Secure / Encrypted BBB Configuration FAQ or How-To


Ted Fines

Jan 13, 2011, 3:16:35 PM
to bigbluebu...@googlegroups.com
Hi,

I searched the FAQ, hoping to find an article on BBB encryption. No luck. There are a couple threads on the topic in the archives, but they don't come to a definitive conclusion.

Also, I don't know what might already be encrypted in BBB. I know there are different software packages that make up BBB, and they probably have to be configured individually for HTTPS or SSL or TLS or what-have-you. But then this has to be done without breaking the other parts.

A FAQ or How-to on this would be really valuable. For instance, a question left hanging in the aforementioned thread asks whether the desktop sharing Flash app is already encrypted. If it is not, does the Flash app itself need to be modified to enable encryption, or can a config file somewhere be modified to enable it?

Since BBB is a complex suite, encryption could be complicated but I think there would only be three main areas.
1) Encrypting authentication
2) Encrypting Inter-process communication on the BBB server
3) Encrypting communication between the BBB server and end-users.

I would think that the majority of BBB installations would have either BBB all on one system, or if on more than one, they would be on the same network, probably even the same server rack and the same VLAN (network segment). So I would propose making documenting how to get encryption for (2) working a low priority. In fact, my first thought for an installation where BBB was split between two systems over an unsecured network would be to just establish a system-to-system VPN with OpenVPN or similar, and not modify BBB's inter-process communication, period, if possible.

(1) Encrypting authentication.
If you use the Moodle module, for example, authentication and its encryption are handled by Moodle. This is frankly the only kind I've done, other than the default no-authentication, so I don't have any specific knowledge to add.

(3) Encrypting communication between the BBB server and end-users.
This is the big one, and the one most important to organizations, I would think. If I have uploaded and am sharing a presentation, could someone who intercepts the traffic see it? What about chat? Desktop sharing?

The problem I have, as someone who has just set up a BBB server, is that I am not even sure where I need to look or how to tell.

After installing BBB, I wanted to see what ports were in use.  There are many.  Among them...
5060, 5090 (udp) Freeswitch
5060,5090,8021 (tcp) Freeswitch
80 (tcp) nginx
8100 (tcp) OpenOffice
3306 (tcp) mysqld
1935,8443,9123 (both?)  red5
8161 (?) ActiveMQ
8080,8088,4573,more... (?) tomcat6

Anyway, if one wanted to accomplish the encryption of BBB traffic between the server and clients, what needs to be done?

Thanks,
Ted
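One way to start sorting a port list like the one above into areas (2) and (3), shown as an added example that is not part of the original post: listeners bound only to a loopback address can carry only on-host inter-process traffic, while listeners on any other address are reachable by end-users and are the ones whose encryption needs checking. The `ss -H -tulnp` sample and its bind addresses are constructed for illustration, not captured from a BBB server, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of `ss -H -tulnp` output; bind addresses are illustrative only.
SAMPLE = """\
tcp LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=901,fd=6))
tcp LISTEN 0 50 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=812,fd=10))
tcp LISTEN 0 50 127.0.0.1:8100 0.0.0.0:* users:(("soffice.bin",pid=1440,fd=9))
tcp LISTEN 0 50 *:1935 *:* users:(("java",pid=1502,fd=55))
tcp LISTEN 0 50 [::1]:8021 [::]:* users:(("freeswitch",pid=1377,fd=30))
udp UNCONN 0 0 0.0.0.0:5060 0.0.0.0:* users:(("freeswitch",pid=1377,fd=21))
"""

def parse_listeners(text):
    """Return (proto, bind_address, port, process) for each listener line."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # not a socket line
        addr, _, port = fields[4].rpartition(":")
        proc = re.search(r'users:\(\("([^"]+)"', line)
        rows.append((fields[0], addr, int(port), proc.group(1) if proc else "?"))
    return rows

def is_loopback(addr):
    """True only for 127.0.0.0/8 or ::1; wildcards such as * count as exposed."""
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %interface
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def split_listeners(rows):
    """Separate on-host (loopback) listeners from ones clients can reach."""
    result = {"client_facing": [], "loopback_only": []}
    for proto, addr, port, proc in rows:
        key = "loopback_only" if is_loopback(addr) else "client_facing"
        result[key].append((proto, port, proc))
    return result

if __name__ == "__main__":
    for kind, items in split_listeners(parse_listeners(SAMPLE)).items():
        print(kind, items)
```

On a real server, feed it the output of `ss -H -tulnp` run as root; a host firewall can still block a non-loopback listener, so treat the client-facing list as an upper bound.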

Ted Fines

Jan 17, 2011, 5:18:46 PM
to bigbluebu...@googlegroups.com
Hi,

I was just checking in and noticed there wasn't a response to my post about BBB encryption.

I just wanted to make sure my questions didn't come across as just criticisms or that people thought I was just complaining.  I really just wanted to get some information on what client/server traffic is already encrypted between BBB and its users, and/or how to enable encryption in BBB.

So, any information on this that anyone can provide would be helpful.  I understand BBB is open-source and community participation is important.  Were I a developer I'd dive right in, but I'm just not.

The reason this is important to us is that security is a high priority on our campus.  When any new solution is brought up, one of the first things we ask about is whether and how it helps keep our data secure.

Also, if I am asking my questions in the wrong place, please let me know.

Thanks,
Ted Fines
Macalester College

Fred Dixon

Jan 17, 2011, 6:17:16 PM
to bigbluebu...@googlegroups.com
Hi Ted,

Not at all! We were *more than* happy to see your post.

At the moment, we (the core developers) have not put effort into
making BigBlueButton secure. We've been pretty busy with record and
playback and are working hard to get that in place.

For (2), I would offer that if your machine is locked down (i.e. not
accessible without using a private key to log in), then the
interprocess communication should also be secure.

We've had some thoughts on (3), but before we share
suggestions, we want to test things internally first. No time frame
on when we'll get to the security side, but it is in our issue
tracker:

http://code.google.com/p/bigbluebutton/issues/detail?id=726

Regards,... Fred
