How is information protected in transit between BBB clients?


Ihor Horoshko

Jun 19, 2022, 12:29:13 PM
to BigBlueButton-dev
Hello!
Can you please tell me how encryption is provided in BBB? Do we have it only from client number one to the server and from the server to client number two, or is there direct encryption from client number one to client number two, with no intermediary between these two clients that performs decryption-encryption?
Thanks for the info!

Brent W. Baccala

Jun 19, 2022, 12:37:21 PM
to BigBlueButton-dev
There's no direct client-to-client communication or encryption.  Everything runs through the server.  The server-to-client channels are all pretty well encrypted, but everything is processed unencrypted on the server.

    agape
    brent

Ihor Horoshko

Jun 19, 2022, 2:06:12 PM
to BigBlueButton-dev
Thanks a lot for the quick and detailed answer!

On Sunday, June 19, 2022 at 19:37:21 UTC+3, Brent W. Baccala wrote:

Ihor Horoshko

Jun 20, 2022, 2:39:03 AM
to BigBlueButton-dev
Is end-to-end encryption used between server and client? Or what other method provides encryption?

On Sunday, June 19, 2022 at 19:37:21 UTC+3, Brent W. Baccala wrote:
There's no direct client-to-client communication or encryption.  Everything runs through the server.  The server-to-client channels are all pretty well encrypted, but everything is processed unencrypted on the server.

basisbit

Jun 20, 2022, 10:10:06 AM
to BigBlueButton-dev
Yes, transport encryption (you can call it "end-to-end encryption between server and clients") is used everywhere by default in BBB. TLS is used for any TCP HTTP traffic, and dTLS is used for the UDP RTP traffic. The WebRTC connections are thus secured using DTLS-SRTP, and fingerprint checking is implemented - the fingerprint for the dTLS certificate is transferred over the TLS secured websocket connection (DTLS-SRTP) to the client. The default configuration of the nginx HTTPS webserver site (part of the BigBlueButton server) contains a pretty good and tight configuration and is very easy to adjust / tighten further if needed. TLS client authentication can optionally be configured/enabled there, if needed.

If you have any more questions about any details, please feel free to ask!
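
The fingerprint check described in the reply above, sketched as an added example (not part of the thread and not BigBlueButton code): a WebRTC endpoint hashes the certificate presented in the DTLS handshake and compares it with the `a=fingerprint` value it received in the SDP over the TLS-protected signalling channel. The SDP text, the certificate bytes and all function names are constructed for illustration, and accepting only SHA-2 digests is this example's own policy.

```python
import hashlib
import hmac

# Policy choice of this example: accept only SHA-2 fingerprints.
HASHES = {"sha-256": hashlib.sha256, "sha-384": hashlib.sha384, "sha-512": hashlib.sha512}

def fingerprints_for_media(sdp, media_index=0):
    """Return [(hash_name, digest_bytes)] that apply to one m= section."""
    sections = [[]]  # sections[0] holds session-level fingerprints
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            sections.append([])
        elif line.startswith("a=fingerprint:"):
            name, _, value = line[len("a=fingerprint:"):].partition(" ")
            try:
                digest = bytes.fromhex(value.replace(":", ""))
            except ValueError:
                continue  # a malformed value can never match
            sections[-1].append((name.lower(), digest))
    if media_index + 1 >= len(sections):
        return []
    # A media-level fingerprint overrides the session-level one.
    return sections[media_index + 1] or sections[0]

def dtls_cert_matches(sdp, cert_der, media_index=0):
    """True only if the DTLS peer certificate hashes to a signalled fingerprint."""
    for name, expected in fingerprints_for_media(sdp, media_index):
        hasher = HASHES.get(name)
        if hasher and hmac.compare_digest(hasher(cert_der).digest(), expected):
            return True
    return False  # no usable fingerprint or no match: fail closed

def colon_hex(data):
    return ":".join(f"{b:02X}" for b in data)

# Constructed stand-ins for DER-encoded certificates (not real certificates).
SERVER_CERT_DER = b"constructed stand-in: certificate announced for the session"
SECOND_CERT_DER = b"constructed stand-in: a different certificate"
SAMPLE_SDP = "\r\n".join([  # constructed SDP, signalled over the TLS websocket
    "v=0", "o=- 0 0 IN IP4 127.0.0.1", "s=-", "t=0 0",
    "a=fingerprint:sha-256 " + colon_hex(hashlib.sha256(SERVER_CERT_DER).digest()),
    "m=audio 9 UDP/TLS/RTP/SAVPF 111", "a=setup:actpass",
    "m=video 9 UDP/TLS/RTP/SAVPF 96",
    "a=fingerprint:sha-256 " + colon_hex(hashlib.sha256(SECOND_CERT_DER).digest()),
])

if __name__ == "__main__":
    print("announced cert accepted:", dtls_cert_matches(SAMPLE_SDP, SERVER_CERT_DER))
    print("other cert accepted:", dtls_cert_matches(SAMPLE_SDP, SECOND_CERT_DER))
```

The comparison only protects the media path if the SDP itself arrived over an authenticated channel, which is why the fingerprint travels over the TLS-secured websocket.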
