Code With Me security
Code With Me is a powerful tool that gives you an ability to collaboratively work on your code. With that ability comes responsibility to keep your code and level of access secure. The following are questions that might arise when you give access to your computer in the Code With Me session.
How and what data is going through JetBrains' servers?
Your project data is going through JetBrains' servers end-to-end encrypted. The end-to-end encryption is secure only when a host and a guest verify that the security code matches on both ends. Otherwise, the end-to-end encryption is susceptible to MitM.
Local IP addresses, project name, and username are shared without encryption as they are used for letting JetBrains establish a session between a host and a guest. When initiating a new Code With Me session, the host communicates with JetBrains server over TLS1.2+.
Code With Me communicates through an open source distributed protocol created by JetBrains and uses TLS 1.3 for end-to-end encryption.
If you don't want your data to go via JetBrains servers, you can configure the on-premises servers.
What project data is accessed by JetBrains?
JetBrains accesses local IP addresses, project name, and username. JetBrains doesn't access information related to project contents such as sources, project files, config files, because this information is flowing through its servers end-to-end encrypted.
What data is collected during a live session?
JetBrains doesn't inspect or collect any data on the code that is shared during the Code With Me sessions because the information is flowing through the JetBrains servers end-to-end encrypted.
Are any files stored locally on the guest's machine?
No, the shared code resides on the host's machine and is not uploaded to or stored in the cloud or the guests’ computers.
Both the host and guests can collect and store locally log files that include detailed information about the session such as user names, remote addresses with which the connection was established, caret movements, typed symbols, invoked actions, parts of file contents, files opened, file paths, and so on.
What files are accessible by the guests? Are they restricted to a particular working directory?
There are no restrictions in accessing different parts of the host’s project, executing code, or working in the terminal tool window during an active session if the host gives permissions.
How do I use Code With Me behind proxy?
If you work in a local network, you can bypass proxy restrictions by using a private on-premises server.
As an alternative, you can add the following urls to the allowed list:
How do I run a secure Code With Me session as a host?
Share an invitation link to the Code With Me session only with people you trust. Do not accept guests you don't know or you are not sure about to the session. Do not hardcode any sensitive information inside your code such as passwords, usernames, and so on. The level of access you grant in your session should match the level of trust you have for your guests.
How does a host authorise guests to their session?
A host creates an invitation link for the Code With Me session and sends it out to guests. When a guest accepts a link with the security code that matches on both ends, the host confirms the access the Code With Me session. Only after the confirmation the guest is able to join the session.
What can a host control?
As a host, you can control what guests can see and have access to during the session. You can remove guests even after they have accessed the session. You can hide certain files from the access and control the access to the terminal on your computer.
When you create an invitation link, you can configure all of the guest permissions before you send out the invitation link. For more details, refer to the permissions section.
Code With Me provides a hide files feature that allows some parts of the IDE to hide these files for specific guests (for example, the IDE will not indicate or show these files). This feature can be used regardless of the level of guest access. However, this is provided for convenience rather than as a guaranteed restriction, and does not eliminate access possibilities connected with a guest’s use of command line interface functionality.
Can a host change permissions for some of the guests in a session?
Yes, even if permissions are configured for all of the guests before the session, the host can change permissions for individual guests during the Code With Me session.
Can a host limit guest's activity in the full access mode?
Yes, a host can hide certain files from accessing and change permissions for individual guests restricting access during the Code With Me session.
Hosts can set aside files using the "hide" function so they are not easily accessed or found by standard means of access. Each guest collects their own log, but no other storage functionality is provided by Code With Me, although you should be aware that third-party applications can be used to record coding sessions and data.
Are audio / video calls encrypted?
The audio and video calls between two participants are not end-to-end encrypted by default, but it can be enabled in the call security options.
The audio and video calls for more than two participants such as video conferences are not end-to-end encrypted. However, such encryption is in development.
Who has an access to audio or video in the Code With Me sessions?
Only a host and the accepted guests have access to audio and video during the Code With Me session.
Does Code With Me save video, audio, or chat records after the session?
No, Code With Me doesn't save any video or audio calls and doesn't keep any chat records after the session is finished.
Can unauthorized guests join a Code With Me session?
Each guest has to wait for the host approval before they can join the Code With Me session.
Hosts are provided with a security code for each guest; however the host remains responsible for verifying the identity of the guests.
What kind of data does a client persist during a session?
The Code With Me client, along with the settings chosen, persists on each guest's machine.
How is the communication established?
Host and Guest exchange Code With Me session information via API endpoints at https://code-with-me.jetbrains.com
After that, the Guest and Host are trying to connect in the following ways until one succeeds:
Host opens the first available TCP port in 5990-65536 range and waits for the Guest to connect (direct connection);
Host and Guests listen to a random UDP port and try to establish a peer-to-peer connection (p2p connection).
See UDP_hole_punching for a general description.
That's the same method any VoIP client uses (e.g., Skype, Slack, Google Meet, etc.)
As the last resort, Host and Guest try to communicate via JetBrains-provided relays.
Voice and Video calls are going a different route. Video/Voice chat support is provided by Jitsi video conferencing technology.
Host and Guest are trying to establish peer to peer connection.
If it's failed, they'll try to use TURN servers provided by third-party.
Traffic for both p2p and TURN server connection is end to end encrypted.
For calls with more than 2 people, video/voice traffic goes via JetBrains-provided servers.