How can I recognize a secure videoconference?

The security of videoconferencing solutions is often difficult to assess. Users are often dependent on the promises of the providers without knowing whether all the necessary security measures are actually implemented. Security processes take place at the protocol level and are not immediately visible or comprehensible to users. This carries the risk that potential security gaps are overlooked.

How can I ensure that my video conference remains secure with different dial-in formats?

The security of video conferencing depends heavily on the devices and communication protocols used:

• Desktop/laptop: Protective mechanisms can be flexibly implemented on these devices because they are developed platform-dependently. To ensure security, you should make sure that all devices have the latest operating systems and security updates installed. It is also recommended to use strong authentication (e.g. two-factor authentication) and security protocols such as TLS (Transport Layer Security) and end-to-end encryption. Selecting a trusted video conferencing software that is regularly subjected to security audits is also crucial.
• Smartphones/Tablets: These devices offer similar security options to desktops, but limitations such as battery life can affect end-to-end encryption. This is because when the battery is low, processes such as continuous encryption may be suspended or restricted to save power. To prevent this, you should make sure that the device is always sufficiently charged and use energy-efficient, secure apps that also support encryption in power-saving mode.
• SIP phones/conference systems: These devices can be secured by open standards such as SIPS (Session Initiation Protocol Secure) and SRTP (Secure Real-time Transport Protocol). However, they do not offer end-to-end encryption because the data can be decrypted on servers between the call partners. To improve security, administrators should ensure that these standards are implemented correctly and updated regularly.
• H.323 phones/conference systems: Encryption is also possible here according to the standard, but again without end-to-end encryption. The H.323 devices can be secured by protocols such as H.235, which enable authentication and encryption of the signaling data. To ensure maximum security, the devices should be updated to the latest version of the protocol.
• Telephone (classic telephone dial-in): The security options for classic telephone dial-in are very limited because the public telephone network does not support encryption. A serious risk is that caller numbers can be faked (spoofing). For maximum security, alternative, more secure dial-in options such as encrypted VoIP services should be considered.

The German Federal Office for Information Security (BSI) has published detailed guidelines for securing IP-based voice telecommunications, which are used in particular by security authorities. These requirements can be found in the BSI's technical guidelines, such as TR-02102-2. These define standards and measures for the secure encryption of voice communication. 

Which settings should be activated or deactivated during a video conference?

Certain security functions should always be activated for every secure video conference:

• Transport encryption: All communication data, including meta data, must be transmitted in encrypted form. End-to-end encryption is ideal.
• Infrastructure configuration: Servers, firewalls, DNS and call number filters must be configured correctly to prevent attacks. 
• Call number management: Participants should only see abbreviated call numbers to protect privacy.

Incidentally, with OpenTalk these security measures are controlled centrally, so that users do not have to deal with technical details.

What should a user bear in mind independently of the software?

In general, end users should be careful with links and attachments that they receive from unknown sources. Otherwise, they have little influence on the security of the video conferencing systems used. More crucial are centrally controlled security measures that are implemented transparently.

OpenTalk offers full transparency by publishing the source code on OpenCoDE.de and using the European Public License (EUPL).

How do I recognize a secure provider?

A secure provider of a video conferencing solution should meet the following criteria:

• Server location in Europe: To meet the requirements of the GDPR, servers should be located within the EU, ideally in Germany.
• Data processing agreement (DPA): A DPA is necessary to ensure that the provider complies with data protection guidelines.
• On-premise option: A solution that can also be installed in your own infrastructure guarantees digital sovereignty. This is particularly important for companies and public authorities that want full control over their data and security.

OpenTalk offers both SaaS and on-premise solutions to provide complete control over systems, data and security as needed.