[jitsi-users] Bug report: turn off image autoloading during OTR mode


#1

Hey Jitsi-ers,

I noticed today that Jitsi auto-loads image URLs during OTR sessions,
including over clear HTTP. IMO, this shouldn't be the default behavior,
because it leaks content from a private conversation to (1) the server
hosting the image, and (2) local network attackers if the image is not
HTTPS.

Jitsi's UA string and other HTTP headers are fairly distinctive, so it's
potentially possible for third parties to fingerprint Jitsi users from
this leak.

Thanks,
Yan


--
Yan Zhu <yan@eff.org>, <yan@torproject.org>
Staff Technologist
Electronic Frontier Foundation https://www.eff.org
815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x134
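One way to encode the policy this report asks for, as an added example that is not Jitsi's own code (the URL regex, the decision function, the reason strings and the sample message are all constructed for illustration): an image URL is never fetched automatically while the session is OTR, and outside OTR only HTTPS image URLs are auto-loaded; everything else is rendered as a plain link so the choice to fetch stays with the user.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed matcher for http(s) URLs in a chat line (hypothetical, not Jitsi's).
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IMAGE_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif", ".webp")


@dataclass(frozen=True)
class LinkDecision:
    """Whether a URL found in a message may be fetched without user action."""
    url: str
    autoload: bool
    reason: str


def decide_autoload(url: str, otr_active: bool, allow_plain_http: bool = False) -> LinkDecision:
    """Apply the privacy policy to one URL.

    Order matters: the OTR check comes first so that a private session
    never triggers a request to the image host, regardless of scheme.
    """
    url = url.rstrip(".,;:!?)")  # drop sentence punctuation glued to the link
    parsed = urlparse(url)
    if not parsed.path.lower().endswith(IMAGE_SUFFIXES):
        return LinkDecision(url, False, "not an image URL; shown as a plain link")
    if otr_active:
        # Fetching would tell the image host (and, over HTTP, the local
        # network) that this client is reading this private conversation.
        return LinkDecision(url, False, "OTR session: no automatic fetch")
    if parsed.scheme.lower() != "https" and not allow_plain_http:
        return LinkDecision(url, False, "plain HTTP: request is visible on the local network")
    return LinkDecision(url, True, "https image outside OTR: auto-load allowed")


def render_message(text: str, otr_active: bool) -> list[LinkDecision]:
    """Return one decision per URL in the message, in order of appearance."""
    return [decide_autoload(m.group(0), otr_active) for m in URL_RE.finditer(text)]


# Constructed sample message (not from the thread).
SAMPLE = ("look at http://example.com/cat.png and https://example.org/dog.jpg, "
          "plus https://example.net/page")

if __name__ == "__main__":
    for otr in (True, False):
        print(f"otr_active={otr}")
        for d in render_message(SAMPLE, otr):
            print(f"  {'FETCH ' if d.autoload else 'LINK  '} {d.url}  ({d.reason})")
```

The `allow_plain_http` flag is where a preferences-window setting would plug in; leaving it off by default keeps the conservative behaviour the report argues for, and the OTR branch is deliberately not overridable by that setting.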


#2

Yeah, I agree, IMHO it would be useful at least to show a warning about
it when an OTR chat is started and in the chat preferences window...

--
PGP/GPG Key 0x840759B0 on hkp://pool.sks-keyservers.net
Fingerprint CE77 230D E55B C49C BDCD BCEF 66FD 3C46 8407 59B0


On 29.07.2014 22:31, Yan Zhu wrote:

Hey Jitsi-ers,

I noticed today that Jitsi auto-loads image URLs during OTR
sessions, including over clear HTTP. IMO, this shouldn't be the
default behavior, because it leaks content from a private
conversation to (1) the server hosting the image, and (2) local
network attackers if the image is not HTTPS.