We at Gruveo take our users’ privacy and security very seriously. In this blog post, we’d like to share some details on the technology behind Gruveo and the security and privacy measures we have in place.
Gruveo uses WebRTC for all video and voice calls made using its platform. WebRTC is a free, open technology that enables web browsers with Real-Time Communications (RTC) capabilities.
WebRTC is often described by the industry professionals as the most secure VoIP solution out there.
WebRTC specification requires that all transferred data – audio, video and custom application payloads – must be encrypted end to end while in transit. This is achieved by employing the following protocols:
DTLS is a privacy protocol that is very similar to TLS (SSL), but with a minimal number of modifications to make it compatible with the UDP transport used by WebRTC. DTLS enables a secure data channel between peers that cannot be tampered with. No eavesdropping or message forgery can occur on a DTLS encrypted connection.
SRTP is a secure variant of the standardized format for delivery of real-time data, such as audio and video over IP networks. SRTP media cannot be decrypted by a third party thus ensuring that IP communications across the Internet remain private. In other words, SRTP ensures that WebRTC voice and video traffic will not be heard or seen by unauthorized parties.
Finally, WebRTC is a peer-to-peer technology where calls are established directly between the peers’ devices for lower latency and added security. In some situations, a peer-to-peer call cannot be established and the call data has to travel through the Gruveo’s servers. However, DTLS and SRTP ensure that the call contents cannot be decrypted on the server even in such a scenario.
All text messages on Gruveo are relayed via Gruveo’s secure servers. The messages are relayed to and from client endpoints in encrypted form using TLS (SSL) as part of the WebSocket Secure (WSS) protocol.
The Gruveo website is only accessible via the secure HTTPS protocol.
Endpoint security is out of Gruveo’s control. For example, we cannot detect or prevent a virus running on a client machine from recording the user’s communications, on Gruveo or otherwise.
All Gruveo users are encouraged to choose longer, non-trivial codes for connecting to ensure against a random third party joining under the same code before the intended counterpart does.
Once a call between two parties has been established on Gruveo, no one else can connect to it, even if they enter the same code. Anyone connecting under the same code while you are talking will get a "busy code" message.
We hope that this has been helpful in understanding how Gruveo protects your privacy and security. If you have more questions, please don't hesitate to contact us right away.