Security Overview
The most effective way to keep your data private and secure is to focus on the fundamentals. Glance has adopted the following security practices.
Do not store data unless it’s needed
The surest way to keep data private is to not gather or store it in the first place. Glance only gathers and stores data if there’s a clear operational need for it.
Password security
We do not store user passwords. Instead, we store password hashes, computed with the industry-standard bcrypt hashing algorithm and 16-character random salts. This scheme makes it extremely difficult for bad actors to recover passwords from stored hashes. Glance also enforces password-complexity rules.
Nevertheless, Glance strongly encourages you to use industry-standard Single Sign-on (SSO) mechanisms, such as SAML 2.0, to eliminate the need for Glance to store your passwords.
Cross-site scripting security
The Glance web application is built to resist attack. We use locked-down dedicated web servers and database servers, with all unnecessary features removed to reduce the attack surface. Glance has development policies and tools in place to create code that resists injection, cross-site scripting, and request-forgery attacks.
Glance uses cryptographically random session keys with automatic expiration to resist credential-replay attacks. We store only hashed passwords, hashed according to current security best practice (bcrypt with 16-character random salts). Each customer may select their own password-complexity standards. Glance’s architectural design prohibits the downloading or uploading of any data to the session servers.
Glance uses a host-based intrusion detection system to identify suspicious behavior. Server updates and patches are applied on weekly and monthly cycles, according to the severity of the issues they address. Because attack vectors are always evolving, Glance tests its application for vulnerabilities at least twice a year with the latest version of tools such as BurpSuite and ZAPScan. All vulnerabilities are repaired as they are uncovered. Security policies are endorsed by the CTO.
Information Storage
Glance Networks stores details about each session, but only session metadata; it does not store any data from the session itself.
Glance stores the following session metadata:
- start time
- stop time
- number of guests that join the session
- participants’ Internet Protocol (IP) addresses, from which it is possible to infer geographic location.
- the Glance URL (Agent Glance Address)
- the Session Type (whether a Cobrowse or a Screen Share session)
Internal Glance Monitoring
If requested by a customer via written correspondence, an authorized Glance Super-user can join an active session for the purpose of testing or monitoring activities. Glance requires the unique session ID and the Glance user address to locate and join that session. We do not actively monitor any sessions and make it a practice to not join any session unless otherwise required by our customers.
Glance cobrowsing has the capability to escalate sessions from one-to-one to many-to-one. This enables an agent to invite another authorized agent to join the in-process Cobrowse session. Doing this means the agent may escalate the conversation from one agent to two agents and have a soft handoff with the end-customer.
Firewalls and Proxies
Glance Screen Share automatically detects and works with most proxy server and firewall configurations, identifying the best protocol for each participant’s network environment without requiring adjustments by technical staff.
Each participant reaches the Glance Screen Share service with an outward-bound connection, using TLS to port 5501. If that attempt is denied or times out, Glance Screen Share tunnels HTTPS to the standard port 443. Since a direct TLS connection is more efficient than tunneling over HTTPS, a company that blocks port 5501 might consider adding a firewall rule that allows outbound connections to that port on the glance.net servers. Contact Glance support (support@glance.net) for a list of IP ranges and ports.
Glance Cobrowse and Glance Video session servers use secure https and WebSocket connections to communicate with browsers.
Auto Reconnects
Some Glance participants may have slow or unreliable Internet connections, due to a weak wireless signal, spotty mobile service, an unresponsive proxy server, or an interfering network security device.
If the connection drops or times out, Glance automatically attempts to reconnect for up to two minutes. Should the problem persist, Glance tunnels over HTTP/HTTPS.
Encryption
Glance encrypts almost all sessions. Session traffic between each participant and the Glance service uses modern Transport Layer Security (TLS) technology.
Each participant’s computer or mobile device uses TLS to negotiate the connection’s cipher suite and key length. Glance also sends each participant a digital certificate, signed by DigiCert or Thawte. The participant’s browser validates it against the issuing certificate authority to confirm Glance’s identity before proceeding. Each connection is then encrypted using the strongest method the corresponding participant supports. SSL, TLS versions earlier than TLSv1.2, and earlier transport security standards are obsolete and disallowed by all Glance servers.
Any participant that cannot establish a secure connection to an encrypted session is denied entry.
Call Records
Glance archives various metrics about each session:
- Each participant’s Internet Protocol (IP) address, from which it is possible to infer geographic location.
- Each participant’s entry and departure times, and total duration.
- Guest’s contact info (name, email address, phone), when gathered by request of the session host and supplied by the guest.
The session host or their group’s administrator can view or download these records in CSV format by logging into the My Account area. These metrics cannot be edited or altered. All My Account browser sessions are secured by HTTPS.
Glance expunges IP addresses from Call Detail Records when they are three months old and guest contact info when it is six months old. Call Detail Records are deleted entirely when they are two years old.
Glance never stores or records the content of sessions.
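The retention rules above (IP addresses expunged at three months, guest contact info at six, the whole Call Detail Record at two years), applied to a constructed record as an added example that is not Glance’s own code; the field names, the calendar-month age calculation and the sample values are assumptions:

```python
from datetime import date
from typing import Dict, List, Optional

# Retention thresholds stated on the page, in whole calendar months.
IP_RETENTION_MONTHS = 3        # participant IP addresses expunged at three months
CONTACT_RETENTION_MONTHS = 6   # guest name/email/phone expunged at six months
RECORD_RETENTION_MONTHS = 24   # whole Call Detail Record deleted at two years

IP_FIELDS = ("host_ip", "guest_ip")
CONTACT_FIELDS = ("guest_name", "guest_email", "guest_phone")

Record = Dict[str, Optional[str]]

def make_record(session_id: str, start_iso: str) -> Record:
    """Constructed sample record (not Glance data); IPs are from documentation ranges."""
    return {"session_id": session_id, "start": start_iso, "host_ip": "198.51.100.10",
            "guest_ip": "203.0.113.7", "guest_name": "A. Guest",
            "guest_email": "guest@example.com", "guest_phone": "555-0100"}

def age_in_months(start_iso: str, today_iso: str) -> int:
    """Completed calendar months between the session start date and today."""
    start, today = date.fromisoformat(start_iso), date.fromisoformat(today_iso)
    months = (today.year - start.year) * 12 + (today.month - start.month)
    if today.day < start.day:      # the current month has not completed yet
        months -= 1
    return months

def apply_retention(record: Record, today_iso: str) -> Optional[Record]:
    """Redacted copy of one record, or None once the whole record must be deleted."""
    age = age_in_months(record["start"], today_iso)
    if age >= RECORD_RETENTION_MONTHS:
        return None
    redacted = dict(record)         # the archived record itself is never edited in place
    if age >= IP_RETENTION_MONTHS:
        for field in IP_FIELDS:
            redacted[field] = None
    if age >= CONTACT_RETENTION_MONTHS:
        for field in CONTACT_FIELDS:
            redacted[field] = None
    return redacted

def run_retention(records: List[Record], today_iso: str) -> List[Record]:
    """Batch pass over a CDR export: expired records dropped, the rest redacted."""
    kept = (apply_retention(rec, today_iso) for rec in records)
    return [rec for rec in kept if rec is not None]
```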
Glance TLS Support
Encryption uses a protocol standard known as Transport Layer Security (TLS), the mechanism by which Glance (and other web applications and web properties) keeps your information, and your customers’ information, private and intact on the internet.
When you access Glance with a web browser, you use the https: prefix on web addresses; for example, you can log in to Glance by visiting https://www.glance.net/login. The https: prefix causes your web browser and our servers to exchange encrypted information over the internet connection between them. The same happens when you use your integration software and our servers to exchange information.
Glance accepts TLSv1.2+.
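The connection order from Firewalls and Proxies (direct TLS to port 5501, then an HTTPS tunnel to port 443 if that is denied or times out) combined with the TLSv1.2+ and CA-validated certificate policy above, written as a Python client as an added example that is not Glance’s client code; the timeout value, the simulated dialer and the rule that only network-level failures trigger the fallback are assumptions:

```python
import socket
import ssl
from typing import Callable, Set

# Connection order from the page: direct TLS on 5501 first, then an HTTPS
# tunnel to 443 if 5501 is refused or times out. The timeout is an assumed value.
GLANCE_PORTS = ((5501, "direct TLS"), (443, "HTTPS tunnel"))
CONNECT_TIMEOUT = 5.0

def strict_client_context() -> ssl.SSLContext:
    """Client policy matching the page: TLSv1.2+, CA-validated certificate, hostname check."""
    ctx = ssl.create_default_context()             # system trust store, CERT_REQUIRED, check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSLv3, TLS 1.0 and TLS 1.1 are never offered
    return ctx

def allowed_versions(ctx: ssl.SSLContext) -> list:
    """Names of the protocol versions this context is still willing to negotiate."""
    candidates = [ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                  ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]
    return [v.name for v in candidates if v >= ctx.minimum_version]

def network_dial(host: str, port: int, ctx: ssl.SSLContext, timeout: float):
    """Real dialer: TCP connect with a timeout, then a verified TLS handshake."""
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)

def simulated_dial(blocked_ports: Set[int], handshake_fails: bool = False) -> Callable:
    """Constructed offline stand-in for network_dial, to exercise the fallback logic."""
    def dial(host, port, ctx, timeout):
        if port in blocked_ports:
            raise socket.timeout(f"port {port} filtered (simulated)")
        if handshake_fails:
            raise ssl.SSLError("certificate verify failed (simulated)")
        return f"tls://{host}:{port}"
    return dial

def connect_with_fallback(host: str, ctx: ssl.SSLContext, dial: Callable = network_dial,
                          timeout: float = CONNECT_TIMEOUT):
    """Try 5501, then 443. Only network failures trigger the fallback; a handshake or
    certificate failure is raised at once so the TLS policy is never weakened to get through."""
    errors = []
    for port, label in GLANCE_PORTS:
        try:
            return port, label, dial(host, port, ctx, timeout)
        except ssl.SSLError:
            raise                       # participant denied entry, no downgrade attempted
        except OSError as exc:          # refused, unreachable or timed out
            errors.append(f"{label} on {port}: {exc}")
    raise ConnectionError("; ".join(errors))
```

With the real dialer, a firewall that permits only port 443 shows up as a "direct TLS on 5501" entry in the error list before the tunnel succeeds, which is the signal to add the outbound rule the page suggests.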
If you use the Glance Client and experience any issues, verify you are using a modern browser.