bbb-recording-exporter icon indicating copy to clipboard operation
bbb-recording-exporter copied to clipboard

Published 20 hours ago verified publisher icon danielpetri1

Security Analysis

Open timmwille opened this issue 3 years ago • 1 comments

First of all a huge thank you @danielpetri1 for this amazing work. I've also scanned through your thesis and must say this holds lots of potential for the future of BBB.

I am in the luxury position to have access to a server with this feature to test (I'm not the Sys Admin though) and while I was going through the individual parts of the work I was wondering if there was more detail on the security analysis. A good reason to look close to possible breaches is the fact, that this data recorded/downloaded is critical, of course needs to be protected the best way possible.

I found this part under section 4.3 Dynamic Analysis

With the help of these tools, the post-publish scripts passed Sonar Cloud’s6 quality gates concerning bugs, security vulnerabilities, code smells, and code duplication in the PRs submitted to BBB.

I'm not an expert on Security Analysis but would like to get some insights. When I share this new level of BBB with my Colleagues and Community I know for certain this will be the main first question I have to answer :)

Feel free also to point me towards a source of information I might have missed.

Thank you again for all the amazing work and all people from the community who helped on the way. :+1:

timmwille avatar Jan 18 '22 17:01 timmwille

Hi @timmwille! Thank you very much for your kind words. I'm by no means a security expert but below are some points that I can bring up about this.

  1. The video uses the same data as the playback does. So it is as safe as the browser playback is, so to speak. If anyone in the world has the meeting ID of the recording, they can generate the PDF + MP4 as well. You don't even need access to a server, you can download the files on your desktop PC and render a video without access to a server.

  2. The elements should appear in the video exactly like the they do in the playback. I say should because there are reported edge cases where this is not the case. For instance, in the version of the thesis, the zoom sometimes showed bigger sections than appeared in the browser. This was intentional but has been since then been retracted after some people brought privacy concerns up. And yesterday an issue was opened reporting that text can show outside of the box that the user added (it doesn't get cut off in the MP4).

  3. If the anonymous chat names function is turned on, the names will be randomized through different re-renders of the same video and differ from the anonymous version contained elsewhere. So user Alice can use her same name in 100 different names and it will show up differently every time (e.g. humil-bosek, sonax-nefas), making sure there is no way to track the same user across classes.

That's all I can think of off the top of my head, let me know if you have any further questions. Cheers.

danielpetri1 avatar Jan 18 '22 20:01 danielpetri1