By absolute chance, I have come across this 2-year-old post:
This sounded pretty thrilling from a security point of view, so I went
ahead and checked the situation on my Jitsi 2.4.4997, which I am
running on Windows 7. I was SHOCKED that in the path:
there are .xml files, which contain the chat history in plain text!!!
And this is a huuuuge security hole!!! Why bother to implement
all those ultra-secure protocols and encryption??? The good hackers
are always going the easiest way - why crack the encryption, when
all I need is AVAILABLE on the ultra-weak Windows PC!! So, anyone
who is able to hack himself into a Windows system can obtain the
contents of all the conversations!! I understand very well that it is
possible to turn chat logging off, but from a security point of view, NO
logging should be the DEFAULT option!! And only users who insist
on having chat history can enable it, and at this point, a HUGE warning
dialog should come up, showing that chats are saved in plain text and
the conversation is only as secure as the current computer is!!
Or even further - if you insist on storing chat logs, why aren't they
stored in encrypted format???
Yes, there is an option for everything, but how many % of the users
will not check all the Jitsi options (which are quite a lot!)? And will
put themselves at security risk? And this issue was discovered
2 YEARS ago and nothing has been done yet? I am shocked...
So, guys, please take care of this HUGE issue right with the very next
version of Jitsi!! What a wonderful program, but it can be even better!!
Many thanks t