[jitsi-users] A Jitsi newb with some questions


#1

Hello Everyone,
I'm a new Jitsi user and I have two questions that I can't seem to find the answer to. I'm hoping someone here can help me out.
1. I was browsing the RiseUp site and they mentioned that they could not recommend Jitsi as a secure alternative to Skype because of a few issues. They didn't go into those issues so I don't know what they were. Can anyone tell me what problems there might be with Jitsi security that might compromise security in certain hostile situations? I know that Phil Zimmermann mentions something about the Speex codec and ZRTP not working well together because of some data leakage. Is that the issue or is RiseUp just getting it wrong?
2. This one is easy: how does one turn off those annoying notifications when someone is writing a message. They are distracting. I've tried turning off 'network events' or whatever it's called but that didn't work. Can anyone help?
Thanks!
Anthony


#2

I believe that the issue was related to TLS and how the TLS settings are
used by default. I'll ask the guys that wrote that page and see what
about any outstanding issues.

All the best,
Jacob

···

On 05/25/2012 04:54 PM, Anthony Papillion wrote:

Hello Everyone, I'm a new Jitsi user and I have two questions that I
can't seem to find the answer to. I'm hoping someone here can help me
out. 1. I was browsing the RiseUp site and they mentioned that they
could not recommend Jitsi as a secure alternative to Skype because of
a few issues. They didn't go into those issues so I don't know what
they were. Can anyone tell me what problems there might be with Jitsi
security that might compromise security in certain hostile
situations? I know that Phil Zimmermann mentions something about the
Speex codec and ZRTP not working well together because of some data
leakage. Is that the issue or is RiseUp just getting it wrong?


#3

Thanks, Jacob. Do you know if this issue has been resolved yet?

A

···

On 5/25/2012 7:42 PM, Jacob Appelbaum wrote:

On 05/25/2012 04:54 PM, Anthony Papillion wrote:

Hello Everyone, I'm a new Jitsi user and I have two questions that I
can't seem to find the answer to. I'm hoping someone here can help me
out. 1. I was browsing the RiseUp site and they mentioned that they
could not recommend Jitsi as a secure alternative to Skype because of
a few issues. They didn't go into those issues so I don't know what
they were. Can anyone tell me what problems there might be with Jitsi
security that might compromise security in certain hostile
situations? I know that Phil Zimmermann mentions something about the
Speex codec and ZRTP not working well together because of some data
leakage. Is that the issue or is RiseUp just getting it wrong?

I believe that the issue was related to TLS and how the TLS settings are
used by default. I'll ask the guys that wrote that page and see what
about any outstanding issues.


#4

Anthony Papillion wrote:

Hello Everyone,

I'm a new Jitsi user and I have two questions that I can't seem to find
the answer to. I'm hoping someone here can help me out.

1. I was browsing the RiseUp site and they mentioned that they could not
recommend Jitsi as a secure alternative to Skype because of a few
issues. They didn't go into those issues so I don't know what they were.
Can anyone tell me what problems there might be with Jitsi security that
might compromise security in certain hostile situations? I know that
Phil Zimmermann mentions something about the Speex codec and ZRTP not
working well together because of some data leakage. Is that the issue or
is RiseUp just getting it wrong?

Well first of all you should ask for specific issues they think Jitsi
has to have something to discuss here.

There are other codecs besides speex if you feel that isn't good or
whatever - for example Silk is the codec used in Skype and it works
great with Jitsi.

2. This one is easy: how does one turn off those annoying notifications
when someone is writing a message. They are distracting. I've tried
turning off 'network events' or whatever it's called but that didn't work.
Can anyone help?

I think proactive typing notifications is the correct thing to turn off.

···

Thanks!
Anthony

--
Have a good day,
Kertesz Laszlo


#5

I use Jitsi with Ubuntu 12.04. It takes so looooong to load or start
up, and then when I dial a phone number, it takes soooo long to connect.
By contrast, SFLphone and Ekiga are fast. Is there something I am doing
wrong in the setup? How can I correct this?

Pablo


#6

Ubuntu 12.04 64 bit, jitsi 1.0.1-build.3967

When making a sip call I receive this error:

(log in attachment)

An error occurred while sending invite request

net.java.sip.communicator.service.protocol.OperationFailedException: An error occurred while sending invite request
     at net.java.sip.communicator.impl.protocol.sip.ProtocolProviderServiceSipImpl.throwOperationFailedException(ProtocolProviderServiceSipImpl.java:2387)
     at net.java.sip.communicator.impl.protocol.sip.CallPeerSipImpl.invite(CallPeerSipImpl.java:1490)
     at net.java.sip.communicator.impl.protocol.sip.CallSipImpl.invite(CallSipImpl.java:194)
     at net.java.sip.communicator.impl.protocol.sip.OperationSetBasicTelephonySipImpl.createOutgoingCall(OperationSetBasicTelephonySipImpl.java:233)
     at net.java.sip.communicator.impl.protocol.sip.OperationSetBasicTelephonySipImpl.createCall(OperationSetBasicTelephonySipImpl.java:154)
     at net.java.sip.communicator.impl.protocol.sip.OperationSetBasicTelephonySipImpl.createCall(OperationSetBasicTelephonySipImpl.java:114)
     at net.java.sip.communicator.impl.gui.main.call.CallManager$CreateCallThread.run(CallManager.java:1219)
Caused by: net.java.sip.communicator.service.protocol.OperationFailedException: An error occurred while creating session description
     at net.java.sip.communicator.impl.protocol.sip.ProtocolProviderServiceSipImpl.throwOperationFailedException(ProtocolProviderServiceSipImpl.java:2387)
     at net.java.sip.communicator.impl.protocol.sip.sdp.SdpUtils.createSessionDescription(SdpUtils.java:194)
     at net.java.sip.communicator.impl.protocol.sip.CallPeerMediaHandlerSipImpl.createFirstOffer(CallPeerMediaHandlerSipImpl.java:133)
     at net.java.sip.communicator.impl.protocol.sip.CallPeerMediaHandlerSipImpl.createOffer(CallPeerMediaHandlerSipImpl.java:108)
     at net.java.sip.communicator.impl.protocol.sip.CallPeerSipImpl.invite(CallPeerSipImpl.java:1473)
     ... 5 more
Caused by: javax.sdp.SdpException: The parameter is null
     at gov.nist.javax.sdp.SessionDescriptionImpl.setOrigin(SessionDescriptionImpl.java:480)
     at javax.sdp.SdpFactory.createSessionDescription(SdpFactory.java:79)
     at net.java.sip.communicator.impl.protocol.sip.sdp.SdpUtils.createSessionDescription(SdpUtils.java:143)
     ... 8 more

Regards

Daniele

2012-07-11@16.57.10-logs.zip (7.39 KB)


#7

Anthony Papillion wrote:

1. I was browsing the RiseUp site and they mentioned that they could not
recommend Jitsi as a secure alternative to Skype because of a few
issues. They didn't go into those issues so I don't know what they were.
Can anyone tell me what problems there might be with Jitsi security that
might compromise security in certain hostile situations? I know that
Phil Zimmermann mentions something about the Speex codec and ZRTP not
working well together because of some data leakage. Is that the issue or
is RiseUp just getting it wrong?

Well first of all you should ask for specific issues they think Jitsi
has to have something to discuss here.

I've done just that a few times over the last three weeks but have
received no response from them. That's why I was turning to this list,
hoping someone might know what they're talking about. Perhaps the FAQ
just hasn't been updated in a while and it's outdated. I'll try to do
some more digging and see if I can get an answer from them.

There are other codecs besides speex if you feel that isn't good or
whatever - for example Silk is the codec used in Skype and it works
great with Jitsi.

I personally haven't looked at any of the codecs myself yet. I'm simply
going on what Zimmermann said. I seem to remember him saying something
about being able to recognize individual words when using Speex even
with ZRTP. I'll look it up again and be clearer in my next post.

As for Silk, I like the codec and it seems very efficient though I know
nothing about how secure it is overall. That's one of the reasons I
joined this list: to follow discussion about these very issues.

2. This one is easy: how does one turn off those annoying notifications
when someone is writing a message. They are distracting. I've tried
turning off 'network events' or whatever it's called but that didn't work.
Can anyone help?

I think proactive typing notifications is the correct thing to turn off.

That worked. I've been in that area five or six times looking how to
turn it off and, every single time, I've missed the 'proactive typing
notification' item. Thanks!

Anthony

···

On 5/25/2012 7:14 PM, Kertesz Laszlo wrote:


#8

Thank you! Interesting paper!

A

···

On 5/25/2012 7:37 PM, Bzzz wrote:

On Fri, 25 May 2012 19:22:06 -0500 Anthony Papillion <anthony@papillion.me> wrote:

There are other codecs besides speex if you feel that isn't good
or whatever - for example Silk is the codec used in Skype and it
works great with Jitsi.

I personally haven't looked at any of the codecs myself yet. I'm
simply going on what Zimmermann said. I seem to remember him
saying something about being able to recognize individual words
when using Speex even with ZRTP. I'll look it up again and be
clearer in my next post.

This touches all CODECs that use a VBR, here's the original paper:
http://www.cs.jhu.edu/~cwright/oakland08.pdf


#9

This touches all CODECs that use a VBR, here's the original paper:
http://www.cs.jhu.edu/~cwright/oakland08.pdf

JY

···

On Fri, 25 May 2012 19:22:06 -0500 Anthony Papillion <anthony@papillion.me> wrote:

> There are other codecs besides speex if you feel that isn't good
> or whatever - for example Silk is the codec used in Skype and it
> works great with Jitsi.

I personally haven't looked at any of the codecs myself yet. I'm
simply going on what Zimmermann said. I seem to remember him
saying something about being able to recognize individual words
when using Speex even with ZRTP. I'll look it up again and be
clearer in my next post.

--
We must know, we will know.
    -- David Hilbert


#10

Bzzz wrote:

There are other codecs besides speex if you feel that isn't good
or whatever - for example Silk is the codec used in Skype and it
works great with Jitsi.

I personally haven't looked at any of the codecs myself yet. I'm
simply going on what Zimmermann said. I seem to remember him
saying something about being able to recognize individual words
when using Speex even with ZRTP. I'll look it up again and be
clearer in my next post.

This touches all CODECs that use a VBR, here's the original paper:
http://www.cs.jhu.edu/~cwright/oakland08.pdf

JY

Ok. I skimmed over the paper. Basically encrypted voice communication
can be recognized partially especially if vbr codecs are used.

Now I fail to see why the guys over RiseUp connected this issue to Jitsi
specifically. If it's true it affects ALL voice programs including Skype
that uses only vbr codec (whereas in Jitsi you can use fixed bandwidth
codecs, that seem to be more resilient to these techniques).
Did anyone try to record a zrtp-encrypted conversation?

···

On Fri, 25 May 2012 19:22:06 -0500 Anthony Papillion <anthony@papillion.me> wrote:

--
Have a good day,
Kertesz Laszlo
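
Why frame size matters in the VBR discussion above, as an added example that is not part of the original thread: SRTP (which ZRTP keys) with its default counter-mode cipher preserves payload length, so packet sizes on the wire track the codec's frame sizes. The frame sizes are constructed, and the 12-byte RTP header and 10-byte authentication tag are assumed typical values.

```python
import math
from collections import Counter

RTP_HEADER = 12  # assumed: fixed RTP header, no CSRCs or extensions
AUTH_TAG = 10    # assumed: 80-bit SRTP authentication tag


def wire_lengths(frame_sizes):
    """Packet sizes an on-path observer sees, one codec frame per packet.
    Counter-mode encryption leaves the payload length unchanged."""
    return [RTP_HEADER + n + AUTH_TAG for n in frame_sizes]


def length_entropy_bits(lengths):
    """Shannon entropy of the packet-length distribution, in bits per packet.
    0.0 means every packet has the same size, so length carries no signal."""
    counts = Counter(lengths)
    total = len(lengths)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def pad_frames(frame_sizes, block):
    """Round each frame up to a multiple of `block` bytes before encryption."""
    return [-(-n // block) * block for n in frame_sizes]


# Constructed frame sizes in bytes (not measured from any real codec).
VBR_FRAMES = [10, 15, 20, 28, 38, 46, 62, 38, 20, 10]
CBR_FRAMES = [20] * 10


def report():
    """Entropy of on-wire lengths for each configuration."""
    return {
        "vbr": length_entropy_bits(wire_lengths(VBR_FRAMES)),
        "vbr_padded_16": length_entropy_bits(wire_lengths(pad_frames(VBR_FRAMES, 16))),
        "vbr_padded_64": length_entropy_bits(wire_lengths(pad_frames(VBR_FRAMES, 64))),
        "cbr": length_entropy_bits(wire_lengths(CBR_FRAMES)),
    }


if __name__ == "__main__":
    for name, bits in report().items():
        print(f"{name:14s} {bits:.2f} bits/packet")
```

Run over the lengths of captured SRTP packets, `length_entropy_bits` shows whether a given codec setting produces constant-size packets.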


#11

I use Jitsi with Ubuntu 12.04. It takes so looooong to load or start

Jitsi does start noticeably slowly on my Ubuntu 12.04 but the time it
takes there is comparable to the time it takes to start up on Mac OS X
and Windows so it's kind of the expected behavior.

At times Jitsi takes a bit longer to start up due to network
conditions but these are again observed on the other supported
operating systems as well. You could send us Jitsi's logs
(https://jitsi.org/index.php/Documentation/FAQ#logs) in case they show
anything unexpected.

up, and then when I dial a phone number, it takes soooo long to connect.

This is a known issue. Could you please file a report in our issue
tracker (https://jitsi.org/index.php/Development/BugsAndIssues)?

By contrast, SFLphone and Ekiga are fast. Is there something I am doing
wrong in the setup? How can I correct this?

I don't think you're doing anything wrong in that respect.

···

2012/5/27 Carola y Pablo <stuckybyler2@yahoo.es>:


#12

Bzzz wrote:

There are other codecs besides speex if you feel that isn't good
or whatever - for example Silk is the codec used in Skype and it
works great with Jitsi.

I personally haven't looked at any of the codecs myself yet. I'm
simply going on what Zimmermann said. I seem to remember him
saying something about being able to recognize individual words
when using Speex even with ZRTP. I'll look it up again and be
clearer in my next post.

This touches all CODECs that use a VBR, here's the original paper:
http://www.cs.jhu.edu/~cwright/oakland08.pdf

JY

Ok. I skimmed over the paper. Basically encrypted voice communication
can be recognized partially especially if vbr codecs are used.

Or entirely. Basically, VBR codecs are unsafe, even with ZRTP or ZRTP
like protocols. :(

Now I fail to see why the guys over RiseUp connected this issue to Jitsi
specifically. If it's true it affects ALL voice programs including Skype
that uses only vbr codec (whereas in Jitsi you can use fixed bandwidth
codecs, that seem to be more resilient to these techniques).
Did anyone try to record a zrtp-encrypted conversation?

My understanding is that this issue is totally unrelated to ZRTP - the
issue in question was about TLS support for the main XMPP client
connections. If I understand the issue correctly, Jitsi would fail open
when attempting to make TLS enabled XMPP connections - thus it was
possible to do SSL/TLS stripping and MITM a client.

I asked the original riseup author about it and he said that it appears
to have been fixed in the latest stable Jitsi release but that he would
test it against an XMPP server without TLS support.

All the best,
Jacob

···

On 05/25/2012 06:11 PM, Kertesz Laszlo wrote:

On Fri, 25 May 2012 19:22:06 -0500 Anthony Papillion <anthony@papillion.me> wrote:


#13

Now I fail to see why the guys over RiseUp connected this issue to
Jitsi specifically.

There's no reason to link speech recognition to any program
specifically, only to CODECs.

If it's true

Usually, university researchers avoid publishing hoaxes.

it affects ALL voice programs
including Skype that uses only vbr codec

Skype has never been considered really secured by crypto
specialists; real good crypto has to be cryptanalysed (a lot)
before saying it's unbreakable (at test time!).
Skype conversations are also claimed eavesdropped by Austrians:
http://www.pcworld.com/businesscenter/article/149119/how_secure_is_skype_really.html
and 2 French researchers have decompiled the code (sorry, I lost the
link) and this shows that more than one key could apply to one
encryption.

Did anyone try to record a zrtp-encrypted conversation?

Recording is easy, decrypting is the problem:)
However if I remember well, it seems there could be a risk at the
first communication, the one that establishes the SAS link between the
2 stations: http://www.zrtp.org/peer-review

Another important point is: crypto code can be absolutely sure,
tested & reviewed by cryptanalysts and declared safe; but very badly
injured by poor random generators.

Quantum computing can also look like a big threat, however it is not
really achieved, and the day it'll be they'll discover that quantic
interferences can be... exotic enough to clobber the whole
process 99% of the time ];)

The only 100% secured crypto you can count on is to share a
disposable (very) long string w/ your partner (to XOR your
conversation bytes) and trash its bytes as soon as they are used
(otherwise, you're doomed with a superposition attack).
As far as you meet others sometimes, it is possible to use several
digital books in several languages, re-organize words (randomly cut,
add, remove letters & spaces & bits), and share this secret hand to
hand with your buddy.

JY

···

On Sat, 26 May 2012 04:11:09 +0300 Kertesz Laszlo <laszlo.kertesz@gmail.com> wrote:


#14

Hey all,

My understanding is that this issue is totally unrelated to ZRTP - the
issue in question was about TLS support for the main XMPP client
connections. If I understand the issue correctly, Jitsi would fail open
when attempting to make TLS enabled XMPP connections - thus it was
possible to do SSL/TLS stripping and MITM a client.

I asked the original riseup author about it and he said that it appears
to have been fixed in the latest stable Jitsi release but that he would
test it against an XMPP server without TLS support.

This was indeed fixed in r8905:

Revision: 8905
Author: s_vincent
Date: 2011-09-16 12:28:53 UTC

Log Message:
------------
Requires TLS for XMPP connection. If server does not support TLS, the
GUI will show message telling user to tick a checkbox in the account
configuration that will allow non-secure connection to XMPP server
(disabled by default).

Hope this helps,
Emil

···

On Sat, May 26, 2012 at 6:20 AM, Jacob Appelbaum <jacob@appelbaum.net> wrote:
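
The difference between failing open and the behaviour in the r8905 log message, as an added example that is not Jitsi's code: a client-side decision taken on the server's `<stream:features/>`. The function names, the `allow_non_secure` option name and the sample stanzas are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS_STREAMS = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"


class TlsRequiredError(Exception):
    """The stream cannot be secured and plaintext was not opted into."""


def has_starttls(features_xml):
    """True if the server's <stream:features/> advertises STARTTLS."""
    root = ET.fromstring(features_xml)
    if root.tag != f"{{{NS_STREAMS}}}features":
        raise ValueError("expected <stream:features/>")
    return root.find(f"{{{NS_TLS}}}starttls") is not None


def next_step_fail_open(features_xml):
    """Behaviour the thread describes as the problem: silently fall back."""
    return "starttls" if has_starttls(features_xml) else "plaintext"


def next_step_fail_closed(features_xml, allow_non_secure=False):
    """Behaviour of the r8905 log message: TLS required unless the account
    option (hypothetical name allow_non_secure, off by default) is ticked."""
    if has_starttls(features_xml):
        return "starttls"
    # A missing <starttls/> looks the same whether the server lacks TLS or
    # something on the path removed the element, so stop by default.
    if allow_non_secure:
        return "plaintext"
    raise TlsRequiredError("server did not offer STARTTLS")


def check_starttls_reply(reply_xml):
    """After sending <starttls/>, only <proceed/> may lead to a handshake."""
    if ET.fromstring(reply_xml).tag != f"{{{NS_TLS}}}proceed":
        raise TlsRequiredError("STARTTLS was refused; not falling back")
    return "handshake"


# Constructed sample stanzas (not captured traffic).
FEATURES_TLS = (
    f'<stream:features xmlns:stream="{NS_STREAMS}">'
    f'<starttls xmlns="{NS_TLS}"><required/></starttls>'
    '</stream:features>'
)
FEATURES_NO_TLS = (
    f'<stream:features xmlns:stream="{NS_STREAMS}">'
    '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
    '<mechanism>PLAIN</mechanism></mechanisms>'
    '</stream:features>'
)
```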


#15

Thank you for your reply

I am attaching the log following startup and then dialing a number,
which after 45 seconds gave the reply that the other party had not
answered, which actually wasn't so since the phone at the other end
didn't ring.

About filing a report on the slowness of connecting, I went to the page
you listed, but I was not sure how to proceed, so I let it go.

Pablo

2012-05-28@20.19.30-logs.zip (106 KB)

···

On Sun, 27-05-2012 at 18:52 +0300, Lyubomir Marinov wrote:

2012/5/27 Carola y Pablo <stuckybyler2@yahoo.es>:
> I use Jitsi with Ubuntu 12.04. It takes so looooong to load or start

Jitsi does start noticeably slowly on my Ubuntu 12.04 but the time it
takes there is comparable to the time it takes to start up on Mac OS X
and Windows so it's kind of the expected behavior.

At times Jitsi takes a bit longer to start up due to network
conditions but these are again observed on the other supported
operating systems as well. You could send us Jitsi's logs
(https://jitsi.org/index.php/Documentation/FAQ#logs) in case they show
anything unexpected.

> up, and then when I dial a phone number, it takes soooo long to connect.

This is a known issue. Could you please file a report in our issue
tracker (https://jitsi.org/index.php/Development/BugsAndIssues)?

> By contrast, SFLphone and Ekiga are fast. Is there something I am doing
> wrong in the setup? How can I correct this?

I don't think you're doing anything wrong in that respect.