Blog - Gruveo

Gruveo Security Explained

We at Gruveo take our users’ privacy and security very seriously. In this blog post, we’d like to share some details on the technology behind Gruveo and the security and privacy measures we have in place.

The Gruveo Technology

Gruveo uses WebRTC for all video and voice calls made using its platform. WebRTC is a free, open technology that enables web browsers with Real-Time Communications (RTC) capabilities.

Gruveo uses the browser’s implementation of the WebRTC engine and operates it via the high-level JavaScript APIs exposed by the browser. As such, Gruveo has no way of compromising the internal workings of WebRTC, including its security stack.

Is WebRTC Secure?

WebRTC is often described by the industry professionals as the most secure VoIP solution out there.

WebRTC specification requires that all transferred data – audio, video and custom application payloads – must be encrypted end to end while in transit. This is achieved by employing the following protocols:

  • Datagram Transport Layer Security (DTLS) is used to negotiate the secret keys for encrypting media data and for secure transport of application data via SCTP.
  • Secure Real-Time Transport (SRTP) is used to transport audio and video streams.
  • Secure Real-time Control Transport Protocol (SRTCP) is used for delivery of sender and receiver statistics and control information for an SRTP flow.
  • Stream Control Transport Protocol (SCTP) is used to transport application data on top of the established DTLS tunnel.

DTLS is a privacy protocol that is very similar to TLS (SSL), but with a minimal number of modifications to make it compatible with the UDP transport used by WebRTC. DTLS enables a secure data channel between peers that cannot be tampered with. No eavesdropping or message forgery can occur on a DTLS encrypted connection.

SRTP is a secure variant of the standardized format for delivery of real-time data, such as audio and video over IP networks. SRTP media cannot be decrypted by a third party thus ensuring that IP communications across the Internet remain private. In other words, SRTP ensures that WebRTC voice and video traffic will not be heard or seen by unauthorized parties.

Finally, WebRTC is a peer-to-peer technology where calls are established directly between the peers’ devices for lower latency and added security. In some situations, a peer-to-peer call cannot be established and the call data has to travel through the Gruveo’s servers. However, DTLS and SRTP ensure that the call contents cannot be decrypted on the server even in such a scenario.

Text Messaging Security

All text messages on Gruveo are relayed via Gruveo’s secure servers. The messages are relayed to and from client endpoints in encrypted form using TLS (SSL) as part of the WebSocket Secure (WSS) protocol.

Other Important Considerations

The Gruveo website is only accessible via the secure HTTPS protocol.

Endpoint security is out of Gruveo’s control. For example, we cannot detect or prevent a virus running on a client machine from recording the user’s communications, on Gruveo or otherwise.

All Gruveo users are encouraged to choose longer, non-trivial codes for connecting to ensure against a random third party joining under the same code before the intended counterpart does.

Once a call between two parties has been established on Gruveo, no one else can connect to it, even if they enter the same code. Anyone connecting under the same code while you are talking will get a “busy code” message.

We hope that this has been helpful in understanding how Gruveo protects your privacy and security. If you have more questions, please don’t hesitate to contact us right away.

Gruveo Codes Get Human Touch with Letters Now Allowed

Gruveo codes have been numeric ever since we launched the service last year. The main reason was that we felt there was a smaller chance for error when you had to tell someone a Gruveo code verbally.

However, we quickly discovered that there were issues with numeric codes. First, they are hard to remember. Second, they carry no emotional charge, which further contributes to problem #1. And third, lots of new Gruveo users confuse them with telephone numbers that they can somehow “dial”.

Today, we are addressing these issues by allowing Gruveo codes to contain letters as well as numbers. This means that instead of using a faceless “10910” for a call with your friend Joe, you can go for “joe79”, “joesmith” or even “justchillin” as your code.

The new Gruveo codes may contain letters but they don’t have to. So if all-numeric codes is what you are used to, there is no need to change anything.

Gruveo us on #funkybanana, anyone? 🙂

Thank You!

Wow! The past couple of days have been really crazy over here at Gruveo. Shortly after the Gruveo 2.0 launch, the story was picked by a number of major media outlets across the world and we’re currently going through a massive traffic spike. This is what we call a “Lifehacker test” for our servers – thankfully, they are coping just fine.

Over just the past three days, people from 72 countries used Gruveo to make their “world’s easiest” video call. The story about Gruveo landing on Android has been retweeted over 800 times.

But what’s really important to us is this…

Feedback like this is the best possible payoff for the months of hard work we spent developing Gruveo 2.0. This is what keeps us pushing forward to bring the world’s easiest video calls to everyone. And make no mistake, there is even more exciting stuff coming this summer 🙂

Thank you very much for making it all happen!

Hello Android: The New Gruveo Is Live

The big day has finally come and Gruveo 2.0 is live! Starting today, you can make the world’s easiest video calls on desktop and Android. Try it right now:

Click here for the new Gruveo

Just agree with the other person on a code, enter it on Gruveo and you’re talking. As before, all Gruveo calls are secure, anonymous and require no installs or registration. And check out that call quality – we think you will be pleasantly surprised 🙂

But Wait… There’s One More Thing!

Before you dive in and take Gruveo 2.0 for a ride, there is just one thing we’d like to ask you.

We worked hard to make Gruveo 2.0 happen, and now we need your help. Please spread the word about the new Gruveo! Tweet about it, post about it on Facebook or simply make Gruveo an excuse to call an old friend.

Enjoy – and thank you for being a part of this!

Gruveo 2.0 Launch Date Announced

July 15With beta testing in its final stages, we are thrilled to announce that Gruveo 2.0 will go live on Tuesday, July 15. Just to recap, Gruveo 2.0 is a top-to-bottom rewrite that will allow you to make ultra-easy, secure and anonymous video calls on desktop and mobile. You can read more about Gruveo 2.0 here.

We’ve had tons of fun developing Gruveo 2.0 and we are super-excited to finally get it into your hands. Thankfully, the big date is just round the corner!

Feel free to leave a comment below or contact us directly via our contact form if you have any questions about the upcoming update.

First Screenshots

With Gruveo 2.0 just round the corner, we decided to post some screenshots showcasing the goodies of this major upgrade. Enjoy! 🙂

Make the world’s easiest video calls in style.

No plugins required in supported browsers – it just works.

Beautiful responsive design included.

Works in Chrome, Firefox and Opera on desktop and Android. iOS app to follow.

Like what you see? Leave a comment below!

Gruveo 2.0 Is Underway!

Update July 10: Gruveo 2.0 launch date has been announced.

Update July 4: First screenshots of Gruveo 2.0 have been posted. Click here to check them out!

For almost a year now, Gruveo has been a trusted choice for anyone looking to make super-easy and secure video calls. We are constantly searching for ways to improve our service, and we are happy to announce that a big update to Gruveo will go live in the coming weeks.

What Is Changing?

The current version of Gruveo is based on Flash, and while it has served us well, it’s time to say goodbye. The biggest issue with Flash is that it doesn’t work on mobile devices, and limiting an online service to desktop only in 2014 is just crazy.

We are rebuilding Gruveo with WebRTC, a new standard (part of HTML5) that makes in-browser video calling possible without the need for plugins. WebRTC is already supported by Chrome, Firefox and Opera on desktop and Android. An SDK for developing iOS apps exists as well.

Here is what the new version of Gruveo will bring:

  • Superior audio and video quality
  • Desktop support in Chrome, Firefox and Opera
  • Mobile support in Chrome, Firefox and Opera (Android only)
  • iOS app for making calls on iPhone and iPad (scheduled for summer 2014)
  • Secure, encrypted, peer-to-peer video calling that’s based on an open standard.

What Should I Keep in Mind?

The new Gruveo will be free and ultra-easy to use as before, just better and available on more platforms. However, due to switching to a new standard that’s still under active development, Gruveo 2.0 will currently not work in the following popular browsers:

  • Internet Explorer
  • Safari

If you use one of those, you will have to switch to Chrome, Firefox or Opera (desktop/Android) in order to use Gruveo 2.0. Most users won’t have to though: About 80% of Gruveo callers over the past month enjoyed the service in a Gruveo 2.0-compatible browser.

Don’t Miss the Big Day

Use the subscription form in the top right to subscribe to our Gruveo Connect newsletter and be notified when Gruveo 2.0 goes live. Just enter your email address and click “Sign Up”.

Invite Your Twitter Followers to a Gruveo Call

We have rolled out an exciting update to Gruveo that allows you to quickly invite your Twitter followers to a Gruveo call. All you have to do is start a call and then click the “Tweet” button on the connection screen:

Tweet button on the call waiting screen

Here is what your tweet will look like (you can edit it before posting):

A tweet with a Gruveo call link

Whoever clicks your Gruveo link first will get connected to you and the call will begin. Try it today!

P.S. Don’t feel like inventing a number to start a call with? Just leave the “Number” field empty and Gruveo will do that for you 🙂

Gruveo and the Heartbleed Vulnerability

On April 7, the Heartbleed vulnerability was announced which affects certain versions of the popular OpenSSL software package. OpenSSL is used throughout the Internet to enable secure connections (such as the HTTPS protocol).

We take our users’ security seriously here at Gruveo and have taken the necessary steps to weigh the impact of the vulnerability on our service. We are happy to announce that the affected versions of OpenSSL have never been used by Gruveo and thus we have not been susceptible to the CVE-2014-0160 (“Heartbleed”) bug.

Thank you for using Gruveo and rest assured that your security is of utmost importance to us.

Call Quality Improvements

H.264 logoWe are excited to announce an update to Gruveo that introduces significant improvements to the call picture quality. These improvements have been made possible by dumping the old Sorenson Spark codec used for compressing video and replacing it with the newer H.264.

H.264 is a state of the art codec that offers better video at drastically lower bitrates. Using H.264 allowed us to slash Gruveo’s bandwidth requirements almost in half while offering better picture quality. These quality improvements will be even more pronounced on slower connections.

H.264 is more CPU intensive than the old codec, which may become noticeable on older computers. However, most computers these days have no problem processing H.264, and we feel that the gains in call quality are well worth the switch.

Finally, H.264 encoding is supported by Flash version 11.0 and later, so Gruveo’s required minimum Flash version has been bumped from 10.3 to 11.0. That shouldn’t be an issue for most of our users because less than 1% of them have older versions of the Flash plugin installed. If you have an old version of Flash, please upgrade – it’s totally free.

Try the new Gruveo today and let us know what you think in the comments below!