[jitsi-dev] BIG SECURITY issue (maybe already known)


#1

Hello,

By an absolute chance, I have come across this 2-year-old post:

http://markmail.org/message/ciszy5z2cevs3ni3

This sounded pretty thrilling from a security point of view, so I went
ahead and checked the situation on my Jitsi 2.4.4997, which I am
running on Windows 7. I was SHOCKED that in the path:

C:\Users\<myuser>\AppData\Roaming\Jitsi\history_ver1.0

there are .xml files which contain the chat history in plain text !!!
And this is a huuuuge security hole !!! Why bother to implement
all those ultra-secure protocols and encryption ??? The good hackers
always go the easiest way - why crack the encryption, when
all I need is AVAILABLE on the ultra-weak Windows PC!! So, anyone
who is able to hack himself into a Windows system can obtain the
contents of all the conversations !! I understand very well that it is
possible to turn chat logging off, but from a security point of view, NO
logging should be the DEFAULT option !! And only users who insist
on having chat history can enable it, and at this point a HUGE warning
dialog should come up, showing that chats are saved in plain text and
the conversation is only as secure as the current computer is!!
Or even further - if you insist on storing chat logs, why aren't they
stored in encrypted format ???
Yes, there is an option for everything, but how many % of the users
will not check all the Jitsi options (which are quite a lot!) ? And will
put themselves at security risk ? And this issue was discovered
2 YEARS ago and nothing has been done yet ? I am shocked...

So, guys, please take care of this HUGE issue right with the very next
version of Jitsi !! What a wonderful program, but it can be even better!!

Many thanks t


#2

Hi Symon,

When using OTR, Jitsi (at least the nightlies) informs the user about logging and that it can be turned off.

One point with the encryption in OTR is the protection against eavesdropping on your communication when your messages travel the network, and especially on intermediate Jabber servers where the messages would otherwise be in plain text. So there is a point with secure protocols.

Also if somebody can hack into your running system there is not much that could have been done to protect your logs anyway.

Personally I would not run an ultra-weak Windows PC for any reason.

Regards,
Markus

On 22 August 2014 01:35:42 CEST, Symon Cooper <regaeton@ymail.com> wrote:

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.


#3

Hi Symon,

I don't know the actual reason but I would guess that it just hasn't
been implemented.

You can have your account passwords encrypted based on a password that
you type in every time you start Jitsi, so some of the infrastructure is
already there.

However, having full-disk encryption, I am not so concerned with my chat
history in case my laptop gets lost.

And as said, if your computer is hacked while running, the encryption key,
being in memory (unless you use a hardware token or some OS-level
support), could anyway be recovered, so that does not protect your logs
completely anyway.

Cheers,
Markus


On 2014-08-24 23:29, Symon Cooper wrote:

Hello Markus,

many thanks for answering me, I totally agree with what you said...
Please just kindly let me know why Jitsi is not encrypting
the logs, but is saving them in a plain-text .xml file?
That is the only thing I can't get here...

Thanks a lot!

On Saturday, August 23, 2014 10:07 PM, Markus Kilås <subjunctive.post@gmail.com> wrote:

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.