides a single trusted back-end repository for user accounts. Skype for Business Server includes server-to-server authentication using the OAuth protocol.

Applying Modern Authentication – the Microsoft implementation of OAUTH 2.0 – for client to server communication enables security features such as O365 Certificate Based Authentication, O365 Multi-Factor Authentication and O365 Conditional Access[2]. Phone calls, text, One Time Pin or Mobile App Notification are all supported as second factors.

Jurisdiction & Regulation

Like Teams, Skype inherits many of Microsoft’s cloud security maturity, including compliance with most relevant security standards. This means it meets ISO 27001 and 28018 Standards, is both SAAE16 SOC 1 and 2 Compliant, HIPPA Compliant, and meets EU Model Clauses compliance regulations[3]. We could not find any reference to Skype and BSI C5 compliance.

However, Skype is a solution delivered by Microsoft, which falls under the jurisdiction of the United States government. Encryption keys are owned by Microsoft, which is therefore technically able to decrypt client data. Although this would be much less of a concern with an on-prem deployment. This may be of concern to clients operating outside the U.S.A.

If the organization is using the cloud version of Skype for Business then the data will be stored in the organization’s geographic zone, like the rest of the O365 services.

Security Features and Management

Skype for Business Server provides role-based access control (RBAC) to enable you to delegate administrative tasks while maintaining high standards for security.

An administrative portal is available to control security features like the ‘lobby’ and define policies for features like recording and file sharing.

Skype for Business, as well as other Microsoft services, complies with Microsoft Security Development lifecycle that includes the design of an evolutive threat model and the test performances on a regular basis.

Vulnerability & Exploit History

The NIST National Vulnerability Database records 4 vulnerabilities for Skype for Business and Skype for Business Server since the beginning of 2019:

All four these vulnerabilities were rated ‘Medium’ severity and, although vulnerabilities in the full range of Microsoft technologies are constantly being discovered and attacked, it would be fair to argue that Microsoft has robust processes and has developed a strong reputation in this regard.

Jitsi is a free, open-source, instant messaging, audio and video conference application. The solution can be connected to other systems like Google Hangouts, thus allowing interactions with people on other messaging systems. It allows users to make calls on the Internet but also to landline phones and mobile phones.

Features

In our opinion the solution offers more than satisfactory audio and video quality, with no latency observed. Jitsi Meet leverages WebRTC[4] and HTML5[5], which work directly in conventional web browsers, so there is no need to install software even for iOS and Android.

Jitsi server is available as packages for Ubuntu and Debian Linux. It is also possible to install the server on Windows or MacOS devices as a virtual machine.

The solution is also highly interoperable with other messaging and communication systems.

On the downside, the solution requires a dedicated server or servers because the load rises very quickly with the number of users. Installation is within the user’s own infrastructure, which means a complex configuration and continuous upkeep of the servers. Automatic installation exists under certain distributions, but not all, and we would caution that manual set up is not for everyone and might quickly become complex.

Results table

Encryption

Jitsi offers two modes of operation:

• For two people in conversation, the automatic configuration is “Peer-to-Peer”. In this mode the link is directly established between the two people and the encryption is end-to-end.
• For more than two users, or if “Peer-to-Peer” is unavailable, the encryption mode changes. Communications between the client and the server are encrypted, but the encryption is not properly “end-to-end”.

The security of the server hosting the solution is the responsibility of the organization. Jitsi Meet is available from various providers as SaaS, in which case the communications security also depends on the security provided by the hosting solution.

Our understanding is that Jitsi plans to support full E3EE via WebRTC in a future release, but the timelines and details are not clear yet.

Authentication

Jitsi has a different approach to security and privacy than the others discussed here. By default, it does not require users to create an account, and any information users do choose to enter (name, e-mail, etc) is optional and shared exclusively with other meeting participants.  There is no notion of ‘authentication’ in the default operating mode.

However, it is possible to adapt Jitsi’s configuration to interconnect it to a LDAP system or even enforce strong authentication via third party Multi Factor Authentication systems like PrivacyIDEA[6]. It is also possible to add a SAML authentication by installing some additional packages.

The integration of these authentication methods requires sometimes significant adaptation of the default installation[7].

Jurisdiction & Regulation

The Jitsi application is part of a list called “SILL” of free software approved by the French state for government use, which has been maintained by the French state since 2016.

Like BigBlueButton, Jitsi is free and Open Source software. The applicable jurisdiction therefore depends on the country in which the solution and data are hosted. Thus, if the security level of the solution is compliant with laws in some countries, this will not be the same in every country.

The way the software works means that very little personal data is collected, making it easier to comply with GDPR. But to comply with regulations like HIPAA or GDPR, low-level configuration changes need to be made. The solution is published under the Apache v2 License[8], which makes these kinds of changes possible.

Security Features and Management

Jitsi rooms are ephemeral, which means they only exist while the meeting is taking place and are erased when the last participant leaves. Jitsi allows users to set a meeting password but does not provide functions to share the password automatically, for example through an invitation e-mail. Chat logs or stats are kept for the duration of the meeting and then destroyed.

One advantage with Open Source options like Jitsi and BigBlueButton is that they are open source software, meaning it is theoretically possible to audit the source code of the application and to validate it, or even potentially to make changes to it.

Vulnerability & Exploit History

There is one vulnerability  recorded for Jitsi Meet in the NIST National Vulnerability Database in the period since the start of 2019.

However, a medium-severity security bug was recorded with NIST in 2017. As of April 29, 2020, another potentially serious vulnerability is under consideration by NIST. Jitsi has also been impacted by vulnerabilities in other third-party software it leverages.

1: Video killed the conferencing star
2: In-depth product analysis – Zoom & Microsoft Teams
3: Let’s examine Cisco Webex – A visionary player
4: Google Meet and BlueJeans – Re-engineered platforms for secure meetings
5: Tixeo and BigBlueButton
6: A closer look at Skype for business and Jitsi Meet

• [1] docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/security/tls-and-mtls
• [2] docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/modern-authentication/topologies-supported
• [3] docs.microsoft.com/en-us/microsoftteams/security-compliance-overview
• [4] en.wikipedia.org/wiki/WebRTC
• [5] en.wikipedia.org/wiki/HTML5
• [6] github.com/jitsi/jitsi-meet/wiki/LDAP-Authentication
• [7] https://github.com/jitsi/jicofo/blob/master/doc/shibboleth.md
• [8] www.gnu.org/licenses/lgpl-3.0.en.html