Like many of you, I’ve spent several weeks locked up “working” from home, which I’m putting in quotes because it does feel quite a bit different. One of my favorite helpers is Zoom meetings, because it’s so easy to use. But apparently it’s not so secure when it comes to holding confidential meetings and conversations. I’ve researched a few alternatives, and in this post I show you how you can combine them with my own PassLok in order to achieve a moderately secure connection. I actually started writing this before updating PassLok Chat to version 2 (this is the real-time conferencing solution built into PassLok and compatible apps), so I had no particular interest in promoting one method over another, including PassLok’s built-in conferencing.
As you likely know, PassLok already has a secure chat feature built into it. It works with text, files, audio, and also video. It is based on WebRTC, so connections are direct between participants, who supply a 256-bit password sent with the encrypted chat invitation in order to connect. But I do grant you that it is not pretty and looks clunky. Direct connections between peers also create connection headaches that most folks rather do without. I have written this other post about the new PassLok Chat 2.0, so in this post I’ll focus on ways to use PassLok to secure chats from other services.
I’ve taken a look at current offerings out there, specifically looking for ways that they can be given an extra layer of security through PassLok. The general process looks like this:
- Go to the video conferencing app or website, and start or schedule a meeting. Often this will require some sort of registration, other times it won’t be necessary, which is better for our purposes. All the services discussed here offer free accounts. Registration typically involves replying to an email.
- The app or website will then generate a meeting ID, or a link to be sent by email or texting. Some also allow adding a password. In some you can generate an invitation for a meeting in the future, and in some the meeting must have started already. The meeting ID tends to be rather short, which doesn’t give a lot of security by itself (think “zoombombing”) or, worse still, is always the same and linked to your account.
- Here’s where PassLok comes in. You use PassLok to encrypt the link, plus the password if any, and then you can send it to your friends by email or whatever other method.
- Your friends decrypt the invitation, revealing the link, and then join the video meeting normally. If a password is needed, they can get it from your decrypted message.
The reason why you want to use PassLok is to keep anyone who intercepts your message from getting the meeting ID (and the password, which you should never send with the meeting ID in plaintext). Getting the ID will allow any interloper to connect to your meeting, which is bad enough, even if the connection cannot be completed for lack of password. The host of the call will be able to listen in, but I guess there’s nothing you can do about it with these centralized services, which require implicit trust in their servers and whatever they do in there.
So, to keep anyone other than the administrators of the service from listening in, you encrypt the invitation with PassLok before you send it, and that’s it. I will now describe several services, and my (mostly limited) experience with each of them.
The market leader, hands down. I love the service, put they attach the (alphanumeric) password to the (short numeric) meeting link, which makes no sense security-wise even though the password only gets used at client level so the server never sees it. You must encrypt it before you send it out, if you want to have any security against interlopers other than Zoom itself. And beware!, Zoom has decided that meetings made with free accounts will NOT be encrypted, ostensibly so that law enforcement can listen to your conversations if they need it.
You can do an immediate conference, or schedule it as in Zoom. Participants need a short numeric code and that’s it. No password. And you must make an account with them. This one you also must encrypt if you want any security.
Their “go” offering works directly from the browser, and no registration is required, which is awesome for anonymity. Although, I should say they’ve been spamming me quite heavily since I tested them. As usual with these apps, all security depends on a third party being able to guess your chatroom link, which is this case is composed of letters, numbers, and special characters. Might give decent security if you send the link encrypted. They also offer accounts, and in this case the connection is via an app connected to the browser, like Zoom.
Jitsi does not require registration even for the originator of the conference, which is great. I couldn’t find a way to schedule a call ahead of time, but they do allow the use of a password, which is entirely separate of the join-in link. I’m not sure whether they can listen if they want, but that’s the problem with every hosted video conferencing app. Because the code is open-source, though, you can set up your own server if you feel so inclined. They say they use WebRTC technology, which implies direct connections between participants, which is reassuring from the security viewpoint but may limit the number of participants.
This is the same as Jitsi, but commercial. They offer paid accounts with extra features. Heck, they offer free accounts with extra features, but then you’re making an account with them.
This one is all about setting up your own server, which is the best security. Don’t even try the service they host as a demo: it’s all about sex online, and you cannot set up your own room.
They offer a chat service as part of their general “cloud” service. All users need to be registered with them, though, which smacks of Big Brother. A number of providers offer generous free space, though.
The granddaddy of them all. Hasn’t aged well and requires a special app and a previous exchange of contact info between registered users. No way to generate a link for anonymous guests. No way to encrypt the invitation, because there’s none. They are owned by Microsoft. Avoid it if you care about security.
The usability champion, no question about it. Unfortunately, it only works between registered users à la Skype (I guess it’s beginning to show its age), so no way to encrypt a link. They do swear, if you want to believe them, that the actual communication is encrypted end to end (they are owned by FaceBook). Supported only four people on a video chat until April 2020, eight people after that date.
Another instant service that does not require an account. They do get your email when you send the link (no way to send it using your own email, which is kind of sneaky), which makes me I suspect they’ll be spamming you forever. I stopped before sending out my first link, so I don’t know what the participant limit is, but they recommend no more than five participants. They offer permanent links to registered users, which I think is a real bad idea.
To summarize, I liked Jitsi and 8×8 more than the others, and this is why I incorporated Jitsi into PassLok Chat 2. In this case, you don’t have to worry about creating a meeting ID and password. PassLok does it all automatically. Since Jitsi does not support file exchange, you can always get this by setting up a parallel meeting using the direct video service built into PassLok Chat, which does support file exchange.