[jitsi-dev] security in chat


#1

Hi,
I'm using jitsi 2.3.4668.9744-1. I have a chat-related problem
which reminds me of the problem raised in this thread:
http://lists.jitsi.org/pipermail/dev/2013-May/016952.html

In the chat window, I check the "Secure chat", "Enable private
messaging", "Automatically initiate private messaging" and
"Require private messaging" boxes. Then I click the "Invite"
button and invite other people into the chat. Let's say I'm user
"A", and users "B" and "C" are invited.

In user "A"'s interface the icon showing the encryption state is
locked. It can be clicked on and used to change settings. However,
for users "B" and "C" the encryption state icon is not locked and
is disabled.

This confuses the invited users because they don't know whether
the connection is secure (encrypted) or not.

In the case of a conference call this problem is solved/worked around
by not even showing the encryption icon to those ("B" and "C")
users. Is it possible to solve this problem in the same way?

On the other hand, is it possible that this is indeed not a visual
problem and the connection is not secured at all?


--
    Regards,
            Zsiga


#2

Other than what's available from the underlying protocol (like TLS for
XMPP), Jitsi does not provide any encryption for multi-user text chats.

--sent from my mobile


On Jun 12, 2013 9:24 AM, "Kosa Attila" <atkosa@mithrandir.hu> wrote:



#3

Thank you for the fast reply. Some questions arose for me
regarding the answers.

- If Jitsi itself doesn't encrypt, what is the purpose of the lock
  icons?

- If the chat is between only two people, is there any
  encryption by Jitsi?

- Is it for a technical or other reason that there is no
  encryption in multi-user chats?

- Can these locks be removed from multi-user chats? The open
  lock signs can be as confusing as they are in conference calls
  (in that case, the solution was the removal of the icons).

- Can Jitsi 'sense' that the XMPP communication is forced to
  happen over TLS? In this case everything happens over an
  encrypted channel, so the lock signs could remain, but actually
  locked. In this case an unlocked lock sign could show that the
  underlying protocol is not, or possibly not, encrypted.


On Wed, Jun 12, 2013 at 09:27:47AM +0200, Emil Ivov wrote:

Other than, what's available from the underlying protocol (like TLS for
XMPP) Jitsi does not provide any encryption for multi-user text chats.

--
    Regards,
            Zsiga


#4

On 13.06.2013 12:12, Kosa Attila wrote:

> Thank you for the fast reply. Some questions arose for me regarding
> the answers.
>
> - If Jitsi itself doesn't encrypt, what is the purpose of the lock
>   icons?

I assume that you have started a chat by adding another person to your
current conversation. It's just a graphical remainder without purpose.
If you join a group via file>join chatroom there won't be any lock.

> - If the chat is between only two people, is there any encryption
>   by Jitsi?

Yes it does, it uses OTR for that purpose (http://www.cypherpunks.ca/otr/)

> - Is it for a technical or other reason that there is no
>   encryption in multi-user chats?

Yes, OTR does not work on MUCs; in theory it would be possible to
negotiate a symmetric key via OTR with each of the participants and
then encrypt using that key, but no such thing is implemented.

> - Can these locks be removed from multi-user chats? The open lock
>   signs can be as confusing as they are in conference calls (in that
>   case, the solution was the removal of the icons).

They will be gone if you join the conference via the menu.

> - Can Jitsi 'sense' that the XMPP communication is forced to happen
>   over TLS? In this case everything happens over an encrypted
>   channel, so the lock signs could remain, but actually locked. In
>   this case an unlocked lock sign could show that the underlying
>   protocol is not, or possibly not, encrypted.

No, they cannot be locked, as your server administrator and the
server administrators of all the chat participants could be men in the
middle.

--
Yannik Völker
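
The idea mentioned in the reply above (agree on a key with each participant over a pairwise channel, then encrypt the room traffic with one shared key), shown as an added example that is not part of the original post and is not Jitsi code. The random pairwise keys stand in for secrets that an OTR session with each participant would provide; AES-256-GCM, all function names and the sample data are assumptions of this example.

```ruby
require 'openssl'

NONCE_LEN, TAG_LEN = 12, 16

# AES-256-GCM under a 32-byte key. Output layout: nonce || tag || ciphertext.
def seal(key, msg)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  nonce = cipher.random_iv
  cipher.auth_data = ''
  ciphertext = cipher.update(msg) + cipher.final
  nonce + cipher.auth_tag + ciphertext
end

# Returns the plaintext, or nil if the key is wrong or the box was modified.
def open_box(key, box)
  return nil if box.bytesize <= NONCE_LEN + TAG_LEN
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = box.byteslice(0, NONCE_LEN)
  cipher.auth_tag = box.byteslice(NONCE_LEN, TAG_LEN)
  cipher.auth_data = ''
  cipher.update(box.byteslice(NONCE_LEN + TAG_LEN, box.bytesize)) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# The inviting user wraps one room key per participant under the pairwise key
# shared with that participant (assumed stand-in for an OTR session secret).
def wrap_room_key(room_key, pairwise_keys)
  pairwise_keys.transform_values { |k| seal(k, room_key) }
end

# Constructed sample data: A shares one pairwise key with B and one with C.
def demo
  pairwise = %w[B C].map { |u| [u, OpenSSL::Random.random_bytes(32)] }.to_h
  room_key = OpenSSL::Random.random_bytes(32)
  wrapped  = wrap_room_key(room_key, pairwise)
  relayed  = seal(room_key, 'hello room') # all the chat server relays
  key_at_b = open_box(pairwise['B'], wrapped['B'])
  tampered = relayed.dup
  tampered.setbyte(-1, tampered.getbyte(-1) ^ 1) # one bit changed in transit
  { b_reads: open_box(key_at_b, relayed),
    c_opens_b_wrap: open_box(pairwise['C'], wrapped['B']),
    tampered: open_box(key_at_b, tampered),
    plaintext_on_wire: relayed.include?('hello room'.b) }
end

p demo if __FILE__ == $PROGRAM_NAME
```

The server relays only the wrapped keys and the sealed message, so reading the room does not depend on TLS or on any server administrator. The example does not re-key when a member leaves, and a shared room key alone does not prove which member sent a message.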


#5

[full of useful stuff]

Thank you for your interest and quick responses. I'll think about
it.


On Thu, Jun 13, 2013 at 01:34:28PM +0200, Yannik Völker wrote:

--
    Regards,
            Zsiga