The recent shift of most office environments to a completely online platform has resulted in a substantial increase in the use of the conferencing platform Zoom. However, this increased use has also brought increased scrutiny, which has revealed some of Zoom's shortcomings. A major security issue has recently come to light, resulting in bans by school districts and SpaceX and a warning from the FBI.
Meeting access is not as tightly controlled as it should be, so uninvited people have been able to join meetings simply by guessing or obtaining the meeting URL and then disrupting them (a practice now known as Zoombombing). Some disruptions are mostly playful interruptions from bored teenagers, but others are far more insidious, with intruders posting hate speech and graphic content in the chat.
Zoom has released fixes and guides for configuring extra security, but that may not be enough to overcome its underlying security issues.
"Things you just would like to have in a chat and video application — strong encryption, strong privacy controls, strong security — just seem to be completely missing," said Patrick Wardle, a security researcher who previously worked at the National Security Agency. [source]
In addition to meeting access, there is also the concern of what happens to your data. With a hosted solution, the provider has access to your data, and what it may do with that data is governed only by its privacy policy and the law. That includes sharing it with other companies: Zoom's iOS app was found to be sending device and usage data to Facebook through the Facebook SDK, even for users without a Facebook account, which resulted in a class-action lawsuit.
Considering these major security issues, what can be done to build a more secure streaming platform? This post outlines how Red5 Pro can enable you to build your own secure conferencing platform.
Host Your Own Solution
By hosting the solution on your own servers you keep control of your data: you own it and you decide what is done with it (and, equally, you take on the responsibility of securing it). Furthermore, as Red5 Pro is hosting agnostic, you can run it on a variety of platforms: Google Cloud, AWS, Azure, DigitalOcean, your own servers or other hosting providers.
If another company hosts your application, you will never have full control over it and will always be subject to that company's policies.
Of course, that's not to say that every company that hosts your solution will sell your data to the highest bidder. Put another way, most companies are trustworthy… until they are shown not to be.
This leads us to our second point…
Encryption
Encryption is usually the first thing people think about when it comes to security. Encryption is the process of encoding information so that it is unreadable until it is decoded with a key. In this way, information can be sent securely over the open internet from a client to a server. With transport encryption, once the data reaches the server it is decrypted so that it can be routed on to other pipelines and eventually read and understood.
Zoom's marketing states that it uses end-to-end encryption. However, an investigation by The Intercept_ revealed that Zoom only uses transport encryption (TLS between the client and Zoom's servers), which differs from true end-to-end encryption: transport encryption protects the data from anyone watching the network between you and the provider, but it does not hide your data from the provider itself, because the provider holds the keys.
Since Zoom decrypts your streams on its servers, the audio and video exist in readable form on infrastructure Zoom operates, at least in memory while they are being routed. That gives Zoom (and anyone who compromises or compels Zoom) access to your decrypted, fully readable data.
As stated earlier, this is where hosting the solution on your own servers ensures total control of your data. Red5 Pro can be set up to behave like Zoom's architecture, acting as an SFU (selective forwarding unit) media server that receives each participant's stream once and forwards it to many viewers. Red5 Pro decrypts the incoming stream, hands it off to other nodes in the cluster and then re-encrypts the media before delivering it to each endpoint.
The major difference is who operates that server. Red5 Pro is software that runs on servers you control, so the decrypted media never leaves your own infrastructure and no third-party vendor can see it. Furthermore, Red5 Pro uses WebRTC to deliver live streams, and WebRTC was built around encrypted media from the start: keys are negotiated with DTLS and the media itself is carried as SRTP; a browser will not send unencrypted RTP at all. A more detailed explanation of DTLS/SRTP can be found in this post.
You can also get true end-to-end encryption with Red5 Pro by not configuring the server instance to act as an SFU, so that no server ever terminates the DTLS session between the two endpoints. The trade-off is that this is a peer-to-peer model, and it does not scale to meetings with many participants the way an SFU does.
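The DTLS/SRTP guarantee described above is visible in the SDP that WebRTC endpoints exchange during signaling, so it can be checked. The following is an added example, not code from the original post or from Red5 Pro: it audits an SDP and reports any media section that does not negotiate DTLS-SRTP, that lacks the fingerprint and setup attributes needed to authenticate the DTLS peer, or that carries an SDES `a=crypto` line (a legacy pattern that sends the SRTP key through the signaling server, exactly the exposure a self-hosted deployment is meant to avoid). The two SDP bodies are constructed for the example, not captured from a real session.

```javascript
// Added example (not code from the original post or from Red5 Pro): audit a WebRTC
// SDP to confirm every media section negotiates DTLS-SRTP, and flag the legacy
// patterns that leave media or keys exposed. The two SDP bodies below are
// constructed for this example, not captured from a real session.

// RTP profiles that require DTLS-keyed SRTP; anything else is plain or SDES-keyed RTP.
const DTLS_SRTP_PROFILES = new Set(['UDP/TLS/RTP/SAVPF', 'UDP/TLS/RTP/SAVP', 'TCP/DTLS/RTP/SAVPF']);

// Split an SDP into session-level lines and one block of attribute lines per m= section.
function parseSdp(sdp) {
  const session = [];
  const media = [];
  let current = null;
  for (const line of sdp.split(/\r?\n/)) {
    if (line === '') continue;
    if (line.startsWith('m=')) {
      const [kind, , proto] = line.slice(2).split(' '); // m=<kind> <port> <proto> <fmt...>
      current = { kind, proto, attrs: [] };
      media.push(current);
    } else if (current) {
      current.attrs.push(line);
    } else {
      session.push(line);
    }
  }
  return { session, media };
}

// Returns { ok, findings }; ok means every m= section uses DTLS-SRTP with an
// authenticated handshake and no SDES key material in the signaling.
function auditSdp(sdp) {
  const { session, media } = parseSdp(sdp);
  const findings = [];
  const has = (lines, prefix) => lines.some(l => l.startsWith(prefix));
  for (const m of media) {
    // a=fingerprint and a=setup may sit at session level and then apply to all sections.
    const hasFingerprint = has(session, 'a=fingerprint:') || has(m.attrs, 'a=fingerprint:');
    const hasSetup = has(session, 'a=setup:') || has(m.attrs, 'a=setup:');
    if (!DTLS_SRTP_PROFILES.has(m.proto)) {
      findings.push(`${m.kind}: profile ${m.proto} is not DTLS-SRTP`);
    }
    if (!hasFingerprint || !hasSetup) {
      findings.push(`${m.kind}: no a=fingerprint/a=setup, the DTLS peer cannot be authenticated`);
    }
    if (has(m.attrs, 'a=crypto:')) {
      findings.push(`${m.kind}: SDES a=crypto line carries the SRTP key through the signaling server`);
    }
  }
  return { ok: findings.length === 0, findings };
}

// Constructed: what a browser offer to a DTLS-SRTP endpoint looks like (abbreviated).
const BROWSER_OFFER = [
  'v=0',
  'o=- 4611731400430051336 2 IN IP4 127.0.0.1',
  's=-',
  't=0 0',
  'a=group:BUNDLE 0 1',
  'm=audio 9 UDP/TLS/RTP/SAVPF 111',
  'c=IN IP4 0.0.0.0',
  'a=ice-ufrag:4ZcD',
  'a=ice-pwd:2/1muCWoOi3uLifh0NuRHlzz',
  'a=fingerprint:sha-256 19:E2:1C:3B:4B:9F:81:E6:B8:5C:F4:A5:A8:D8:73:04:BB:05:2F:70:9F:04:A9:0E:05:E9:26:33:E8:70:88:A2',
  'a=setup:actpass',
  'a=mid:0',
  'a=sendrecv',
  'a=rtpmap:111 opus/48000/2',
  'm=video 9 UDP/TLS/RTP/SAVPF 96',
  'c=IN IP4 0.0.0.0',
  'a=ice-ufrag:4ZcD',
  'a=ice-pwd:2/1muCWoOi3uLifh0NuRHlzz',
  'a=fingerprint:sha-256 19:E2:1C:3B:4B:9F:81:E6:B8:5C:F4:A5:A8:D8:73:04:BB:05:2F:70:9F:04:A9:0E:05:E9:26:33:E8:70:88:A2',
  'a=setup:actpass',
  'a=mid:1',
  'a=sendrecv',
  'a=rtpmap:96 VP8/90000',
].join('\r\n');

// Constructed: a legacy SIP-style offer with unencrypted audio and SDES-keyed video.
const LEGACY_OFFER = [
  'v=0',
  'o=- 1 1 IN IP4 192.0.2.10',
  's=-',
  't=0 0',
  'm=audio 49170 RTP/AVP 0',
  'c=IN IP4 192.0.2.10',
  'a=rtpmap:0 PCMU/8000',
  'm=video 51372 RTP/SAVP 96',
  'c=IN IP4 192.0.2.10',
  'a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz',
  'a=rtpmap:96 H264/90000',
].join('\r\n');

console.log(auditSdp(BROWSER_OFFER)); // ok: true
console.log(auditSdp(LEGACY_OFFER));  // ok: false, five findings
```

Note what a passing result does and does not mean: `ok === true` says only that this hop is DTLS-SRTP. It cannot tell you whether the DTLS peer is the other participant or an SFU that will decrypt the media on the server, which is the transport-versus-end-to-end distinction above; that is a property of the deployment, not of the SDP.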
Round Trip Authentication
The last major security issue is that Zoom meetings are reachable by open URLs: anyone with the link can join. To prevent this, you can build your own application using Red5 Pro's round trip authentication system, in which the server checks the credentials a client presents against your own validation service before granting access to publish or subscribe to a stream. How access is granted to users is fully customizable with this approach.
Build A Secure App With Red5 Pro
As this post (and many others) has shown, there are some major Zoom security issues. Those seeking more security in their conferencing application can build their own, starting with the Red5 Pro conferencing example, and then add extra security through self-hosting, encryption and round trip authentication. The most control you can get over security is to build a fully customized application where you control everything, including who can access your streams and data.