In May 2016, Collaborate Classic was under investigation as part of a general Security Audit at a gov customer organization, which has run Classic successfully since the days of Elluminate. Sadly, Collaborate Classic was severely ranked down in the security audit due to Win Launcher's weakness, while
- Collaborate servers (*.bbcollab.com) reached A+ ranking finally
- Collaborate Classic's basic Java webstart mechanism was quoted to be safe by design
(say client operation! SAS operation is a different chapter of the story, as it requires Java applets)
I'm not allowed to provide any concrete details here, as community "ideas" posts might be public access. However, BtB support advised me to provide my proposal here, as this is the standard business process for any product enhancement request.
Sorry for being that cryptic.
Collaborate product management may revise those BtB support cases for details
- #02323240 - Questions about Collaborate Classic's cryptographic security (main case, contains my solution proposal)
- #02359656 - Clarify Selection of Launcher vs. Java JRE (quick workaround for the customer)
- #02386498 - JRE usage recommended for Collab Classic (contains my solution proposal)
All I can say:
- Collaborate Classic operation was NOT claimed to be unsafe in terms of a special new vulnerability or similar, which might expose anyone to cyber attacks. Relax!
- Collaborate Classic service is just failing compliance with the rules of German Cybercrime Defense for mission-critical organizations. The failure is a matter of well-known basic IT security knowledge. Any skilled security admin would understand this. Therefore, my solution proposal might be relevant for any organization using Collaborate Classic.
- Collaborate Classic might achieve the auditor's A rank in total, if Collaborate development provides some Launcher improvements ASAP.
I did report this first on June 10th 2016 in the main case given above.
- Blackboard's latest Collaborate Win Launcher v1.6.3 does not implement these changes yet!
- Until a hardened Launcher is available, this particular customer is forced to use Collaborate Classic under hard restrictions only, including:
  - Any Windows participant's browser used to access Collaborate sessions should adopt my workaround for using the Java JRE instead of Win Launcher. My workaround automatically forces the Collaborate servers to provide JNLP files instead of COLLAB files.
  - Due to Collaborate Classic's issue with the latest Java RE, Collaborate participants need to downgrade their current JRE to v.8u92.
  - Any participant is advised to further ignore any Launcher download offers from their Collaborate datacenter.
  - Future Win Launcher installation packages must be distributed internally from the BtB admin section's download source only.
    (The Admin Launcher 1.6.3 zip download contains both the admin launcher and the user launcher.)
As you might imagine, these restrictions generated some hassle within the customer organization. As this is a general Cybercrime Defense matter, the bad ranking may also affect Blackboard's general reputation as a leading SaaS provider dealing with top-level security constraints.
Apologies again for having posted such a kind of "idea" here.
I welcome any feedback from the community, but primarily request some advice from Collaborate product management on how we might best proceed with this issue.
Let me answer one possible comment in advance:
No, Collab Ultra is currently not an alternative for this customer. I tried this approach first ;-).
They decided to choose Elluminate years ago due to its unique features, which did not join Ultra's development roadmap.
Product Version (if applicable): 1