[jitsi-dev] question about security of meet.jit.si (WebRTC)


#1

Dear Devs,
Besides Jitsi, I have also started to use your Jitmeet service; both are
working really great, please continue!!!

I want to advertise the usage of https://meet.jit.si to several people
involved with NGOs and wanted to approach you concerning security:

According to the info on the Jitsi homepage, the connections are secured
with DTLS/SRTP, i.e. between server and user(s) but not end-to-end (as
with ZRTP, if I understood correctly; sorry if I got it wrong...)

Questions:

1) Assuming that I trust the operators of the server (videobridge) (=
the Jitsi team): can the communication be intercepted (man-in-the-middle
attack etc.)?
2) How is chatting secured for all participants?
3) Will end-to-end encryption be implemented in Jitmeet (similar to the
Jitsi client)?

kind regards, thx a lot for your great work!

MS



#2

Hi Mr. Smith,

Just a general question...is there any reason you would be unwilling to
host your own jitmeet session and have your friends and NGO groups use it?
The standard answer with trust and security is to do it yourself so you
don't have to worry about anyone monitoring the connections.

I really like meet.jit.si and its potential to help people video chat.
Great efforts have been made by the WebRTC world as a group and
particularly by the Jitsi team!

Best,
jungle

···

On 20 March 2014 10:00, Mr.Smith <mr.smith476@gmail.com> wrote:

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev

--
-------
inum: 883510009902611
sip: jungleboogie@sip2sip.info
xmpp: jungle-boogie@jit.si


#3

Hi jungle,
thx for your reply
I am aware and appreciate the huge effort behind such a project.
Even though I have been using Jitsi for several years, I would describe
myself as an average user (coming from Skype) and not as advanced in
programming/setting up my own servers as you or most of the forum members.

If the provided link (below) requires just copying and pasting command-line
commands to set up one's own system, I can give it a try...

Otherwise more hands-on documentation would be required (which I cannot
provide, sorry) to reach the masses of internet users (if one wants to
set up one's own service).

I still hope to get answers from the developers

https://docs.google.com/document/d/1iMOvIFBDSPSkL1_dfhND_mXvf3luIex9hepeIpTuLkw/pub


···

On 3/20/14 6:24 PM, jungleboogie0 wrote:



#4

Dear Devs,
Besides Jitsi, I have also started to use your Jitmeet service; both are
working really great, please continue!!!

I want to advertise the usage of https://meet.jit.si to several people
involved with NGOs and wanted to approach you concerning security:

According to the info on the Jitsi homepage, the connections are secured
with DTLS/SRTP, i.e. between server and user(s) but not end-to-end (as
with ZRTP, if I understood correctly; sorry if I got it wrong...)

correct.

Questions:

1) Assuming that I trust the operators of the server (videobridge) (=
the Jitsi team): can the communication be intercepted (man-in-the-middle
attack etc.)?

The bridge is decrypting all traffic. In fact, it's doing a MITM attack against the WebRTC clients :wink:

Run your own bridge :wink:

2) How is chatting secured for all participants?

Not at all. Each participant is connected via TLS, but that is not end-to-end encryption.
Not that it matters; in-browser crypto cannot be trusted.

3) Will end-to-end encryption be implemented in Jitmeet (similar to the
Jitsi client)?

multi-party OTR is still an unsolved problem :-/

Does that help?

···

On 20.03.2014 18:00, Mr.Smith wrote:


#5

Hi Philipp,
thx a lot for the explanation!

With end-to-end encryption I meant primarily an implementation of ZRTP for
audio/video in JitMeet (and not mpOTR); would this be possible?

thx and br,
MS

···

On 3/20/14 7:58 PM, Philipp Hancke wrote:



#6

Hey MS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi Philipp,
thx a lot for the explanation!

With end-to-end encryption I meant primarily an implementation of ZRTP for
audio/video in JitMeet (and not mpOTR); would this be possible?

WebRTC does not support ZRTP, so unfortunately not. Even with WebRTC, it would have been very tricky to reliably exclude the bridge from the conference and make the content unavailable to it.

To put things in perspective: your communication is encrypted between you and the bridge. The bridge has access to it so you need to trust the person that runs it. If you do - good. If you don't, then your best option is to run your own bridge.

Cheers,
Emil

···

On 21.03.14, 08:53, Mr.Smith wrote:


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.3.1 (Build 13266)
Charset: ISO-8859-1

wsBVAwUBUyvwAnIFU87htrbeAQiviQf/RBOhGhiBaNwERwZ99vHG6M1A1PZXQh6X
lSfZfHK6i2SRonUE8IxWhAdx9jZRS3GVExKlfOT/TA6FgREdUQZkcdjJgofQcekh
QF5MoftyznWajLoywpl8EBvSM/LJvH9F7cqDLo3cGDgDgcY4+jn/6bqPldfZP5YD
r4S8wDbzndZ5PenS8ciAtEqetOBuVKlHHxZYAnsStpHoCAX4Yr91Wkfoc0YqwinP
ZbCnfeyfQ6zg0xeSGJHddhVUxR7iKmUwiU3MJqL9nzxM30JbdzTEv3ZLZ6NushEH
od+Yuc6q2oGBdUh/ESSf3Bs1hD4KiHODBmGjhTCVYTOprZxtXG/xOQ==
=UzKe
-----END PGP SIGNATURE-----


--
https://jitsi.org
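The point Philipp makes in #4 (the bridge completes the DTLS-SRTP handshake with every participant and so decrypts all media) and Emil restates in #6 (media is encrypted to the bridge, which holds the keys, so you have to trust whoever runs it) can be checked from the signaling itself. What follows is an added example, not code from this thread or from the Jitsi project: it parses the a=fingerprint lines out of SDP and reports whether every DTLS session ends at another participant's certificate or at a certificate nobody in the room owns. The participant names, the SDP bodies and the fingerprint values are all constructed for the example.

```javascript
// Added example: not code from this thread or from the Jitsi project.
// In DTLS-SRTP the SRTP keys are derived from the DTLS handshake, and the peer
// certificate for that handshake is announced in SDP as "a=fingerprint". So the
// owner of the certificate behind the fingerprint you received is the party
// that can decrypt your media. If that owner is another participant, media is
// end-to-end between the two of you; if it is a certificate no participant
// owns, a middlebox (the videobridge) terminates DTLS and holds the keys.

// Pull every "a=fingerprint:<algorithm> <hex>" line out of an SDP body
// (session level or inside an m= section), normalised for comparison.
function fingerprints(sdp) {
  const re = /^a=fingerprint:(\S+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)\s*$/gm;
  const found = new Set();
  let m;
  while ((m = re.exec(sdp)) !== null) {
    found.add(`${m[1].toLowerCase()} ${m[2].toUpperCase()}`);
  }
  return [...found];
}

// conference: { participant: { local: <own SDP>, remotes: [<SDP received per PeerConnection>, ...] } }
// Every remote fingerprint is looked up among the participants' own
// certificates. A remote fingerprint that belongs to no participant means a
// third party completed the DTLS handshake and can read that media.
function classifyTopology(conference) {
  const owner = new Map(); // fingerprint -> participant whose certificate it is
  for (const [name, { local }] of Object.entries(conference)) {
    for (const fp of fingerprints(local)) {
      if (owner.has(fp)) {
        throw new Error(`fingerprint ${fp} claimed by both ${owner.get(fp)} and ${name}`);
      }
      owner.set(fp, name);
    }
  }
  const sessions = [];          // { from, to }, with to === null for a non-participant
  const thirdParties = new Set();
  for (const [name, { remotes }] of Object.entries(conference)) {
    for (const sdp of remotes) {
      const fps = fingerprints(sdp);
      if (fps.length === 0) throw new Error(`no a=fingerprint in a remote SDP for ${name}`);
      for (const fp of fps) {
        if (owner.has(fp)) {
          sessions.push({ from: name, to: owner.get(fp) });
        } else {
          thirdParties.add(fp);
          sessions.push({ from: name, to: null });
        }
      }
    }
  }
  return {
    verdict: thirdParties.size === 0 ? "end-to-end" : "hop-by-hop",
    keyHolders: [...thirdParties], // certificates that can decrypt media but belong to no participant
    sessions,
  };
}

// Constructed, minimal SDP for the example (real offers carry far more lines).
function sampleSdp(fingerprint) {
  return [
    "v=0",
    "o=- 1 1 IN IP4 0.0.0.0",
    "s=-",
    "t=0 0",
    "m=audio 9 UDP/TLS/RTP/SAVPF 111",
    "c=IN IP4 0.0.0.0",
    "a=setup:actpass",
    `a=fingerprint:sha-256 ${fingerprint}`,
    "",
  ].join("\r\n");
}

// Made-up, shortened fingerprints (a real SHA-256 fingerprint has 32 byte pairs).
const FP_ALICE  = "A1:A1:A1:A1:A1:A1:A1:A1";
const FP_BOB    = "B2:B2:B2:B2:B2:B2:B2:B2";
const FP_CAROL  = "C3:C3:C3:C3:C3:C3:C3:C3";
const FP_BRIDGE = "DD:DD:DD:DD:DD:DD:DD:DD";

// Two browsers talking directly: each handshakes with the other's certificate.
const P2P_CALL = {
  alice: { local: sampleSdp(FP_ALICE), remotes: [sampleSdp(FP_BOB)] },
  bob:   { local: sampleSdp(FP_BOB),   remotes: [sampleSdp(FP_ALICE)] },
};

// Three browsers on a videobridge: everyone handshakes with the bridge's certificate.
const BRIDGED_CALL = {
  alice: { local: sampleSdp(FP_ALICE), remotes: [sampleSdp(FP_BRIDGE)] },
  bob:   { local: sampleSdp(FP_BOB),   remotes: [sampleSdp(FP_BRIDGE)] },
  carol: { local: sampleSdp(FP_CAROL), remotes: [sampleSdp(FP_BRIDGE)] },
};

console.log("p2p    :", JSON.stringify(classifyTopology(P2P_CALL)));
console.log("bridged:", JSON.stringify(classifyTopology(BRIDGED_CALL)));
```

In a browser the same data is available without reading SDP: RTCPeerConnection.getStats() returns a "transport" entry whose remoteCertificateId points at a "certificate" entry carrying fingerprint and fingerprintAlgorithm, which can be compared exactly as above. Two caveats that match what the thread says: the fingerprints arrive over the signaling channel, so whoever controls signaling can substitute them, and a conference bridge does exactly that by design; and WebRTC has no ZRTP-style short authentication string to catch such a substitution. The check therefore tells you who holds the SRTP keys, not whether that holder is trustworthy, which is why the answer in #6 comes down to trusting the operator or running your own bridge.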