Why is RingCentral for Mac trying to access pubsub.pubnub.com?

  • 0
  • 1
  • Question
  • Updated 3 years ago
  • Answered
  • (Edited)
I use Little Snitch to monitor network activity on my Mac -- it reports that the RingCentral for Mac application tries to access pubsub.pubnub.com (54.236.3.173 -- which is actually a system in AWS cloud) on port 80.

Does anyone know why it's doing this?  I can't find anything on the RingCentral website except for some references to pubnub embedded in the HTML of one page.
Photo of Jeff Frontz

Jeff Frontz

  • 356 Points 250 badge 2x thumb

Posted 3 years ago

  • 0
  • 1
Photo of Brandon

Brandon, Champion

  • 24,740 Points 20k badge 2x thumb
PubNub is a platform used for things like secure messaging and voip applications.  It is nothing to be concerned about in general. https://www.pubnub.com/solutions/
Photo of Jeff Frontz

Jeff Frontz

  • 356 Points 250 badge 2x thumb
In general, I'm concerned about everything ;-)
Photo of Brandon

Brandon, Champion

  • 24,740 Points 20k badge 2x thumb
I get that, but welcome to the modern internet :)  This is the way most modern applications, especially real time communication apps work now.  It is rare to have a one to one client to server relationship anymore.  Facebook, Whatsapp, etc. all bounce through services like this around the globe.  
Photo of Jeff Frontz

Jeff Frontz

  • 356 Points 250 badge 2x thumb
And that's fine, when those apps are sandboxed in iOS -- and when they're not being used for business purposes.  A promiscuous app on a business desktop is a bit more concerning.
Photo of Mike

Mike, Official Rep

  • 94,178 Points 50k badge 2x thumb
Also...

Port 80 and 443 TCP only (These ports are used for initial phone provisioning)

For all network requirements visit: Network requirements
Photo of Jeff Frontz

Jeff Frontz

  • 356 Points 250 badge 2x thumb
It's more than a bit disconcerting to see one company's app open a connection to a third-party location, especially without an explicit mention of this in any documentation.  As a security-conscious person, my first thought was "OMG, does RingCentral have some sort of spyware/trojan infecting their SDK?"

That the app seems to behave fine when the connection is denied makes me even more suspicious.
(Edited)
Photo of Brandon

Brandon, Champion

  • 24,738 Points 20k badge 2x thumb
I suspect *something* in the app will not work or be degraded if that is blocked.
Photo of Jeff Frontz

Jeff Frontz

  • 356 Points 250 badge 2x thumb
It'd be ideal if RingCentral would be forthcoming about what feature(s) are dependent on being able to access which third-party services.  If pubsub is required for, say, salesforce integration, I can sleep easy leaving it blocked.  But, really, they're going to get asked this all the time going forward, as more and more network administrators lock down their networks/applications to prevent side-channel information disclosure.
Photo of Mike

Mike, Official Rep

  • 94,148 Points 50k badge 2x thumb
Hi Jeff,   I understand your concern. I've double-checked with one of our Tier 3 engineers and for this particular issue, pubnub is a partner we use for the HUD feature. 

The combined architecture of the RingCentral Desktop app, RingCentral Meetings and Glip is extremely complex, and it does require Network preparation in order for all services to correctly function.  So, if you ever see anything you are curious about again, please feel free to post here again or give us a call. 

Thanks!

Mike 
Photo of Jeff Frontz

Jeff Frontz

  • 356 Points 250 badge 2x thumb
OK, thanks Mike -- it looks like the HUD feature was optional at some point (https://success.ringcentral.com/articles/RC_Knowledge_Article/8212 ) -- is there some different way to disable it on the more recent desktop application?
Photo of Mike

Mike, Official Rep

  • 94,148 Points 50k badge 2x thumb
If you go to the Settings screen, and click Calls, you'll see a switch to turn it off. 

Photo of Jeff Frontz

Jeff Frontz

  • 356 Points 250 badge 2x thumb
OK, got it -- I disabled it and restarted the app; attempt to connect to pubsub persists (I confirmed that it was still disabled after restarting the app).
Photo of Mike

Mike, Official Rep

  • 94,148 Points 50k badge 2x thumb
I'll have to check with engineering.  I don't know for sure if that switch actually disables the communication to pubnub, or, there's also a chance that it softphone reaches out to them for some other functionality.  

Mike 
Photo of Jeff Frontz

Jeff Frontz

  • 356 Points 250 badge 2x thumb
Any news on this?  Also, I just noticed that the connection to pubnub is via HTTP (rather than HTTPS).  Does that represent a security vulnerability (i.e., can the session be hijacked by a "man in the middle")?  That pubnub may be used for some other functionality (and seemingly isn't using a TLS-secured connection) makes me even more worried.
(Edited)
Photo of Mike

Mike, Official Rep

  • 94,148 Points 50k badge 2x thumb
Jeff... I haven't been able to find anything else out on this. I think it might be best for you to open a support case and include your findings in the case so that it can be escalated to the appropriate area for research/explanation. 

Photo of Jeff Frontz

Jeff Frontz

  • 356 Points 250 badge 2x thumb
I haven't had much luck getting anything resolved via support cases (I just get lots of phone calls to my legacy PSTN line from RingCentral "handlers" who seem to be script-reading tier-0 folks put on the case purely to satisfy some metric of having "reached out to customer" but having no ability to investigate/resolve anything -- then the case goes dormant).  But I'm willing to try again...
Photo of Jeff Frontz

Jeff Frontz

  • 356 Points 250 badge 2x thumb
Case Number: 05807980
Photo of Mike

Mike, Official Rep

  • 94,148 Points 50k badge 2x thumb
Thanks Jeff... If you don't feel it's progressing in a satisfactory manner, just reply here and we'll step in and help you out.

Mike
Photo of Brandon

Brandon, Champion

  • 24,738 Points 20k badge 2x thumb
PubNub is a legitimate company and I am sure RingCentral is a customer of theirs and uses their services to provide various features in their apps.  I am not clear on your concern.  Do you just want someone from RC to tell you this authoritatively that traffic to/from the RC app and PubNub is normal and expected?
Photo of Jeff Frontz

Jeff Frontz

  • 356 Points 250 badge 2x thumb
Just had my support ticket closed with "This is case would be best handle by our developer team. Please send an e-mail to devsupport@..."

Awesome sauce.


P.S.  The pubnub "blog" post seems to be for folks with a pubnub account who want to access the ringcentral API, not for people with a ringcentral desktop app who just want to use ringcentral services.
Photo of Brandon

Brandon, Champion

  • 24,738 Points 20k badge 2x thumb
I am still not clear on your concern.  Do you just want someone from RC to tell you authoritatively that traffic to/from the RC app and PubNub is normal and expected?Because I am quite sure it is.  BTW, you will see this same behavior with many other similar apps and of course web sites too.  Try visiting a news site or Facebook, etc without calls to dozens of CDNs, ad networks and servers around the world.
Photo of Jeff Frontz

Jeff Frontz

  • 356 Points 250 badge 2x thumb
I'm well aware of what other web-based applications might do -- however, they execute in a controlled/sandboxed environment of a browser (or smartphone), not in a standalone desktop application; they also use HTTPS and are bound by browser-enforced origination rules (segregating information to prevent disclosure).  Further, Ringcentral is a business telephony service that I pay for, not a social-networking ad-based toy; there are thus higher standards for confidentiality and authentication.  I'm not sure what "similar apps" you're talking about, but I'm unaware of any SIP-based requirement to make HTTP[S] connections to a third party in order to do call processing.

I'd like definitive answers to:
  1. Is the pubnub connection required only for the HUD as previously mentioned by Mike above (and listed here) or, seeing as how the desktop app still tries to make the connection even if the HUD feature is disabled, is it required (as Mike postulated in another response above) for the other/core functionality of the ringcentral desktop app?  Mike said he would "have to check with engineering" about this; after not hearing anything for 6 months (and having gone through at least one update to the MacOS-based ringcentral desktop app), I ping'd this chain to see if there was any updated information.
  2. If the pubnub connection is required only by HUD, why does the app persist in trying to make the pubnub connection even if the HUD feature is disabled in the app?
  3. If the pubnub connection is actually required for ringcentral POTS/fax/SMS (or even if it's merely for HUD), shouldn't it be using HTTPS (instead of HTTP) to ensure security (confidentiality/authenticity) or is there some other mechanism at play (e.g., nonces/application-level encryption/signatures)? I'm seeing URIs that seem to contain session identifiers (which makes me suspect that the sessions can be hijacked).
  4. If the pubnub connection is required for anything other than HUD, why is it not listed in the aforementioned "network requirements" documents?
I don't want speculative answers; I'd like to hear from someone who knows (or who has talked with someone who knows).  Having worked for the better part of 3 decades in telecom (at Bell Labs, Lucent, AT&T, Acme Packet, etc.) and having worked in computer/communications-security in/since grad school, I'm sincerely hoping that there are folks at RingCentral who have thought about all of these questions -- I'd like to hear answers from them.
Photo of Mike

Mike, Official Rep

  • 94,178 Points 50k badge 2x thumb
Official Response
I confirmed with our Tier 3 engineers that this is legitimate.

Hello,

Pubnub is the 3rd party vendor we use for HUD updates on the softphone. This applies not only to the MAC version but the Windows version of the desktop app as well. So, the traffic seen going to and from their servers is for that specific feature.

 

Thanks,

-Justin

Tier 3 Support Engineer

Photo of Jeff Frontz

Jeff Frontz

  • 356 Points 250 badge 2x thumb
Thanks, Mike -- so the confusing thing remains: that even with the HUD feature disabled in the app, the connection attempt persists.

I'll continue to block pubnub connections from my network and hope that the desktop app is updated to pay heed to the HUD-enabled state before it attempts a pubnub connection.