Comments on: Security for Web Meetings? http://www.infosecpodcast.com/2008/06/security-for-web-meetings/ Information Security related news, opinions and ramblings Sun, 25 Jul 2010 08:44:08 -0600 hourly 1 http://wordpress.org/?v=3.0 By: John Kennedy http://www.infosecpodcast.com/2008/06/security-for-web-meetings/comment-page-1/#comment-28004 John Kennedy Mon, 14 Jul 2008 21:44:38 +0000 http://www.infosecpodcast.com/?p=174#comment-28004 Hi, Happened to run across this post and just wanted to add that with GoToMeeting we utilize true end-to-end encryption between the participaring endpoints which provides fundamental protection against monitoring by Citrix Online. Our communication servers are only routing opaque, encrypted packets. If the session is recorded, it is recorded in the same encrypted format. This is in contrast to services such as WebEx that only use SSL on the links between endpoints and their data centers and decrypt-switch-then-reencrypt meeting data. (Morale: all claims of "end-to-end" encryption are definitely not equal.) For more details, checkout our security white paper: https://www1.gotomeeting.com/default/downloads/pdf/p/GoToMeeting%5fSecurity%5fWhite%5fPaper.pdf Regards, -John Kennedy Chief Security Architect Citrix Online Hi,

Happened to run across this post and just wanted to add that with GoToMeeting we utilize true end-to-end encryption between the participaring endpoints which provides fundamental protection against monitoring by Citrix Online. Our communication servers are only routing opaque, encrypted packets. If the session is recorded, it is recorded in the same encrypted format.

This is in contrast to services such as WebEx that only use SSL on the links between endpoints and their data centers and decrypt-switch-then-reencrypt meeting data.
(Morale: all claims of “end-to-end” encryption are definitely not equal.)

For more details, checkout our security white paper: https://www1.gotomeeting.com/default/downloads/pdf/p/GoToMeeting%5fSecurity%5fWhite%5fPaper.pdf

Regards,

-John Kennedy
Chief Security Architect
Citrix Online

]]> By: Chris Harrington http://www.infosecpodcast.com/2008/06/security-for-web-meetings/comment-page-1/#comment-27995 Chris Harrington Thu, 26 Jun 2008 03:29:46 +0000 http://www.infosecpodcast.com/?p=174#comment-27995 Thanks Roger. I definitely understand the dangers of any electronic communication. I used to wear that trench coat :) My reason for asking the question was to try and gauge the level of risk people are willing to accept in dealing with these technologies. The bigger concern for me is the ability for participants to share desktops and give control of desktops as part of many web collaboration offerings. Thanks! --Chris Thanks Roger. I definitely understand the dangers of any electronic communication. I used to wear that trench coat :) My reason for asking the question was to try and gauge the level of risk people are willing to accept in dealing with these technologies.

The bigger concern for me is the ability for participants to share desktops and give control of desktops as part of many web collaboration offerings.

Thanks!

–Chris

]]> By: Roger Courville http://www.infosecpodcast.com/2008/06/security-for-web-meetings/comment-page-1/#comment-27994 Roger Courville Thu, 26 Jun 2008 03:09:10 +0000 http://www.infosecpodcast.com/?p=174#comment-27994 If you have a conference call, how secure is it? Can AT&T or Verizon listen in? If so, is it overt or covert? Is the conference call recorded on their servers? Is there any audit trail? Answer those questions, and you'll have a general idea of how transmitting web data is no different than transmitting audio data. Different providers do accomplish it in different ways, so if it's a concern, we should include those questions in our RFPs. I might suggest a better question would be "What data in your organization would you want protected to what degree?" Don't hold a public web seminar if you don't want a competitor to figure out how to attend. Don't have a telephone call (or web meeting) if you don't want to have a chance that someone, legally or illegally, could figure out how to listen in. Arguably web data being encrypted is significantly more secure... Live, private web communications are arguably as secure as the same on a telephone - it's just a different appliance. Governance - if that's your concern - should be no different. If you want to have really private communications, don't send a letter, make a telephone call, or trust a courier. Meet the recipient in an unused part of a large local park and speak in code... wearing a trenchcoat of course :-) ! Good questions ;-) Roger Courville 1080 Group, LLC roger@1080group.com If you have a conference call, how secure is it? Can AT&T or Verizon listen in? If so, is it overt or covert? Is the conference call recorded on their servers? Is there any audit trail?

Answer those questions, and you’ll have a general idea of how transmitting web data is no different than transmitting audio data. Different providers do accomplish it in different ways, so if it’s a concern, we should include those questions in our RFPs.

I might suggest a better question would be “What data in your organization would you want protected to what degree?”

Don’t hold a public web seminar if you don’t want a competitor to figure out how to attend. Don’t have a telephone call (or web meeting) if you don’t want to have a chance that someone, legally or illegally, could figure out how to listen in.

Arguably web data being encrypted is significantly more secure… Live, private web communications are arguably as secure as the same on a telephone – it’s just a different appliance. Governance – if that’s your concern – should be no different.

If you want to have really private communications, don’t send a letter, make a telephone call, or trust a courier. Meet the recipient in an unused part of a large local park and speak in code… wearing a trenchcoat of course :-) !

Good questions ;-)

Roger Courville
1080 Group, LLC
roger@1080group.com

]]>