On April 7, the Heartbleed vulnerability was announced which affects certain versions of the popular OpenSSL software package. OpenSSL is used throughout the Internet to enable secure connections (such as the HTTPS protocol).
We take our users’ security seriously here at Gruveo and have taken the necessary steps to weigh the impact of the vulnerability on our service. We are happy to announce that the affected versions of OpenSSL have never been used by Gruveo and thus we have not been susceptible to the CVE-2014-0160 (“Heartbleed”) bug.
Thank you for using Gruveo and rest assured that your security is of utmost importance to us.
We are excited to announce an update to Gruveo that introduces significant improvements to the call picture quality. These improvements have been made possible by dumping the old Sorenson Spark codec used for compressing video and replacing it with the newer H.264.
H.264 is a state of the art codec that offers better video at drastically lower bitrates. Using H.264 allowed us to slash Gruveo’s bandwidth requirements almost in half while offering better picture quality. These quality improvements will be even more pronounced on slower connections.
H.264 is more CPU intensive than the old codec, which may become noticeable on older computers. However, most computers these days have no problem processing H.264, and we feel that the gains in call quality are well worth the switch.
Finally, H.264 encoding is supported by Flash version 11.0 and later, so Gruveo’s required minimum Flash version has been bumped from 10.3 to 11.0. That shouldn’t be an issue for most of our users because less than 1% of them have older versions of the Flash plugin installed. If you have an old version of Flash, please upgrade – it’s totally free.
Try the new Gruveo today and let us know what you think in the comments below!
Update August 15, 2014: The below post applies to an earlier version of Gruveo that used Flash. Click here for a detailed review of the current version’s security.
2013 has brought revelations about the massive scale of US surveillance on Internet communications. People all over the world learned that most of their Internet activities are routinely logged, recorded and analyzed. In light of these revelations, we at Gruveo feel that it’s our duty to explain to our users how their calls are protected and what mechanisms we use to ensure the security of their Gruveo communications.
The first thing to note is that wherever possible, all Gruveo calls are established using the so-called peer-to-peer (P2P) technology where data flows directly between the users’ computers. Almost by definition, the absence of a middle point relaying your calls means that it’s harder for a third party to intercept them.
Whether a call is established using P2P is determined by the firewall configuration of the particular pair of users. If a call cannot be established via P2P, it is relayed using our secure servers. Gruveo is quite good in “piercing” firewalls to establish P2P calls, however: 63.1% of the past month’s calls were established over peer-to-peer.
The decentralization brought by peer-to-peer is just part of the story. No matter if your call is established via P2P or not, it is encrypted end to end as part of the RTMFP protocol (P2P), or RTMPS/RTMPTS (non-P2P). In RTMFP, all network traffic is encrypted using 128-bit cipher. RTMPS/RTMPTS rely on the industry-standard SSL standard for traffic encryption.
Last but not least, given how Gruveo connects users, isn’t it possible that someone else can connect to your call just by accidentally entering the same number while you’re talking to somebody? The answer is no – once a Gruveo call is established, it is “sealed” and anyone entering the same number will create a new session just as if your call didn’t exist.
We have just rolled out an important update to Gruveo that focuses on improving call stability and quality. You will automatically enjoy this latest version of Gruveo the next time you log on to www.gruveo.com. However, if that doesn’t happen and you start experiencing issues establishing calls, just clear your browser’s cache and restart your browser.