[jitsi-dev] Fwd: RE: SSL Security Concern


Ingo is currently unable to access e-mail so he has asked me to resend these on his account:


-------- Original Message --------
Subject: RE: [jitsi-dev] SSL Security Concern
Date: Fri, 4 Oct 2013 14:53:19 +0000
From: Ingo Bauersachs

I'm writing some e-mails to you; can you forward this to the list without my details?

You can specify the truststore that Java should use in the .properties. I don't know the exact property names off the top of my head, but they are defined in the CertificateService (truststore file, truststore type and truststore password).
With that, you could deploy your own truststore file either on a network share or somewhere locally on the corporate desktop (say, on %ProgramData%\Jitsi).

An option to disable a certificate mismatch override should be fairly simple to implement: a new property that just disables/hides the "continue anyway" button.

Kind regards
Maklerzentrum Schweiz AG

Ingo Bauersachs
MSc FHNW in Computer Sciences

IT, System Integration

If you have received this message in error, please contact the sender and delete this message together with all attachments from your system.

From: dev-bounces@jitsi.org [mailto:dev-bounces@jitsi.org] On Behalf Of skyper
Sent: Saturday, 21 September 2013 20:30
To: dev@jitsi.org
Subject: [jitsi-dev] SSL Security Concern


I could not get an answer on the user mailing list. I'm concerned that Jitsi implements a lax SSL security policy which makes it too easily prone to SSL man-in-the-middle attacks.

1. How can I configure Jitsi to use one (and just one; exclusive) root certificate and ignore all other system-wide root certs without having to recompile the source? (and cross platform of course)

2. How can I configure Jitsi to fail connecting to the Jabber server if the SSL trust cannot be established? Currently in a man-in-the-middle attack scenario Jitsi shows a pop-up that the cert is not trusted (even though previous connections had a trusted certificate) and allows the user to manually accept the certificate (doh!).

thanks & regards,
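An added example (not Jitsi code, and not written by Ingo or skyper) showing in plain Java what the two questions in the thread ask for: a truststore that holds exactly one root, validated against to the exclusion of the JVM's default cacerts, and a connection that fails closed when the chain does not reach that root, with no code path that could offer a "continue anyway" choice. In Jitsi itself the equivalent store would be pointed to through the CertificateService truststore properties Ingo mentions; this stand-alone program only demonstrates the verification behaviour such a store yields. The file name, alias, password, host and port, and the use of the "HTTPS" endpoint-identification algorithm (a stand-in for XMPP's own identity rules from RFC 6125) are assumptions made for the example.

```java
// StrictTrust.java: added example, not part of Jitsi. Trusts exactly one root
// CA and fails closed; there is no "continue anyway" path anywhere in it.
//
// Build the exclusive truststore first (file name, alias and password are assumed):
//   keytool -importcert -noprompt -alias corp-root -file corp-root.pem \
//       -keystore jitsi-truststore.p12 -storetype PKCS12 -storepass changeit
//
// Run against a direct-TLS endpoint (HTTPS on 443, or XMPP-over-TLS on 5223 where
// the server offers it; plain 5222 is STARTTLS and needs the XMPP stream opened first):
//   java StrictTrust jitsi-truststore.p12 changeit xmpp.example.org 5223
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class StrictTrust {

    /** Load the truststore and insist that it holds exactly one entry, the corporate root. */
    static KeyStore loadExclusiveTrustStore(String path, String type, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        if (ks.size() != 1) {
            throw new GeneralSecurityException(
                "expected exactly one trusted root in " + path + ", found " + ks.size());
        }
        return ks;
    }

    /** PKIX trust manager initialised from that store only (init(null) would fall back to cacerts). */
    static X509TrustManager exclusiveTrustManager(KeyStore ks) throws GeneralSecurityException {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager for " + ks.getType());
    }

    /** Connect and complete the TLS handshake, or throw. Nothing here asks the user. */
    static SSLSocket connectOrFail(KeyStore ks, String host, int port)
            throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { exclusiveTrustManager(ks) }, null);
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            // Tie the chain to the host name as well: a valid certificate for some
            // other name under the same root must be rejected too.
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake();   // SSLHandshakeException on any trust or name failure
            return s;
        } catch (IOException e) {
            s.close();
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: StrictTrust <truststore.p12> <storepass> <host> <port>");
            System.exit(2);
        }
        KeyStore ks = loadExclusiveTrustStore(args[0], "PKCS12", args[1].toCharArray());
        try (SSLSocket s = connectOrFail(ks, args[2], Integer.parseInt(args[3]))) {
            X509Certificate leaf = (X509Certificate) s.getSession().getPeerCertificates()[0];
            System.out.println("trusted: " + leaf.getSubjectX500Principal());
        } catch (SSLHandshakeException e) {
            System.err.println("refused, not connecting: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

To see both outcomes, point it once at a host whose certificate chains to the imported root (prints "trusted: ...") and once at any public HTTPS host on 443 (prints "refused" and exits non-zero), since the truststore contains no public roots and there is no prompt to fall back on.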