8 video chat apps compared: Which is best for security?

Most aren't end-to-end encrypted. Some are. None are perfect. Here are your options.

video conferencing / remote work
Filadendron / Getty Images

Scandal engulfed popular videoconferencing software Zoom when its promise of providing end-to-end encryption (E2EE), turned out to be a lie. For years the Zoom client informed users that "Zoom is using an end-to-end encrypted connection." Zoom even lied to the SEC in 2019 in its pre-IPO filings, claiming to offer "end-to-end encryption" when they did not.

In early July, reverse engineering by researchers at Citizen Lab demonstrated substandard, non-E2EE encryption and keys sent to servers in China. And Zoom CEO Eric Yuan told the Wall Street Journal he "really messed up" and plans to do better.

The main difference between Zoom and its major competitors, Google Meet and Microsoft Teams, is that Zoom lied about offering E2EE, and Google and Microsoft don't even pretend to offer E2EE. Those in search of a true end-to-end encrypted videoconferencing solution will have to go further afield and make trade-offs in exchange for that greater level of security.

CSO took a high-level look at the security of Zoom, Google Meet, Microsoft Teams, Cisco's Webex Meetings, FaceTime, Signal, WhatsApp and Wire. Here's what we found.

Zoom

In the wake of Zoom's security scandal, organizations like New York City schools, Google and the US Senate have dumped the software. So, you should stop using Zoom because every alternative is pristine and 100% secure. Right...? Right...? Right...?

While the infosec torches-and-pitchforks mob is currently besieging Zoom and, it must be noted, exposing troubling security practices in the public interest, there are likely unpublished security issues with Zoom's competitors. Trusting another provider simply because it is not Zoom would not be logical. Regardless of which solution best meets your needs, caveat emptor.

Zoom is throwing money at the problem and hiring leading security experts to improve their offering. In fact, on October 14, the company announced an E2EE offering would be available as a technical preview for both free and paid users.

The E2EE feature comes with some limitations, at least for now. With E2EE enabled, you lose features such as cloud recording, streaming and live transcription. Zoom's roadmap includes new features including improved identity management and E2EE SSO integration for sometime next year.

Signal

If you need true E2EE for a one-to-one video call, then Signal wins hands down. Signal's best-of-breed encryption secures text, voice-mail style audio messages, audio calls and video calls.

The only downside? Signal doesn't offer group videoconferencing. At the time of this writing, group texting is the most Signal offers. Once you need a group videoconference of more than two people, we enter trade-off land. Signal's complete technical specifications, including encryption, are available here.

WhatsApp

Did you know WhatsApp offers videoconferencing for up to four people? We didn't. While not optimized for the enterprise, WhatsApp says it uses the same encryption protocol as Signal, and the app is free to download and use. Facebook has also invested a substantial amount of money building out available bandwidth for WhatsApp users, and it shows. Intercontinental videos can be crisp and clear. Full details of WhatsApp's advertised encryption is available here.

Wire

Like WhatsApp, only with a greater focus on the enterprise, Wire also offers videoconferencing for up to four people and audio conferencing for up to 20 people. Like Signal and WhatsApp, Wire's encryption is "always on," and there is no option to turn it off.

Wire uses an encryption protocol called Proteus, Alan Duric, COO, CTO and co-founder of Wire, tells CSO. "Proteus is an independent implementation of the Axolotl/Double Ratchet protocol, which is in turn derived from the Off-the-Record protocol, using a different ratchet. This type of protocol is optimized specifically for mobile and multi-device messaging."

Duric notes that scaling E2EE videoconferencing to more users is a hard technical problem all providers face, and that his team is working on "the next generation of E2E encrypted conference calls that will allow for bigger groups while offering the same user experience as non-encrypted solutions." Wire's advertised security design can be found here.

FaceTime

Need a video call with more than four people and everyone is on an Apple device? Apple's videoconferencing software offers end-to-end encrypted videoconferencing that supports up to 32 users at a time. The catch? It only works on Apple devices. If you want to invite someone using Windows or Linux or an Android device to join a group video call, they are out of luck.

According to Apple, "We designed iMessage and FaceTime to use end-to-end encryption, so there’s no way for Apple to decrypt the content of your conversations when they are in transit between devices." (Of course, there are weasel words there. Apply can decrypt anything you store in iCloud, so make sure to turn off those iCloud backups, folks.)

Sales folks, don't rejoice. FaceTime does not offer a slide share presentation mode. Read more about how FaceTime works and Apple's advertised approach to privacy. Apple doesn't publish details of the encryption FaceTime uses, but reverse-engineering efforts have uncovered security issues with Apple's deployment that could let a malicious Apple insider or a sophisticated attacker gain access to your communications.

Jitsi

Often overlooked by enterprises and consumers alike, Jitsi is a free/libre videoconferencing solution. Jitsi offers E2EE for one-to-one conversations, but not for group videoconferences, although we hear its engineering team is working on it.

Users can try out Jitsi on its publicly available server at meet.jit.si or with the Jitsi app, available for iOS and Android. Because Jitsi is a fully auditable and customizable free software solution, enterprise users can deploy their own Jitsi Videobridge server on-premises or even in the cloud. Jitsi uses WebRTC on the back end, which means group videoconferencing over Jitsi passes across the server in the clear.

For a free software project, Jitsi's security documentation is disappointingly scant. What information it publishes can be found here.

Microsoft Teams

On to the heavyweights. You want group collaboration at scale, you say. You don't care about end-to-end encryption at all, you say. Then Microsoft Teams might be what you're looking for.

Teams does not offer E2EE, and Microsoft is clearly touchy about the subject. When CSO asked Microsoft by email if it offered E2EE videoconferencing, its PR folks tried to distract us with a long red herring about transport-level encryption and encryption at rest on their services, and only admitted under questioning that Teams does not offer E2EE.

That's a red flag for us. Trying to spin the public on a critical security question like E2EE raises eyebrows. So, to emphasize, Microsoft Teams is a solid enterprise group videoconferencing option if you're OK with Microsoft and any other capable and motivated party having access to everything you do.

Cisco's Webex Meetings

CSO was pleasantly surprised to find that Cisco's videoconferencing offering, Webex Meetings, offers end-to-end encryption for videoconferences up to 100 people. The catch? It's turned off by default, and you have to make sure to turn it on.

"For businesses requiring a higher level of security," Webex documentation reads, "Cisco Webex also provides end-to-end encryption. With this option, the Cisco Webex cloud does not decrypt the media streams, as it does for normal communications. Instead it establishes a Transport Layer Security (TLS) channel for client-server communication. Additionally, all Cisco Webex clients generate key pairs and send the public key to the host’s client."

Webex users with a free account can call Webex customer support and ask for E2EE to be enabled, a Cisco representative tells CSO by email. Webex is clearly trying to compete on security with the bigger players. We're curious to see how that plays out.

So how does Cisco scale to 100 videoconferencing users? It uses a shared symmetric key for all users, instead of using pairwise keys, which means every user has a different symmetric key to communicate with every other user.

"The cost of using pairwise keys is a huge blowup of streams," cryptographer Matthew Green, a professor at Johns Hopkins University, tells CSO. "That won't scale well to big conferences at all." Nor does it necessarily mean decreased security, he says. "If I'm part of a chat with pairwise keys, now I just send N keys to the NSA." Pairwise keys, unlike shared keys, involve key exchange among all individual participants.

Google Meet

Google Meet is the closest alternative to Zoom's functionality, and with a similar lack of end-to-end encryption in its primary version. Google is very clear about it.

Despite Google employing some of the best developers and security engineers on the planet, the company has yet to roll out end-to-end encryption for its most popular products, including Mail, Docs, Drive and Meet. The only exception to this is Google Duo, the company's version of FaceTime for Android, which offers E2EE videoconferencing for up to 12 people.

Don’t forget about metadata

Metadata reveals who talks to whom, when and for how long. That is often more revealing than the content itself to a network-level passive observer. When selecting videoconferencing software, consider not only how to protect your communications with E2EE, but also how to mitigate the exposure of your metadata.

Guess what? There isn't any way to do this. Apart from defunct skunkworks projects like Herd, an attempt to create metadata-resistant encrypted audio calls (and not even video at that), there is currently no way to eliminate the risk of metadata leakage for encrypted audio and video calls.

Copyright © 2020 IDG Communications, Inc.

How to choose a SIEM solution: 11 key features and considerations