Is a Jitsi-meet server hosted on a VPS, really secure?

I found out that VPS provider normally have access to your data on the server, and also root access (not sure if this is valid for all the VPS providers).

Nevertheless, wish to know how secure audio/chat/video conversations are in the case when Jitsi-meet is on an external server.

And how to eventually improve security: I know a home self hosted solution would be greater security, but this is a bit limited by bandwidth at the moment

I’m not an expert on jitsi but I don’t think I have to be one to answer this question: No, it’s not secure. There is the promise that they are going to add real end to end encryption (by encrypting the frames with a password the server doesn’t know, I don’t know what their plan for audio is) but unfortunately we don’t have this feature yet.

Traffic is encrypted between client and server, but not end to end encrypted. Someone with root access to your server could, if they knew what they were doing, observe and possibly manipulate it.

But, by default, anyone can join a jitsi conference once the room is opened (although you’d see this in the interface), so you’d need to modify that aspect of it too.

(The question really is “is it secure enough for your threat model?” rather than “is it secure?”.)

If I understood correctly, it is end to end encrypted (and peer to peer) if its between 2.
All goes to the server with 3, or more, participant.

Is it so?

And if it is so, can you claim that is totally secure when just 2 people talk/video?

Personally, I wouldn’t claim anything was “totally secure”.

Not even if the server is self hosted?

I would not claim anything was “totally secure”.

More important, though, is whether what you have set up is secure enough for your use case.

1 Like

Why is this more secure?

Like you mention there could be a bandwith restriction. And the connection in a data center has higher speed than a home internet connection. Also there are more hops between your home server and the end user. Which affects the speed and increases the risk of someone listening to the traffic.
Those aren’t about security of the vps though but a performance thing.

Because you own the hardware and only you have access to it.

On a VPS setup your provider may have full access to the OS.

About the hardware you’re right. But the access to your house is easier than accessing a data center. And because it’s full of servers someone has to know which servers belongs to you.
A data center logs who enters the building, has security camera’s, fire extinguishers and 24 hours a day security. If you don’t trust the people of a data center (I assume you pick a center with good reputation) than certainly don’t trust your internetprovider :slight_smile:

because you own the server, and if the video meeting is with 3 or more participant, the video is decrypted on the server, so if you do not own the server the real owner can/could view/record the video call

if its encrypted that should not be a problem wherte the communication goes … no?

If I understood correctly

  • between 2 pariucipants the call is E2E encrypted and p2p, so I guess very difficult if not impossible for “Big Bother” to listen/record
  • between 3 participants the call is E2E encrypted, but not p2p, because the server needs to decrypt the video call, so if Big Brother has access to the server it can listen/record. In this case if YOU own the server the communciation should still be secure

if Big Brother has a warrant he enters wherever he wants. But video/audio if its NOT recorded is only live, if they come inside your house you know it when they come, if they go inside the data center you DO NOT know it when they enter. And they oblige the data center to show which is your server.

The so called “free world” has become more communist then the former communist block in this regard

I get your point and you’re right. If all the horror happens you describe they will inform you when they’re at your door :smiley: And if it comes that far they have contacted your internet provider already to close any connection.
In our case, it won’t come that far because we don’t allow just anybody. Only our customers.

Yes its a live call, if they are at my door I just close the video call :smiley: or if they asked the provider to close the call, well ok, fine, I start a new one after connecting with TOR :stuck_out_tongue:

which is your case?

In my threat model the security risks at my home are inferior to those in a datacenter.
If yours indicates a server in a datacenter is better, go for it.

1 Like