[jitsi-users] Bug report: turn off image autoloading during OTR mode


#1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I just want to note we at OpenITP are also concerned about images
loading over HTTP; encrypted modes should not send cleartext traffic.

Emil, can we ensure this bug gets addressed?

Gus

On 7/29/14, 6:10 PM, users-request@jitsi.org wrote:

Message: 6
Date: Tue, 29 Jul 2014 13:31:46 -0700
From: Yan Zhu <yan@eff.org>
To: users@jitsi.org
Subject: [jitsi-users] Bug report: turn off image autoloading during OTR mode
Message-ID: <53D804B2.1030401@eff.org>
Content-Type: text/plain; charset="iso-8859-1"

Hey Jitsi-ers,

I noticed today that Jitsi auto-loads image URLs during OTR sessions,
including over clear HTTP. IMO, this shouldn't be the default behavior,
because it leaks content from a private conversation to (1) the server
hosting the image, and (2) local network attackers if the image is not
HTTPS.

Jitsi's UA string and other HTTP headers are fairly distinctive, so it's
potentially possible for third parties to fingerprint Jitsi users from
this leak.

Thanks,
Yan

--
Yan Zhu <yan@eff.org>, <yan@torproject.org>
Staff Technologist
Electronic Frontier Foundation
https://www.eff.org
815 Eddy Street, San Francisco, CA 94109
+1 415 436 9333 x134

--
Gillian "Gus" Andrews
Senior Program Associate, Secure User Practices
Open Internet Tools Project
openitp.org


#2

Hey all,

We actually had image loading disabled by default but something seems to be broken there. We will fix this shortly.

If anyone wants to submit a patch that uses a separate property to disable it for OTR mode (as opposed to the global image loading property) then please let us know.

Emil

On 04.08.14, 10:41, Gillian "Gus" Andrews wrote:
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

--
https://jitsi.org
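As an added example (not Jitsi's code; the property names and sample message are invented), here is the layering Emil describes: a separate OTR property on top of the global image-loading property, plus the cleartext-scheme check that Yan's report motivates, applied to the image URLs in a chat message.

```python
"""Added example, not Jitsi's code: decide whether an image URL found in a
chat message may be fetched without the user asking.  Previews are off by
default, a separate property governs OTR sessions, and http:// images are
never auto-fetched.  Property names are hypothetical."""
import html
import re
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlparse

# Hypothetical configuration keys; Jitsi's real property names are not on the page.
DEFAULTS: Dict[str, bool] = {
    "chat.image.autoload": False,         # global switch, off by default
    "chat.image.autoload.otr": False,     # separate switch for OTR sessions
    "chat.image.allow_cleartext": False,  # never auto-fetch http:// images
}

IMAGE_URL = re.compile(r"https?://\S+?\.(?:png|jpe?g|gif)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Decision:
    autoload: bool
    reason: str


def image_policy(url: str, otr_active: bool, config: Optional[Dict[str, bool]] = None) -> Decision:
    """Return whether `url` may be fetched automatically, and why not if it may not."""
    cfg = {**DEFAULTS, **(config or {})}
    if urlparse(url).scheme.lower() != "https" and not cfg["chat.image.allow_cleartext"]:
        return Decision(False, "cleartext-scheme")   # request is visible to on-path observers
    if not cfg["chat.image.autoload"]:
        return Decision(False, "global-autoload-off")
    if otr_active and not cfg["chat.image.autoload.otr"]:
        return Decision(False, "otr-autoload-off")   # image host would learn of the private chat
    return Decision(True, "allowed")


def render_message(text: str, otr_active: bool, config: Optional[Dict[str, bool]] = None) -> str:
    """Rewrite each image URL as an inline <img> or as a (show preview) link.
    Only the URL is HTML-escaped here; the rest of `text` is the caller's job."""
    def repl(m):
        url = m.group(0)
        safe = html.escape(url, quote=True)
        if image_policy(url, otr_active, config).autoload:
            return f'<img src="{safe}">'
        return f'{safe} <a href="#" data-preview="{safe}">(show preview)</a>'
    return IMAGE_URL.sub(repl, text)


# Constructed sample message (not from the thread).
SAMPLE = "look at http://img.example/cat.png and https://img.example/dog.jpg"

if __name__ == "__main__":
    print(render_message(SAMPLE, otr_active=True))
```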


#3

Hi,

It has been fixed in build 5270. Now by default images are not loaded
and there is a link (show preview) which can load an image on
demand.
You can also disable all replacements in Options/Preferences -> Chat,
or enable them.
If the configuration was modified, the default behaviour may not be experienced.
Also we have added an option when right-clicking on an already loaded
image to show that configuration.

Regards
damencho

On Thu, Aug 7, 2014 at 3:00 PM, Emil Ivov <emcho@jitsi.org> wrote:
