27 April 2020
This is the fifth post in a six-part series of blogs examining the security of various Video Conferencing products for business. In this post we examine Tixeo and BigBlueButton.
Other posts include:
To read about our approach to this analysis, understand the target security model we applied or see a side-by-side comparison of the products reviewed please visit our first post from this series.
If you’re interested in the detail on Tixeo or BigBlueButton, please read on.
Based in Montpellier, France, Tixeo offers a set of secure teleconferencing solutions. The company has a number of reference customers and has made the security of communications a priority. Tixeo allows you to organize video conferences, share your screen and give remote control.
Tixeo’s solution is commercial only and offers three operating modes:
The company also offers a supply of equipment (cameras, screens, etc.) for videoconferencing.
The solution is available on the most common user platforms (Android, iOS, Windows, macOS and GNU/Linux). Users require a specific account and password, which need to be provisioned beforehand.
Tixeo requires the installation of a ‘thick’ client by the user, and the Tixeo server version requires the installation of a server-side application, along with the required server and network configuration.
The solution does not allow for access to the conference via the telephone network.
Tixeo may not necessarily be suitable for small organizations or ad hoc needs due to its business model.
Criterion | Rating | Comments |
--- | --- | --- |
Encryption | | |
Uses an appropriate encryption algorithm | Fully | AES 256 |
Uses a strong encryption key | Fully | AES 256 |
Data is encrypted in transit under normal use | Fully | https://www.tixeo.com/wp-content/uploads/2017/10/schema_archi_chiffrement-tixeo_EN.pdf |
Data stays encrypted on provider servers | Fully | Tixeo advertises, even in multipoint meetings, a ‘real’ end-to-end encryption (from client to client) of audio, video & data streams while passing through a server. This claim is validated under their ANSSI CSPN certification for the on-premise deployment of the product. See https://www.tixeo.com/wp-content/uploads/2017/10/schema_archi_chiffrement-tixeo_EN.pdf and https://www.ssi.gouv.fr/uploads/2017/03/anssi-cspn-2017_08fr.pdf |
Voice, Video and Text are all encrypted | Fully | See https://www.tixeo.com/wp-content/uploads/2017/10/schema_archi_chiffrement-tixeo_EN.pdf |
File transfers & session recordings are encrypted | Partially | File transfers are encrypted end to end. We could not find any details about the storage of meeting recordings, especially when used for streaming on the cloud. |
Vendor technically can’t decrypt the data at any point, even under regulatory pressure (full E2EE) | Partially | Tixeo advertises ‘true’ end-to-end encryption for multipoint video conferencing but without providing detail on how that is achieved or how keys are managed. A cloud-streaming feature suggests a mechanism whereby recordings are streamed in the clear. However, a full on-premise version is available and claims French ANSSI ‘CSPN’ certification. See https://www.ssi.gouv.fr/administration/produits-certifies/cspn/ |
Encryption implementation has withstood scrutiny over time | Fully | Also claims French ANSSI ‘CSPN’ certification. See https://www.ssi.gouv.fr/administration/produits-certifies/cspn/ |
Authentication | | |
Administrators can define password security policies | Unclear | Users have to have an account to use the service and only invited participants are able to join a meeting. We could not find any reference to password settings, however. |
Supports MFA as default | Unclear | Could find no reference to MFA. |
Can integrate with Active Directory or similar | Fully | It is possible to interconnect the solution to an LDAP directory or the company’s Active Directory in a read-only mode. This integration avoids the need to create a specific account to connect to Tixeo but, according to the information available, it is not an SSO solution. It allows users to log in with their corporate account. Access to meetings is only granted to invited members (within the company or external) and participants must enter their email address and password in order to access the meeting. |
Can integrate with SSO solutions via SAML or similar | Unclear | Could not find any reference to SSO support. |
Offers RBAC | Unclear | No reference to RBAC could be found. |
Allows passwords to be set for meetings | No | Users have to have an account to use the service and only invited participants are able to join a meeting. |
Allows meeting password security policies to be set | No | |
Jurisdiction | | |
Headquarters address | France | Montpellier, FRANCE |
The vendor cannot technically access any data without the client’s consent | Partially | Tixeo advertises ‘true’ end-to-end encryption. It’s not clear how recordings of meetings are stored. |
A full on-prem version is available for users who don’t want to trust the vendor | Fully | A full on-premise version is available and Tixeo claims French ANSSI ‘CSPN’ certification. See https://www.ssi.gouv.fr/administration/produits-certifies/cspn/ |
For SaaS modes of deployment, the client can select which countries or political regions data is stored or processed in | Unclear | It is not mentioned that this feature is available as part of the service. However, Tixeo’s Smart Meeting Grid technology allows the customer to set up its communication servers network in the regions of its choice. |
Complies with appropriate security certifications (e.g. ISO27002 or BSI C5) | Fully | Tixeo’s technology is certified (CSPN) and qualified (Elementary qualification) by the National Cybersecurity Agency of France (ANSSI). |
Complies with appropriate privacy standards (e.g. FERPA or GDPR) | Fully | Tixeo’s privacy policy states that they fully comply with GDPR regulations. See https://www.tixeo.com/visioconference-securisee/privacy/ |
Provides a transparency report that details information related to requests for data, records, or content | No | No mention of a transparency report could be found. Their privacy policy does state that “in certain cases, we may transmit your personal data to third parties. These cases may be: a requisition required by law, a court order or a decision made by a competent public authority and for the purpose of maintaining order.” |
Security Management | | |
Offers other forms of access control to meetings, e.g. waiting rooms, lockout, banning etc. | Unclear | No specific mention of those features, although they do state they have “User rights management”. |
Allows granular control over in-meeting actions like screen sharing, file transfer, remote control | Fully | When entering a meeting, invited participants only have minimal rights, including audio/video communication and viewing shared documents. The host has full rights in the meeting and can share documents (screen, application, files, etc.), grant presentation rights to another participant, or mute an attendee’s audio and video during conferences. See https://www.tixeo.com/new-tixeo-feature-the-delegation-of-the-right-to-organise-a-videoconference/ |
Offers clear central control over all security settings | Unclear | We could not find relevant information on the product’s security management features. |
Allows for monitoring and maintenance of endpoint software versions | Unclear | Mobile apps will automatically update from the relevant app store. Nothing could be found regarding the deployment or management of other clients. |
Provides compliance features like eDiscovery & Legal Hold | No | Nothing to suggest that these features were available could be found. |
Auditing and Reporting | Unclear | No documentation could be found outlining the auditing and reporting capabilities. |
Additional content security controls like DLP, watermarking, etc. | No | There is no mention of these features being available in the product. |
Vulnerability Management | | |
Percentage of NVD 2019 | 0.0 | |
Percentage of NVD 2020 | 0.0 | |
Vendor discloses which vulnerabilities have been addressed | No | There are no vulnerabilities recorded for Tixeo in the NIST National Vulnerability Database. There are also no mentions of vulnerabilities on their own website other than a vague reference to the “Heartbleed” vulnerability in 2014. |
Vendor runs a bug bounty | No | There is no indication that a bug bounty program exists for Tixeo. |
Tixeo claims all communications are end-to-end encrypted using AES 256, as are communications between the client and the server over HTTPS. Tixeo uses a proprietary Scalable Video Coding on Demand technology, allowing them to provide a ‘real’ E2EE service[1]. It’s not clear how recordings of meetings are stored.
A full on-premise version is available and Tixeo claims French ANSSI ‘CSPN’ certification, which validates the claim that data isn’t decrypted on the server (but not that it can’t be).
Users require a specific account and password which need to be provisioned beforehand.
User passwords in the database are stored as salted hashes.
When a user is invited for the first time, they receive an account validation email. By clicking on the link in it, they validate their identity, confirm their first and last name, and choose a personal password.
It is possible to interconnect the solution to the LDAP directory or the company’s Active Directory, in a read-only mode. This integration avoids the need to create a specific account to connect to Tixeo but, according to the information available from the vendor, it is not an SSO solution. It allows users to log in with their corporate account. Access to meetings is only granted to invited members (within the company or external) and participants must enter their email address and password in order to access the meeting.
Tixeo’s business and technology are certified by the National Cybersecurity Agency of France: TixeoServer is thus “CSPN” certified (First Level Security Certification)[2], which assures the security of the solution. Testing appears to have been conducted on an on-premise installation, and thus does not offer identical ‘guarantees’ for the cloud services[3].
This could represent a valuable level of assurance for French and European users but may not be as valuable for clients elsewhere.
Our approach for this blog series is based on running the application ourselves or referencing publicly available information. In the case of Tixeo we were unfortunately not able to deploy the application ourselves and could not find relevant information on the product’s security management features from which to derive a view of this aspect of the product’s security.
There are no vulnerabilities recorded for this technology in the NIST National Vulnerability Database. A 2014 comment on the company’s blog regarding the “Heartbleed” vulnerability was confident of their security, but in our opinion lacked the technical detail required to garner trust[4].
It’s therefore difficult to comment objectively on the technical security of the technology, but the ANSSI CSPN report concluded that there were no exploitable vulnerabilities in the product at the time of testing[5]. The confidence of the French regulators may serve to reassure most customers.
BigBlueButton is a videoconferencing solution originally developed for remote learning. It allows users to make calls, share screens, images and presentations, and provides collaborative tools such as a whiteboard, chat systems and the sharing of PDF or Microsoft documents. The platform is free of charge and published under the GNU Lesser General Public License.
Installation of the BigBlueButton server is only possible under the Ubuntu Linux distribution, although it can be run as a virtual machine under Windows. We found that the installation was not entirely easy as it required a dedicated server and the opening of numerous communication ports as well as the assignment of a domain name and the generation of an SSL certificate.
We found it to be a very complete solution, meeting diverse needs and use-cases. It allows for a high level of technical control and as an open source platform is fully customizable.
Users should note, however, that the solution requires a dedicated server and that there are significant installation, maintenance and security management overheads.
Criterion | Rating | Comments |
--- | --- | --- |
Encryption | | |
Uses an appropriate encryption algorithm | Fully | HTTPS, Datagram Transport Layer Security (DTLS) and Secure Real-time Transport Protocol (SRTP); TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256. The connection between the client and BigBlueButton server is over an HTTPS connection and therefore encrypted, provided this option is selected and the SSL certificate is correctly configured. Audio and video in the browser are WebRTC and secured by DTLS and SRTP. |
Uses a strong encryption key | Fully | WebRTC sends real-time audio and video over SRTP (Secure RTP). The TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite and the P-256 curve are the mandatory-to-implement scheme. |
Data is encrypted in transit under normal use | Fully | |
Data stays encrypted on provider servers | No | BigBlueButton does not offer E2EE; only individual connections to the server are encrypted. |
Voice, Video and Text are all encrypted | Fully | See https://www.tixeo.com/en/ |
File transfers & session recordings are encrypted | Partially | File transfers will be encrypted by virtue of the WebRTC connection. Stored recordings are not encrypted by the application. |
Vendor technically can’t decrypt the data at any point, even under regulatory pressure (full E2EE) | N/A | BigBlueButton is an open source self-hosted solution. |
Encryption implementation has withstood scrutiny over time | Fully | |
Authentication | | |
Administrators can define password security policies | No | Could not see any configuration items for defining password policies. |
Supports MFA as default | No | No native MFA available; needs a third-party IdP to provide it. |
Can integrate with Active Directory or similar | Fully | |
Can integrate with SSO solutions via SAML or similar | Fully | Can be configured to integrate with Google OAuth2, Office 365 OAuth2 or LDAP. |
Offers RBAC | Fully | |
Allows passwords to be set for meetings | Fully | A meeting access code can be generated. |
Allows meeting password security policies to be set | No | |
Jurisdiction | | |
Headquarters address | N/A | Since BigBlueButton is an open source and free solution, the applicable laws depend on the laws of the country that decided to implement the solution. |
The vendor cannot technically access any data without the client’s consent | N/A | There is no vendor as this is likely to be a self-hosted solution. |
A full on-prem version is available for users who don’t want to trust the vendor | Fully | BigBlueButton is primarily designed to be an on-prem solution. |
For SaaS modes of deployment, the client can select which countries or political regions data is stored or processed in | N/A | |
Complies with appropriate security certifications (e.g. ISO27002 or BSI C5) | No | |
Complies with appropriate privacy standards (e.g. FERPA or GDPR) | Partially | BigBlueButton natively provides some tools to help businesses comply with GDPR regulation, like the right to be forgotten. For example, the software allows administrators to retrieve or delete the personal information for a specific user to comply with right-of-access and right-of-erasure requirements. |
Provides a transparency report that details information related to requests for data, records, or content | N/A | |
Security Management | | |
Offers other forms of access control to meetings, e.g. waiting rooms, lockout, banning etc. | Fully | |
Allows granular control over in-meeting actions like screen sharing, file transfer, remote control | Fully | See BigBlueButton: Accessibility |
Offers clear central control over all security settings | Fully | |
Allows for monitoring and maintenance of endpoint software versions | No | BigBlueButton runs as an HTML5 client in a browser. |
Provides compliance features like eDiscovery & Legal Hold | No | Couldn’t find any reference to these features. |
Auditing and Reporting | No | There doesn’t seem to be anything natively for these features. |
Additional content security controls like DLP, watermarking, etc. | No | Couldn’t find reference to these features natively; may be possible with a third-party add-on. |
Vulnerability Management | | |
Percentage of NVD 2019 | 0.00 | |
Percentage of NVD 2020 | 0.04 | |
Vendor discloses which vulnerabilities have been addressed | Fully | There are two vulnerabilities recorded for BigBlueButton in the NIST National Vulnerability Database in the period since the start of 2019, one of which would be considered serious. There have also been vulnerabilities recorded in prior years. |
Vendor runs a bug bounty | No | As BigBlueButton is open source there is no vendor as such; any issues would be reported and resolved by the community involved with it. |
The connection between the client and BigBlueButton server is over an HTTPS connection and therefore encrypted, provided this option is selected and the SSL certificate is correctly configured. Audio and video in the browser are WebRTC and secured by Datagram Transport Layer Security (DTLS[6]) and Secure Real-time Transport Protocol (SRTP[7]).
WebRTC sends real-time audio and video over SRTP (Secure RTP). The TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite and the P-256 curve are the mandatory-to-implement scheme[8].
In other words, communications are not end-to-end encrypted, but only between the clients and the server.
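Whether a deployment actually negotiates a suite with the properties named above (ephemeral ECDH for forward secrecy, AES-GCM as an AEAD cipher, a SHA-2 hash) can be checked mechanically from the suite name. The block below is an example added to this post, not code from BigBlueButton or the WebRTC project: it parses IANA-style TLS 1.2 cipher-suite names and lists the transport properties a suite lacks. It goes beyond the single suite in the text by also classifying legacy RSA key exchange, 3DES and anonymous DH suites, which is what a defender reviewing a server's configured suite list wants flagged. The policy baseline it applies (forward secrecy, AEAD, keys of at least 128 bits, no MD5/SHA-1) is an assumption of the example, not a BigBlueButton setting.

```python
"""Cipher-suite policy check: an added example, not BigBlueButton or Tixeo code.

Parses IANA-style TLS 1.2 cipher-suite names (for example the
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 suite WebRTC mandates) and reports
which transport-security properties a suite lacks. The thresholds below
(forward secrecy, AEAD, >= 128-bit keys, SHA-2) are assumed baseline policy.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

FORWARD_SECRET_KX = {"ECDHE", "DHE"}              # ephemeral key exchange
AEAD_MODES = {"GCM", "CCM", "CHACHA20_POLY1305"}  # authenticated encryption
WEAK_CIPHERS = {"RC4", "3DES", "DES", "NULL"}
LEGACY_HASHES = {"MD5", "SHA"}                    # "SHA" in a suite name is SHA-1

# Key exchange (longer alternatives first so ECDHE wins over ECDH), optional
# authentication algorithm, then the cipher description and the hash.
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|ECDH|DHE|DH|RSA|PSK)"
    r"(?:_(?P<auth>ECDSA|RSA|PSK|anon))?"
    r"_WITH_(?P<cipher>.+?)_(?P<hash>SHA256|SHA384|SHA|MD5)$"
)


@dataclass
class Suite:
    name: str
    key_exchange: str
    authentication: str
    cipher: str
    key_bits: Optional[int]
    mode: Optional[str]
    hash: str


def parse_suite(name: str) -> Suite:
    """Split a suite name into its algorithm components."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx = m.group("kx")
    auth = m.group("auth") or kx      # TLS_RSA_WITH_...: RSA does both jobs
    tokens = m.group("cipher").split("_")
    if tokens[:2] == ["CHACHA20", "POLY1305"]:
        cipher, key_bits, mode = "CHACHA20_POLY1305", 256, "CHACHA20_POLY1305"
    else:
        cipher = tokens[0]
        key_bits = next((int(t) for t in tokens[1:] if t.isdigit()), None)
        if cipher == "3DES":
            key_bits = 112            # effective strength of triple DES
        mode = tokens[-1] if tokens[-1] in ("GCM", "CCM", "CBC") else None
    return Suite(name, kx, auth, cipher, key_bits, mode, m.group("hash"))


def check_suite(name: str, min_key_bits: int = 128) -> List[str]:
    """Return the policy findings for a suite; an empty list means it passes."""
    s = parse_suite(name)
    findings = []
    if s.key_exchange not in FORWARD_SECRET_KX:
        findings.append(f"no forward secrecy (key exchange {s.key_exchange})")
    if s.authentication == "anon":
        findings.append("unauthenticated key exchange")
    if s.cipher in WEAK_CIPHERS:
        findings.append(f"weak or null cipher ({s.cipher})")
    if s.mode not in AEAD_MODES:
        findings.append(f"not an AEAD mode ({s.mode})")
    if s.key_bits is None or s.key_bits < min_key_bits:
        findings.append(f"key shorter than {min_key_bits} bits ({s.key_bits})")
    if s.hash in LEGACY_HASHES:
        findings.append(f"legacy hash ({s.hash})")
    return findings


if __name__ == "__main__":
    # Constructed sample: the WebRTC-mandated suite beside two legacy ones.
    for suite in ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                  "TLS_RSA_WITH_AES_128_CBC_SHA",
                  "TLS_RSA_WITH_3DES_EDE_CBC_SHA"):
        print(suite, "->", check_suite(suite) or ["ok"])
```

Run against the suite list a web server or TURN/media gateway is configured with, the output tells you which entries should be removed; the mandated suite passes every check, while a TLS_RSA suite fails on forward secrecy even when its cipher is AES.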
By default, users choose their own password, but administrators can also generate a random password for any user and resend a link to change it.
The solution, if required, can generate an access code that users must enter before they can join a room. This access code can be randomly generated by the solution. Moreover, when creating a meeting room, the configuration allows to prompt a moderator of a meeting when a user tries to join. If the user is approved, they will be able to join the meeting.
It’s also possible to choose different ways to authenticate users with BigBlueButton, from username & password authentication to an external authentication (with Google OAuth2, Office 365 OAuth2 or LDAP). Choosing an OAuth authentication system allows Multi-Factor Authentication (MFA), which is not possible by default. Developers recommend using OAuth2 solutions for high-privilege users[9].
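The Tixeo note above that user passwords are stored as salted hashes, and the BigBlueButton behaviour of an administrator setting a random password and sending a link to change it, describe two mechanisms that are worth seeing concretely. The block below is an example added to this post, not code from either product, showing how a defender would expect them to be implemented: a per-user random salt with a memory-hard key derivation function, a constant-time comparison, a dummy hash so that unknown accounts cost the same to check as real ones, and a reset token that is stored only as a hash, expires, and can be used once. The scrypt work factors, the 15-minute token lifetime, the UserStore class and the sample account are assumptions constructed for the example; neither product documents its actual values.

```python
"""Password storage and admin-initiated reset: an added example, not Tixeo or
BigBlueButton code. Work factors and token lifetime are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed work factors (~16 MiB)
RESET_TOKEN_TTL = 900                        # assumed lifetime in seconds


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm, parameters, per-user salt, digest."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters, compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Hashed once at import so that a login attempt for an unknown account costs
# the same as one for a real account (no user-enumeration timing signal).
DUMMY_HASH = hash_password(secrets.token_urlsafe(16))


class UserStore:
    """In-memory stand-in for the account database (constructed for the example)."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}

    def create_user(self, email: str, password: str) -> None:
        self.users[email] = {"pw": hash_password(password), "reset": None}

    def login(self, email: str, password: str) -> bool:
        user = self.users.get(email)
        stored = user["pw"] if user else DUMMY_HASH
        ok = verify_password(password, stored)      # always do the work
        return ok and user is not None

    def admin_reset(self, email: str, now: Optional[float] = None) -> str:
        """Admin action: replace the password with a random one nobody is told,
        and return a single-use token for the 'change your password' link."""
        user = self.users[email]
        user["pw"] = hash_password(secrets.token_urlsafe(24))
        token = secrets.token_urlsafe(32)
        expires = (now if now is not None else time.time()) + RESET_TOKEN_TTL
        # Only a hash of the token is stored; a database leak does not leak links.
        user["reset"] = (hashlib.sha256(token.encode()).hexdigest(), expires)
        return token

    def redeem_reset(self, email: str, token: str, new_password: str,
                     now: Optional[float] = None) -> bool:
        """Consume the link: valid once, only before expiry, only for this user."""
        user = self.users.get(email)
        if not user or not user["reset"]:
            return False
        token_hash, expires = user["reset"]
        now = now if now is not None else time.time()
        presented = hashlib.sha256(token.encode()).hexdigest()
        if now > expires or not hmac.compare_digest(token_hash, presented):
            return False
        user["reset"] = None                        # single use
        user["pw"] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.create_user("alice@example.test", "correct horse battery staple")
    link_token = store.admin_reset("alice@example.test")
    print("old password still works:",
          store.login("alice@example.test", "correct horse battery staple"))
    print("reset accepted:",
          store.redeem_reset("alice@example.test", link_token, "new-passphrase"))
    print("new password works:", store.login("alice@example.test", "new-passphrase"))
```

The stored record carries its own parameters, so work factors can be raised later without invalidating existing accounts, and the reset token never appears in the database in a form that could be replayed from a dump.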
In the open source world, it’s the respect of the license that matters. The solution is published under the GNU Lesser General Public License. Since BigBlueButton is an Open Source and Free solution, the applicable laws depend on the laws of the country in which the solution is implemented.
Given that open source solutions are generally self-hosted, the jurisdiction that applies will mostly depend on where the hosting is located: we recommend, for example, that you host your BigBlueButton instance in Europe if your users are European. This allows you, at least partially, to comply with European regulations like GDPR. By contrast, if your users were Russian, hosting a BigBlueButton instance outside of Russia could be risky, as Russian Federal Law imposes very strict control of its citizens’ personal data.
BigBlueButton natively provides some tools to help businesses comply with GDPR regulation, like the right to be forgotten. The software allows administrators to retrieve or delete the personal information for a specific user to comply with right-of-access and right-of-erasure requirements. To fulfil other compliance requirements (e.g. HDS and HIPAA) additional, complementary open source packages may need to be installed and configured.
With BigBlueButton, the meeting creator can allow users to join the meeting as moderators and allow any person to create a session in the meeting room. Users can choose whether to activate their microphone when they enter a meeting session. BigBlueButton always asks for permission to use the microphone, camera or screen sharing, via the browser.
One advantage of open source options like Jitsi and BigBlueButton is that it is theoretically possible to audit the source code of the application and to validate it, or even potentially to make changes to it.
There are two vulnerabilities recorded for BigBlueButton in the NIST National Vulnerability Database in the period since the start of 2019, one of which would be considered serious. There have also been vulnerabilities recorded in prior years.
Year | Reported | NVD Total | Percentage |
--- | --- | --- | --- |
2020 | 3 | 7,913 | 0.04% |
1: Video killed the conferencing star
2: In-depth product analysis – Zoom & Microsoft Teams
3: Let’s examine Cisco Webex – A visionary player
4: Google Meet and BlueJeans – Re-engineered platforms for secure meetings
5: Tixeo and BigBlueButton
6: A closer look at Skype for business and Jitsi Meet
Head of Security Research
Charl van der Walt
Technical thought leader, spokesman and figurehead for Orange Cyberdefense world-wide, leading and managing the OCD Security Research Center – a specialist security research unit. We identify, track, analyze, communicate and act upon significant developments in the security landscape.
Senior Consultant Cybersecurity
Quentin Aguesse
A graduate of a French business school, Quentin is now a senior consultant at Orange Cyberdefense operating from Casablanca (Morocco). With nearly 10 years of experience, Quentin has specialised in risk assessment and disaster recovery planning, as well as cybersecurity awareness.
Consultant Cybersecurity
Jérôme Mauvais
As a specialist in regulatory compliance, Jérôme Mauvais is a security consultant for Orange Cyberdefense. Highly invested in the protection of personal data, Jérôme has also been noted throughout his career for his ability to pass on knowledge.
Lead Security Researcher (MSIS Labs)
Carl Morris
Carl has over 20 years’ experience working within IT, covering the whole breadth of the IT infrastructure, with a primary focus and interest in security-related solutions. This has been followed by a decade working in MSSPs, the latest of which was SecureData for over 7 years: initially as an Escalation Engineer, then in Professional Services, then in the Managed Threat Detection team as a Senior Security Analyst, before moving into the Labs team as a Lead Security Researcher.