End-to-End Encryption in Webex

Encryption. We’ve all heard that word, but what does it mean?

Encryption, in short, is the process of encoding data in a certain way so that it’s not easily understand by people who shouldn’t have access to that data. In the security world, there are two types of encryption that matter. Encryption At Rest & Encryption in Transit. Encryption At Rest means that the data is encrypted as it sits on the servers as well as the payload that gets sent to and from its parties. Encryption in Transit is likely a bit more familiar. SSL (Secure Socket Layer) or TLS (Transport Layer Security) are widely used across the internet and in most (if not all) apps you use on a daily basis. Its the process of encrypting the data in transit as it traverses the “wire” from source to destination.


What is E2E encryption?

E2E encryption is a method used to protect the data being sent and received from one party to another in a way that limits the ability for only authorized users to access. It prevents eavesdropping by providers and other entities by the use of encryption keys.


What organizations would use E2E encryption?

Local, State, and Federal Government agencies. Schools, Universities, and Health care facilities.


Why does this matter?

Encryption plays a very important role in how we interact with our work colleagues and potential clients with the use of video conferencing software. Without E2E encryption, all video streams to/from the cloud provider can be viewed. With E2E encryption enabled, the provider sees nothing. If your company requires high levels of security or compliance requirements, this is important.


What encryption capabilities does Webex have?

In a normal Webex Meeting, media streams flowing from a client to Webex servers are decrypted after they cross the  Webex firewall. Cisco can then provide network-based recordings that include all media streams for future reference. Webex then re-encrypts the media stream before sending it to other clients. Webex, like other video conferencing platforms, is not impervious to scrutiny from industry experts and researchers. As recently as January 2020 NIST showcased a large vulnerability present in the 39.11.5 and 40.1.3 versions of  Webex. One big point here is that Webex DOES have E2E encryption capabilities, but not by default. Companies looking to enable E2E encryption must first read the limitations carefully. A good portion of the limitations listed are features you use every day. With E2E encryption, it makes sense why these are no longer available, let’s review:


When E2E encryption is enabled, the following features are not supported:

  • Join Before Host
    • This is due to the host providing the Encrypted Symmetric Key. No host, no key.
  • Telepresence Video End Points (formerly known as Collaboration Meeting Rooms Cloud)
    • This is a huge one. The majority of user join meetings from conference rooms.
  • Webex Meetings Web App
    • Again, another big one. While I don’t know many users join from the Webex Meeting Web App, this hampers the join experience
  • Linux clients
    • <crickets>
  • Network-Based Recording (NBR)
    • NBRs use a form of call forking to create another call leg that gets sent to a server for recording. No key, no recording.
  • Saving session data, Transcripts, Meeting Notes, and etc..
  • Remote Computer sharing
    • The last big issue. Lots of Webex’s are used for sessions that require the presenter giving up their mouse/keyboard to another person. Not possible with Webex E2E encryption enabled.
  • Uploading shared files to the meeting space at the end of the Webex Meetings
  • Personal Meeting Rooms


Why the limitations?

Behind the scenes, the Webex host generates a symmetric key using a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG). From there, it encrypts it using the public key that the client sends, and sends the encrypted symmetric key back to the client. The traffic generated by clients is encrypted using the symmetric key. In this model, traffic cannot be decoded by the Webex server. This End-to-End encryption option is available for Webex Meetings and Webex Support.


How do I enable E2E encryption for my site?

Make End-to-End Encryption Mandatory for Webex Meetings

1 Sign in to Webex Site Administration and go to Configuration > Common Site Settings > Session Types.
2 In the Session Code column, click the link for each of your site’s custom session types one-by-one, and check the End-to-End Encryption check box. Then select Update. For any new custom session types that you create, be sure to check the End-to-End Encryption check box.
3 After you update the custom session type, check the Default for New Users check box for the session type you just updated, and select Update.

Make End-to-End Encryption Optional for Webex Meetings

1 Sign in to Webex Site Administration, go to Configuration > Common Site Settings > Session Types.
2 In the Session Code column, locate the primary session type you want to create a custom session type for.
3 Select the Add session type for <session type> link.
4 Enter a name for the custom session type.
5 Check the box in the Features column next to End-to-End Encryption and select Add.
6 To enable the session type for specific users, go to User Management > Edit User and check the box for those users under the session type you just created. Those users will have the custom session type available under Meeting type when they schedule meetings using the Advanced scheduler.


Why Webex?

Webex offers a medley of different options to enable your users (who need it) to use E2E encryption on an as-needed basis. Whether your users are scheduling Happy Hour COVID-19 this week or a super secret board meeting requiring E2E encryption, feel good in knowing that while limited in capabilities when enabled, Webex is fully transparent in what it can and can’t do.


If you have any questions or concerns, please reach out to alutz@cloverhound.com. Thanks!