I just want to note we at OpenITP are also concerned about images
loading over HTTP; encrypted modes should not send cleartext traffic.
Emil, can we ensure this bug gets addressed?
Gus
Message: 6
Date: Tue, 29 Jul 2014 13:31:46 -0700
From: Yan Zhu <yan@eff.org>
To: users@jitsi.org
Subject: [jitsi-users] Bug report: turn off image autoloading during OTR mode
Message-ID: <53D804B2.1030401@eff.org>
Content-Type: text/plain; charset="iso-8859-1"
Hey Jitsi-ers,
I noticed today that Jitsi auto-loads image URLs during OTR sessions,
including over clear HTTP. IMO, this shouldn't be the default behavior,
because it leaks content from a private conversation to (1) the server
hosting the image, and (2) local network attackers if the image is not
HTTPS.
Jitsi's UA string and other HTTP headers are fairly distinctive, so it's
potentially possible for third parties to fingerprint Jitsi users from
this leak.
We actually had image loading disabled by default but something seems to be broken there. We will fix this shortly.
If anyone wants to submit a patch that uses a separate property to disable it for OTR mode (as opposed to the global image loading property) then please let us know.
Emil
On 04.08.14, 10:41, Gillian "Gus" Andrews wrote:
I just want to note we at OpenITP are also concerned about images
loading over HTTP; encrypted modes should not send cleartext traffic.
It has been fixed in build 5270. Now, by default, images are not loaded,
and there is a (show preview) link which can load an image on
demand.
You can also disable all replacements in Options/Preferences -> Chat,
or enable them.
If the configuration was modified, the default behaviour may not be experienced.
Also, we have added an option, when right-clicking on an already loaded
image, to show that configuration.
Regards
damencho
On Thu, Aug 7, 2014 at 3:00 PM, Emil Ivov <emcho@jitsi.org> wrote:
Hey all,
We actually had image loading disabled by default but something seems to be
broken there. We will fix this shortly.
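The policy discussed across this thread (Yan's leak report, Emil's suggestion of a separate OTR property, and the (show preview) link in build 5270) as an added example. This is not Jitsi's code: the property names, the user-agent string, the message text and the placeholder format are all constructed for illustration. The example goes slightly beyond the thread by also refusing to auto-fetch cleartext http:// images outside OTR, and by showing what the image host would observe if the fetch were made.

```python
"""Image-preview policy for a chat client (added example, not Jitsi's code).

Decides, per image URL in a message, whether the client may fetch the image
automatically or must render an on-demand "(show preview)" link instead.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed placeholder; the real Jitsi User-Agent string is not reproduced here.
CLIENT_USER_AGENT = "ExampleChatClient/1.0 (added example)"

# Matches http(s) URLs ending in a common image extension.
IMAGE_URL_RE = re.compile(r"""https?://[^\s<>"']+\.(?:png|jpe?g|gif)\b""", re.IGNORECASE)


@dataclass
class Prefs:
    # Hypothetical property names, not Jitsi's real configuration keys.
    autoload_images: bool = False   # global image-loading switch (thread: default off)
    autoload_in_otr: bool = False   # separate switch for OTR sessions, as Emil suggested


@dataclass
class Decision:
    url: str
    action: str     # "fetch" or "placeholder"
    reason: str


def image_urls(text):
    """All image URLs the client would otherwise try to load from a message."""
    return IMAGE_URL_RE.findall(text)


def decide(url, prefs, otr_active):
    """Apply the policy to one URL; the most restrictive reason wins."""
    if urlparse(url).scheme.lower() != "https":
        return Decision(url, "placeholder",
                        "cleartext HTTP: a local network attacker sees the URL")
    if otr_active and not prefs.autoload_in_otr:
        return Decision(url, "placeholder",
                        "OTR session: fetching leaks conversation content to the image host")
    if not prefs.autoload_images:
        return Decision(url, "placeholder", "image auto-loading disabled by preference")
    return Decision(url, "fetch", "https and auto-loading permitted")


def render(text, prefs, otr_active):
    """Replace each image URL with an inline-image marker or a (show preview) link."""
    def sub(match):
        d = decide(match.group(0), prefs, otr_active)
        if d.action == "fetch":
            return f"[image {d.url}]"
        return f"{d.url} (show preview)"
    return IMAGE_URL_RE.sub(sub, text)


def outbound_request(url, user_agent=CLIENT_USER_AGENT):
    """What the image host (and, for http://, anyone on the path) would observe."""
    parts = urlparse(url)
    return {
        "host": parts.hostname,
        "path": parts.path,
        "cleartext": parts.scheme.lower() == "http",
        "headers": {"User-Agent": user_agent},
    }


if __name__ == "__main__":
    # Constructed sample message: one https and one http image link.
    msg = "look: https://img.example/cat.png and http://img.example/dog.jpg"
    for url in image_urls(msg):
        d = decide(url, Prefs(autoload_images=True), otr_active=True)
        print(d.action, url, "-", d.reason)
    print(render(msg, Prefs(autoload_images=True), otr_active=False))
    print(outbound_request("http://img.example/dog.jpg"))
```

Two design points: the OTR check consults its own property rather than the global one, so a user who keeps previews on for ordinary chats still gets the safe default inside an encrypted session; and the decision carries a reason, so the (show preview) link can tell the user why the image was not loaded instead of failing silently.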