Tixeo and BigBlueButton

This is the fifth post in a six-part series of blogs examining the security of various video conferencing products for business. In this post we examine Tixeo and BigBlueButton. Posts still to come over the next few days will dive into Skype for Business and Jitsi Meet, or you can look back in the series to read about Zoom, Microsoft Teams, Cisco Webex, Cisco Webex Teams, Google Meet and BlueJeans.

To read about our approach to this analysis, understand the target security model we applied or see a side-by-side comparison of the products reviewed please visit our first post from this series.

If you’re interested in the detail on Tixeo or BigBlueButton, please read on.

Tixeo

Based in Montpellier, France, Tixeo offers a set of secure teleconferencing solutions. The company has several reference customers and has made the security of communications a priority. Tixeo allows you to organize video conferences, share your screen and give remote control.

Tixeo’s solution is commercial only and offers three operating modes:

  • Shared cloud, via two offerings (standard and premium, allowing the interconnection of other traditional videoconferencing systems),
  • Private cloud, operated by Tixeo,
  • Server version – on-premise.

The company also offers a supply of equipment (cameras, screens, etc.) for videoconferencing.

Features

The solution is available on the most common user platforms (Android, iOS, Windows, macOS and GNU/Linux). Users require a specific account and password which need to be provisioned beforehand.

Tixeo requires the installation of a ‘thick’ client by the user, and the Tixeo server version requires the installation of a server-side application, along with the required server and network configuration.

The solution does not allow for access to the conference via the telephone network.

Tixeo may not necessarily be suitable for small organizations or ad hoc needs due to its business model.

Results table

Criterion | Rating | Notes

Encryption
Uses an appropriate encryption algorithm | Fully | AES 256
Uses a strong encryption key | Fully | AES 256
Data is encrypted in transit under normal use | Fully | https://www.tixeo.com/wp-content/uploads/2017/10/schema_archi_chiffrement-tixeo_EN.pdf
Data stays encrypted on provider servers | Fully | Tixeo advertises, even in multipoint meetings, a ‘real’ end-to-end encryption (from client to client) of audio, video & data streams while passing through a server. This claim is validated under their ANSSI CSPN certification for the on-premise deployment of the product. See https://www.tixeo.com/wp-content/uploads/2017/10/schema_archi_chiffrement-tixeo_EN.pdf and https://www.ssi.gouv.fr/uploads/2017/03/anssi-cspn-2017_08fr.pdf
Voice, Video and Text are all encrypted | Fully | See https://www.tixeo.com/wp-content/uploads/2017/10/schema_archi_chiffrement-tixeo_EN.pdf
File transfers & session recordings are encrypted | Partially | File transfers are encrypted end to end. We could not find any details about the storage of meeting recordings, especially when used for streaming on the cloud.
Vendor technically can’t decrypt the data at any point, even under regulatory pressure (full E2EE) | Partially | Tixeo advertises ‘true’ end-to-end encryption for multipoint video conferencing but without providing detail on how that is achieved or how keys are managed. A cloud-streaming feature suggests a mechanism whereby recordings are streamed in the clear. See https://www.tixeo.com/tixeo-launches-new-recording-broadcasting-service/ However, a full on-premise version is available and claims French ANSSI ‘CSPN’ certification. See https://www.ssi.gouv.fr/administration/produits-certifies/cspn/
Encryption implementation has withstood scrutiny over time | Fully | Also claims French ANSSI ‘CSPN’ certification. See https://www.ssi.gouv.fr/administration/produits-certifies/cspn/

Authentication
Administrators can define password security policies | Unclear | Users have to have an account to use the service and only invited participants are able to join a meeting. We could not find any reference to password settings, however.
Supports MFA as default | Unclear | Could find no reference to MFA.
Can integrate with Active Directory or similar | Fully | It is possible to interconnect the solution to an LDAP directory or the company’s Active Directory in a read-only mode. This integration avoids the need to create a specific account to connect to Tixeo but, according to the information available, it is not an SSO solution. It allows users to log in with their corporate account. Access to meetings is only granted to invited members (within the company or external) and participants must enter their email address and password in order to access the meeting.
Can integrate with SSO solutions via SAML or similar | Unclear | Could not find any reference to SSO support.
Offers RBAC | Unclear | No reference to RBAC could be found.
Allows passwords to be set for meetings | No | Users have to have an account to use the service and only invited participants are able to join a meeting.
Allows meeting password security policies to be set | No |

Jurisdiction
Headquarters address | France | Montpellier, FRANCE
The vendor cannot technically access any data without the client’s consent | Partially | Tixeo advertises ‘true’ end-to-end encryption. It’s not clear how recordings of meetings are stored.
A full on-prem version is available for users who don’t want to trust the vendor | Fully | A full on-premise version is available and Tixeo claims French ANSSI ‘CSPN’ certification. See https://www.ssi.gouv.fr/administration/produits-certifies/cspn/
For SaaS modes of deployment, the client can select which countries or political regions data is stored or processed in | Unclear | It is not mentioned that this feature is available as part of the service. However, Tixeo’s Smart Meeting Grid technology allows the customer to set up its communication server network in the regions of its choice.
Complies with appropriate security certifications (e.g. ISO27002 or BSI C5) | Fully | Tixeo’s technology is certified (CSPN) and qualified (Elementary qualification) by the National Cybersecurity Agency of France (ANSSI).
Complies with appropriate privacy standards (e.g. FERPA or GDPR). | Fully | Tixeo’s privacy policy states that they fully comply with GDPR regulations. See https://www.tixeo.com/visioconference-securisee/privacy/
Provides a transparency report that details information related to requests for data, records, or content. | No | No mention of a transparency report could be found. Their privacy policy does state that “in certain cases, we may transmit your personal data to third parties. These cases may be: a requisition required by law, a court order or a decision made by a competent public authority and for the purpose of maintaining order.”

Security Management
Offers other forms of access control to meetings, e.g. waiting rooms, lockout, banning etc. | Unclear | No specific mention of those features, although they do state they have “User rights management”. See https://www.tixeo.com/secure-video-conferencing/tour/security/
Allows granular control over in-meeting actions like screen sharing, file transfer, remote control. | Fully | When entering a meeting, invited participants only have minimal rights, including audio/video communication and viewing shared documents. The host has full rights in the meeting and can share documents (screen, application, files, etc.), grant presentation rights to another participant, or mute an attendee’s audio and video during conferences. See https://www.tixeo.com/new-tixeo-feature-the-delegation-of-the-right-to-organise-a-videoconference/
Offers clear central control over all security settings | Unclear | We could not find relevant information on the product’s security management features.
Allows for monitoring and maintenance of endpoint software versions | Unclear | Mobile apps will automatically update from the relevant app store. Nothing could be found regarding the deployment or management of other clients.
Provides compliance features like eDiscovery & Legal Hold | No | Nothing to suggest that these features were available could be found.
Auditing and Reporting | Unclear | No documentation could be found outlining the auditing and reporting capabilities.
Additional content security controls like DLP, watermarking, etc. | No | There is no mention of these features being available in the product.

Vulnerability Management
Percentage of NVD 2019 | 0.0 |
Percentage of NVD 2020 | 0.0 |
Vendor discloses which vulnerabilities have been addressed | No | There are no vulnerabilities recorded for Tixeo in the NIST National Vulnerability Database. There are also no mentions of vulnerabilities on their own website other than a vague reference to the “Heartbleed” vulnerability in 2014.
Vendor runs a bug bounty | No | There is no indication that a bug bounty program exists for Tixeo.

Encryption

Tixeo claims all communications are end-to-end encrypted using AES 256, as are communications between the client and the server over HTTPS. Tixeo uses a proprietary Scalable Video Coding on Demand technology, which it says allows it to provide a ‘real’ E2EE service [1]. It’s not clear how recordings of meetings are stored.

A full on-premise version is available and Tixeo claims French ANSSI ‘CSPN’ certification, which validates the claim that data isn’t decrypted on the server (but not that it can’t be).

Authentication

Users require a specific account and password which need to be provisioned beforehand.

User passwords in the database are stored as salted hashes.

When a user is invited for the first time, they receive an account validation email. By clicking on the link, they validate their identity, confirm their first and last name, and choose a personal password.

It is possible to interconnect the solution to the LDAP directory or the company’s Active Directory, in a read-only mode. This integration avoids the need to create a specific account to connect to Tixeo but, according to the information available from the vendor, it is not an SSO solution. It allows users to log in with their corporate account. Access to meetings is only granted to invited members (within the company or external) and participants must enter their email address and password in order to access the meeting.

Jurisdiction and Regulation

Tixeo’s business and technology are certified by the National Cybersecurity Agency of France (ANSSI): TixeoServer is thus “CSPN” certified (First Level Security Certification) [2], which provides assurance of the security of the solution. Testing appears to have been conducted on an on-premise installation, and thus does not offer identical ‘guarantees’ for the cloud services [3].

This could represent a valuable level of assurance for French and European users but may not be as valuable for clients elsewhere.

Security Features and Management

Our approach for this blog series is based on running the application ourselves or referencing publicly available information. In the case of Tixeo we were unfortunately not able to deploy the application ourselves and could not find relevant information on the product’s security management features from which to derive a view of this aspect of the product’s security.

Vulnerability and Exploit History

There are no vulnerabilities recorded for this technology in the NIST National Vulnerability Database. A 2014 comment on the company’s blog regarding the “Heartbleed” vulnerability was confident of their security, but in our opinion lacked the technical detail required to garner trust [4].

It’s therefore difficult to comment objectively on the technical security of the technology, but the ANSSI CSPN report concluded that there were no exploitable vulnerabilities in the product at the time of testing [5]. The confidence of the French regulators may serve to reassure most customers.

BigBlueButton

BigBlueButton is a videoconferencing solution originally developed for remote learning. It allows users to make calls, share screens, images and presentations, and provides collaborative tools such as a whiteboard, chat systems and the sharing of PDF or Microsoft documents. The platform is free of charge and published under the GNU Lesser General Public License.

Features

Installation of the BigBlueButton server is only possible on the Ubuntu Linux distribution, although it can be run as a virtual machine under Windows. We found that the installation was not entirely easy, as it required a dedicated server and the opening of numerous communication ports, as well as the assignment of a domain name and the generation of an SSL certificate.

We found it to be a very complete solution, meeting diverse needs and use-cases. It allows for a high level of technical control and as an open source platform is fully customizable.

Users should note, however, that the solution requires a dedicated server and that there are significant installation, maintenance and security management overheads.

Results table

Criterion | Rating | Notes

Encryption
Uses an appropriate encryption algorithm | Fully | HTTPS, Datagram Transport Layer Security (DTLS) and Secure Real-time Transport Protocol (SRTP); cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256. The connection between the client and BigBlueButton server is over an HTTPS connection and therefore encrypted, provided this option is selected and the SSL certificate is correctly configured. Audio and video in the browser use WebRTC and are secured by DTLS and SRTP.
Uses a strong encryption key | Fully | WebRTC sends real-time audio and video over SRTP (Secure RTP). The TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite and the P-256 curve are the mandatory-to-implement scheme. See https://bloggeek.me/is-webrtc-safe/
Data is encrypted in transit under normal use | Fully |
Data stays encrypted on provider servers | No | BigBlueButton does not offer E2EE; only individual connections to the server are encrypted. See https://groups.google.com/forum/#!searchin/bigbluebutton-setup/encryption|sort:date/bigbluebutton-setup/UJLuSmS4y9U/z4a3Rwh6BQAJ
Voice, Video and Text are all encrypted | Fully |
File transfers & session recordings are encrypted | Partially | File transfers will be encrypted by virtue of the WebRTC connection. Stored recordings are not encrypted by the application.
Vendor technically can’t decrypt the data at any point, even under regulatory pressure (full E2EE) | N/A | BigBlueButton is an open source self-hosted solution.
Encryption implementation has withstood scrutiny over time | Fully |

Authentication
Administrators can define password security policies | No | Could not see any configuration items for defining password policies.
Supports MFA as default | No | No native MFA available; needs a third-party IdP to provide it.
Can integrate with Active Directory or similar | Fully | See https://docs.bigbluebutton.org/greenlight/gl-config.html#user-authentication
Can integrate with SSO solutions via SAML or similar | Fully | Can be configured to integrate with Google OAuth2, Office 365 OAuth2 or LDAP.
Offers RBAC | Fully | See https://docs.bigbluebutton.org/greenlight/gl-admin.html#user-roles
Allows passwords to be set for meetings | Fully | A meeting access code can be generated. See https://docs.bigbluebutton.org/greenlight/gl-overview.html#room-settings
Allows meeting password security policies to be set | No |

Jurisdiction
Headquarters address | N/A | Since BigBlueButton is an open source and free solution, the applicable laws depend on the laws of the country that decided to implement the solution.
The vendor cannot technically access any data without the client’s consent | N/A | There is no vendor as this is likely to be a self-hosted solution.
A full on-prem version is available for users who don’t want to trust the vendor | Fully | BigBlueButton is primarily designed to be an on-prem solution.
For SaaS modes of deployment, the client can select which countries or political regions data is stored or processed in | N/A |
Complies with appropriate security certifications (e.g. ISO27002 or BSI C5) | No |
Complies with appropriate privacy standards (e.g. FERPA or GDPR). | Partially | BigBlueButton natively provides some tools to help businesses comply with GDPR regulation, like the right to be forgotten. For example, the software allows administrators to retrieve or delete the personal information for a specific user to comply with right-of-access and right-of-erasure requirements.
Provides a transparency report that details information related to requests for data, records, or content. | N/A |

Security Management
Offers other forms of access control to meetings, e.g. waiting rooms, lockout, banning etc. | Fully | See https://docs.bigbluebutton.org/greenlight/gl-overview.html#room-settings
Allows granular control over in-meeting actions like screen sharing, file transfer, remote control. | Fully | See http://docs.bigbluebutton.org/client-configuration.html
Offers clear central control over all security settings | Fully | See https://docs.bigbluebutton.org/greenlight/gl-admin.html
Allows for monitoring and maintenance of endpoint software versions | No | BigBlueButton runs as an HTML5 client in a browser.
Provides compliance features like eDiscovery & Legal Hold | No | Couldn’t find any reference to these features.
Auditing and Reporting | No | There doesn’t seem to be anything natively for these features.
Additional content security controls like DLP, watermarking, etc. | No | Couldn’t find reference to these features natively; may be possible with a third-party add-on.

Vulnerability Management
Percentage of NVD 2019 | 0.00 |
Percentage of NVD 2020 | 0.04 |
Vendor discloses which vulnerabilities have been addressed | Fully | There are two vulnerabilities recorded for BigBlueButton in the NIST National Vulnerability Database in the period since the start of 2019, one of which would be considered serious. There have also been vulnerabilities recorded in prior years.
Vendor runs a bug bounty | No | As BigBlueButton is open source there is no vendor as such; any issues would be reported and resolved by the community involved with it.

Encryption

The connection between the client and BigBlueButton server is over an HTTPS connection and therefore encrypted, provided this option is selected and the SSL certificate is correctly configured. Audio and video in the browser use WebRTC and are secured by Datagram Transport Layer Security (DTLS [6]) and Secure Real-time Transport Protocol (SRTP [7]).

WebRTC sends real-time audio and video over SRTP (Secure RTP). The TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite and the P-256 curve are the mandatory-to-implement scheme [8].

In other words, communications are not end-to-end encrypted, but only between each client and the server.
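Because the HTTPS front end is only "encrypted, provided this option is selected and the SSL certificate is correctly configured", a self-hosting team needs a repeatable check of what their server actually negotiates. The following is an added example, not BigBlueButton's own tooling: it connects with Python's standard `ssl` module, lets the default context do chain validation and hostname matching, and then applies a simple policy to the negotiated protocol, cipher and certificate lifetime. The thresholds (TLS 1.2 or newer, AEAD suites with at least 128 secret bits, 14 days' warning before expiry) and the placeholder hostname `bbb.example.org` are assumptions for this example; the policy logic takes the session facts as arguments so it can be exercised offline with constructed values.

```python
import socket
import ssl
import time
from typing import List, Optional, Tuple

# Policy thresholds: assumed values for this example, adjust to your own standard
ALLOWED_TLS_VERSIONS = {"TLSv1.2", "TLSv1.3"}
MIN_CIPHER_BITS = 128
MIN_DAYS_BEFORE_EXPIRY = 14


def evaluate_tls(version: str,
                 cipher: Tuple[str, str, int],
                 not_after: str,
                 now: Optional[float] = None) -> List[str]:
    """Apply the policy to what a TLS session negotiated. Returns a list of
    findings; an empty list means the configuration passes.

    version:   as returned by ssl.SSLSocket.version(), e.g. 'TLSv1.3'
    cipher:    (name, protocol, secret_bits) as returned by ssl.SSLSocket.cipher()
    not_after: the certificate's 'notAfter' string from ssl.SSLSocket.getpeercert()
    now:       epoch seconds, injectable so the logic can be tested offline
    """
    findings: List[str] = []
    if now is None:
        now = time.time()

    if version not in ALLOWED_TLS_VERSIONS:
        findings.append(f"negotiated {version}; TLS 1.2 or newer is required")

    name, _protocol, bits = cipher
    if bits < MIN_CIPHER_BITS:
        findings.append(f"cipher {name} negotiates only {bits} secret bits")
    # Require an AEAD suite (GCM or ChaCha20-Poly1305), the same class as the
    # AES-128-GCM suite WebRTC mandates; CBC/HMAC suites are flagged
    if "GCM" not in name and "CHACHA20" not in name:
        findings.append(f"cipher {name} is not an AEAD suite")

    days_left = (ssl.cert_time_to_seconds(not_after) - now) / 86400
    if days_left < 0:
        findings.append(f"certificate expired {-days_left:.0f} days ago")
    elif days_left < MIN_DAYS_BEFORE_EXPIRY:
        findings.append(f"certificate expires in {days_left:.0f} days")
    return findings


def check_server(host: str, port: int = 443, timeout: float = 5.0) -> List[str]:
    """Connect to a live server and evaluate what it actually negotiates.
    The default context performs chain validation and hostname matching, so a
    self-signed or mismatched certificate raises ssl.SSLCertVerificationError
    before any policy check runs."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return evaluate_tls(tls.version(), tls.cipher(), cert["notAfter"])


if __name__ == "__main__":
    import sys
    # bbb.example.org is a placeholder; pass your own server's hostname
    target = sys.argv[1] if len(sys.argv) > 1 else "bbb.example.org"
    for finding in check_server(target) or ["TLS configuration passes policy"]:
        print(finding)
```

Run it from a cron job or a monitoring host against the BigBlueButton hostname; a non-empty list of findings is the signal to renew the certificate or tighten the web server's cipher configuration. The check covers only the HTTPS signalling path; the DTLS-SRTP media path negotiates its own suite inside the browser's WebRTC stack and is not visible to this script.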

Authentication

By default, users choose their own password, but administrators can also generate a random password for any user and resend a link to change it.

The solution, if required, can generate an access code that users must enter before they can join a room. This access code can be randomly generated by the solution. Moreover, when creating a meeting room, it can be configured to prompt a moderator for approval when a user tries to join; if the user is approved, they will be able to join the meeting.

It’s also possible to choose different ways to authenticate users with BigBlueButton, from username & password authentication to external authentication (with Google OAuth2, Office 365 OAuth2 or LDAP). Choosing an OAuth authentication system allows Multi-Factor Authentication (MFA), which is not available by default. The developers recommend using OAuth2 solutions for high-privilege users [9].

Jurisdiction & Regulation

In the open source world, what matters is compliance with the license. The solution is published under the GNU Lesser General Public License. Since BigBlueButton is an open source and free solution, the applicable laws depend on the laws of the country in which the solution is implemented.

Given that open source solutions are generally self-hosted, the jurisdiction that will apply will mostly depend on where the instance is hosted: we recommend, for example, that you host your BigBlueButton instance in Europe if your users are European. This allows you, at least partially, to comply with European regulations like GDPR. By contrast, if your users were Russian, hosting a BigBlueButton instance outside of Russia could be risky, as Russian federal law imposes very strict controls on its citizens’ personal data.

BigBlueButton natively provides some tools to help businesses comply with GDPR regulation, like the right to be forgotten. The software allows administrators to retrieve or delete the personal information for a specific user to comply with right-of-access and right-of-erasure requirements. To fulfil other compliance requirements (e.g. HDS and HIPAA) additional, complementary open source packages may need to be installed and configured.

Security Features and Management

With BigBlueButton, the meeting creator can allow users to join the meeting as moderators and allow any person to create a session in the meeting room. Users can choose whether to activate their microphone when they enter a meeting session. BigBlueButton always asks for permission to use the microphone, camera or screen sharing, via the browser.

One advantage of open source options like Jitsi and BigBlueButton is that it is theoretically possible to audit the source code of the application and validate it, or even to make changes to it.

Vulnerability & Exploit History

There are two vulnerabilities recorded for BigBlueButton in the NIST National Vulnerability Database in the period since the start of 2019, one of which would be considered serious. There have also been vulnerabilities recorded in prior years.

Year | Reported | NVD Total | Percentage
2020 | 3 | 7,913 | 0.04%

1: Video killed the conferencing star
2: In-depth product analysis – Zoom & Microsoft Teams
3: Let’s examine Cisco Webex – A visionary player
4: Google Meet and BlueJeans – Re-engineered platforms for secure meetings
5: Tixeo and BigBlueButton
6: A closer look at Skype for business and Jitsi Meet


Sources

[1] https://www.tixeo.com/wp-content/uploads/2017/10/schema_archi_chiffrement-tixeo_EN.pdf
[2] https://www.tixeo.com/tixeo-is-the-first-video-conferencing-solution-certified-and-qualified-by-anssi/
[3] https://www.ssi.gouv.fr/administration/certification_cspn/tixeoserver-version-11-5-2-0/ (in French)
[4] https://www.tixeo.com/afraid-of-the-heartbleed-threat-your-information-is-safe/
[5] https://www.ssi.gouv.fr/uploads/2017/03/anssi-cspn-2017_08fr.pdf
[6] https://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security
[7] https://en.wikipedia.org/wiki/Secure_Real-time_Transport_Protocol
[8] https://bloggeek.me/is-webrtc-safe/
[9] https://github.com/bigbluebutton/greenlight/issues/1197


Authors

Head of Security Research

Charl van der Walt

Technical thought leader, spokesman and figurehead for Orange Cyberdefense world-wide, leading and managing the OCD Security Research Center – a specialist security research unit. We identify, track, analyze, communicate and act upon significant developments in the security landscape.

Senior Consultant Cybersecurity

Quentin Aguesse

Graduated from a French business school, Quentin is now a senior consultant at Orange Cyberdefense operating from Casablanca (Morocco). With nearly 10 years of experience, Quentin has specialised in risk assessment and disaster recovery planning, as well as cybersecurity awareness.

Consultant Cybersecurity

Jérôme Mauvais

As a specialist in regulatory compliance, Jérôme Mauvais is a security consultant for Orange Cyberdefense. Highly invested in the protection of personal data, Jérôme has also been recognised throughout his career for his ability to pass on knowledge.

Lead Security Researcher (MSIS Labs)

Carl Morris

Carl has over 20 years’ experience working within IT, covering the whole breadth of the IT infrastructure, with a primary focus and interest in security-related solutions. This has been followed by a decade working in MSSPs, the latest of which was at SecureData for over 7 years: initially as an Escalation Engineer, then moving into Professional Services, then to the Managed Threat Detection team as a Senior Security Analyst, before moving into the Labs team as a Lead Security Researcher.
