Is Talky truly secure?

Talky Kickstarter is live

At &yet, we take privacy and security seriously. We even have a dedicated security team (Lift Security) that performs security audits for many well-known companies.

Talky security is more than just making sure the “lock” icon is present in your browser’s tab for your Talky.io session. It involves that, but also the connection between your browser and other people in the session, which can be direct (for one-to-one calls) or through the Jitsi Videobridge (for multi-party calls). Another aspect of security is what we do with any information gathered during the session, such as logging and log storage.

To answer these questions we need to examine the two primary ways Talky is used—making a one-to-one call with someone else or making a many-to-many call.

Both the one-to-one and many-to-many call types first require you connect with your browser to the Talky.io website. This connection is protected using industry-standard Transport Layer Security (TLS). During this connection we record your IP address and your browser’s UserAgent (e.g., Chrome or Mozilla). This information is logged to disk and stored for a maximum of 7 days.

After you connect to the website, your browser downloads JavaScript code for the Talky application. If you decide to join a session on the “hair check” page, your browser then uses XMPP (Extensible Messaging and Presence Protocol) for “command-and-control” purposes. This XMPP connection is also fully encrypted using TLS.

Most of the features we support in Talky use standard XMPP extensions for things like call signaling or exchanging messages. There are a few things we do that aren’t yet standardized, but we’re working to standardize them through the XSF (XMPP Standards Foundation). All of the data transferred is fully auditable by checking the network console, as the protocol is fully documented.

When the second person joins the Talky room, the signaling information from both sessions is shared via the XMPP connection. The respective browsers will then make a WebRTC connection using Perfect Forward Secrecy if supported (which it is both in Chrome and Firefox). If the browsers are unable to make a direct connection for voice and video because of NATs and firewalls, then a relay TURN server will be used. All connections established via the TURN server are encrypted during transit and the data retained in memory only.

If no other people join the room then the Talky session is end-to-end encrypted with zero information about the voice and video data being stored or logged.

If any other person connects to an active Talky session, then the other sessions in that room will receive an event via their XMPP connection that the room is changing to a many-to-many session and the client will start connect to the Jitsi Videobridge that we run. We use a media bridge in the multi-party case so your browser doesn’t need to encode video streams to every other participant (which uses a lot of bandwidth and CPU, and therefore doesn’t scale up very well).

Each browser now connects to an assigned Jitsi Videobridge using a variant of TLS called DTLS (Datagram Transport Layer Security). In order to do its job, the bridge needs to decrypt the voice and video data sent to it. However, the encryption keys are not persisted to disk and are only available in memory. We also do not log or store any session data on the media bridge server—the voice and video data is decrypted only in memory.

Please be aware if you are connecting to Talky.io using one of the mobile clients and have enabled the sending of Crash Reports, some of the data will be stored and accessible by the mobile vendor as the Crash Reports are stored on the vendor’s system.

More details are available in the Talky privacy and security policy. And, as always, let us know if you have questions about Talky or any other &yet service.

Want to know more about Talky? Visit Talky.io and check out our Kickstarter to take our video chat service to the next level.

You might also enjoy reading:

Blog Archives: