Hey Jitsi-ers,
I noticed today that Jitsi auto-loads image URLs during OTR sessions,
including over clear HTTP. IMO, this shouldn't be the default behavior,
because it leaks content from a private conversation to (1) the server
hosting the image, and (2) local network attackers if the image is not
HTTPS.
Jitsi's UA string and other HTTP headers are fairly distinctive, so it's
potentially possible for third parties to fingerprint Jitsi users from
this leak.
Thanks,
Yan
--
Yan Zhu <yan@eff.org>, <yan@torproject.org>
Staff Technologist
Electronic Frontier Foundation https://www.eff.org
815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x134
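The leak described in the message above, modelled as an added example (this is not Jitsi's code, and the client name, user-agent string, policy knobs and sample URLs are all constructed for illustration). It contrasts a permissive inline-image policy, which fetches every image URL even inside an OTR session, with a hardened one that never auto-fetches during a private session, refuses cleartext URLs, and sends a generic User-Agent, and reports what an image host or an on-path observer would learn from each fetch:

```python
"""Toy model of an IM client's inline-image auto-load policy.

Added example, not Jitsi code: the client name, user-agent values, policy
fields and sample message are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse

# Image URLs as they would appear in a chat message (http or https only).
IMAGE_URL_RE = re.compile(
    r"https?://[^\s<>\"']+?\.(?:png|jpe?g|gif|webp)\b", re.IGNORECASE
)


@dataclass
class AutoloadPolicy:
    autoload_in_private_sessions: bool  # fetch images while an OTR session is active?
    require_https: bool                 # refuse cleartext (http://) image URLs?
    user_agent: str                     # what the image host sees in the request


# Permissive policy resembling the behaviour reported in the mail.
# The UA value is a hypothetical placeholder, not Jitsi's real string.
PERMISSIVE = AutoloadPolicy(True, False, "ExampleIMClient/2.0 (Java 1.7; Linux)")

# Hardened policy: stay silent in private sessions, HTTPS only, generic UA.
HARDENED = AutoloadPolicy(False, True, "Mozilla/5.0")


@dataclass
class Observation:
    """What a third party learns from one automatic fetch."""
    url: str                 # the URL taken from the private conversation
    host: str                # image server that now knows the URL was shared
    user_agent: str          # fingerprinting signal sent with the request
    on_wire_cleartext: bool  # True: a local network attacker sees the whole request


def extract_image_urls(text: str) -> List[str]:
    """Return the image URLs a client would consider for inline display."""
    return IMAGE_URL_RE.findall(text)


def should_autoload(url: str, otr_active: bool, policy: AutoloadPolicy) -> Tuple[bool, str]:
    """Decide whether the client may fetch `url` without user interaction."""
    if otr_active and not policy.autoload_in_private_sessions:
        return False, "private (OTR) session: do not contact third parties automatically"
    scheme = urlparse(url).scheme.lower()
    if scheme not in ("http", "https"):
        return False, "unsupported scheme"
    if policy.require_https and scheme != "https":
        return False, "cleartext URL refused"
    return True, "ok"


def simulate_autoload(text: str, otr_active: bool, policy: AutoloadPolicy) -> List[Observation]:
    """Return what leaks if the client auto-fetches every image URL in `text`
    that `policy` permits. No network access is made; the fetch is simulated."""
    leaks: List[Observation] = []
    for url in extract_image_urls(text):
        allowed, _reason = should_autoload(url, otr_active, policy)
        if not allowed:
            continue
        parsed = urlparse(url)
        leaks.append(Observation(
            url=url,
            host=parsed.hostname or "",
            user_agent=policy.user_agent,
            on_wire_cleartext=(parsed.scheme.lower() == "http"),
        ))
    return leaks


# Constructed sample message from an OTR conversation (hosts are placeholders).
MESSAGE = "look at http://img.example.com/cat.jpg and https://cdn.example.net/dog.png"

if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        for leak in simulate_autoload(MESSAGE, otr_active=True, policy=policy):
            print(f"[{name}] {leak.host} learns {leak.url!r}; UA={leak.user_agent!r}; "
                  f"cleartext on wire={leak.on_wire_cleartext}")
```

Under the permissive policy both URLs are fetched during the OTR session, so each image host learns that its URL was shared (and can fingerprint the client from the distinctive User-Agent), and the http:// request is additionally visible to anyone on the local network. Under the hardened policy nothing is fetched while OTR is active; outside a private session only the https:// URL is loaded, with a generic User-Agent.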