Update August 15, 2014: The below post applies to an earlier version of Gruveo that used Flash. Click here for a detailed review of the current version’s security.
2013 has brought revelations about the massive scale of US surveillance on Internet communications. People all over the world learned that most of their Internet activities are routinely logged, recorded and analyzed. In light of these revelations, we at Gruveo feel that it’s our duty to explain to our users how their calls are protected and what mechanisms we use to ensure the security of their Gruveo communications.
The first thing to note is that wherever possible, all Gruveo calls are established using the so-called peer-to-peer (P2P) technology where data flows directly between the users’ computers. Almost by definition, the absence of a middle point relaying your calls means that it’s harder for a third party to intercept them.
Whether a call is established using P2P is determined by the firewall configuration of the particular pair of users. If a call cannot be established via P2P, it is relayed using our secure servers. Gruveo is quite good in “piercing” firewalls to establish P2P calls, however: 63.1% of the past month’s calls were established over peer-to-peer.
The decentralization brought by peer-to-peer is just part of the story. No matter if your call is established via P2P or not, it is encrypted end to end as part of the RTMFP protocol (P2P), or RTMPS/RTMPTS (non-P2P). In RTMFP, all network traffic is encrypted using 128-bit cipher. RTMPS/RTMPTS rely on the industry-standard SSL standard for traffic encryption.
Last but not least, given how Gruveo connects users, isn’t it possible that someone else can connect to your call just by accidentally entering the same number while you’re talking to somebody? The answer is no – once a Gruveo call is established, it is “sealed” and anyone entering the same number will create a new session just as if your call didn’t exist.