Jistsi's security problem by design

I have been running an instance for quite a while. It usually works great except for this problem:

When you are hosting a meeting, it becomes a race of who logs in first to have admin powers. Not only that, If I win the race, and I am the Admin of the meetin, and all of the sudden my internet / computer goes down, I can re log, but I am no longer the Admin.

This issues can potentially give the meeting control to someone undesired.

Andy ideas?

Welcome to the forum.

This is not a ‘security problem’, it’s actually just the way meet.jit.si is set up. Meet.jit.si is a fully-functional demo site that allows anyone to use it in moderator-status. So, everyone in the meeting has moderator-level rights. This is by design to allow everyone access to all of Jitsi’s features (which is only possible by having moderator rights).

If you want more control over Jitsi, you either have to spin your own server or subscribe to 8x8 (they have an incredible promo now for just 99 cents a month).

Thanks for the quick answer, I did mention I am running my own server… It still behaves that way, There must be then some configurations that I am not aware of.

Aaaaah my apologies, that totally skipped me.

Yes, you need to implement Secure domain to control who can start meetings on your server e.t.c… Once you set it up, only an authenticated user (a.k.a. moderator) can start meetings, so no one can get into a meeting room before that user. Check instructions here on how to - https://jitsi.github.io/handbook/docs/devops-guide/secure-domain

1 Like