[jitsi-users] File transfer encrypted?


#1

Just a quick question, are file transfers in Jitsi encrypted with OTR
just like chat messages? Or are files send in the clear?


#2

As far as I know files are transfered unencrypted (well, not exactly
unencrypted as the connection from you to your provider, from your
provider to your partners provider and from your partners provider to
your partner are all encrypted but not end to end)

···

Am 21.09.2013 23:37, schrieb PrivacyDefence:

Just a quick question, are file transfers in Jitsi encrypted with
OTR just like chat messages? Or are files send in the clear?

_______________________________________________ users mailing list
users@jitsi.org Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

- --
Yannik V�lker


#3

Hello,

···

On 9/22/13 2:20 AM, Yannik V�lker wrote:

As far as I know files are transfered unencrypted (well, not exactly
unencrypted as the connection from you to your provider, from your
provider to your partners provider

Just a quick note: you have no way of knowing if this is the case
(unless you know your server requires s2s connections to use TLS, which
most servers don't). Notably google's servers do not support TLS for s2s
connections.

Regards,
Boris


#4

I currently use and recommend the XMPP provider at jit.si. I assume
that at least some encryption is used for file transfers, but it would
be nice if someone from Jitsi could confirm or deny. If files
transfers are sent without any sort of encryption I will need to
inform my users. If so, I also think it should be mentioned in the
documentation.

···

On 22-09-2013 03:34, Boris Grozev wrote:

Hello,

On 9/22/13 2:20 AM, Yannik V�lker wrote:

As far as I know files are transfered unencrypted (well, not
exactly unencrypted as the connection from you to your provider,
from your provider to your partners provider

Just a quick note: you have no way of knowing if this is the case
(unless you know your server requires s2s connections to use TLS,
which most servers don't). Notably google's servers do not support
TLS for s2s connections.

Regards, Boris

_______________________________________________ users mailing list
users@jitsi.org Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#5

Boris Grozev:

Hello,

As far as I know files are transfered unencrypted (well, not exactly
unencrypted as the connection from you to your provider, from your
provider to your partners provider

Just a quick note: you have no way of knowing if this is the case
(unless you know your server requires s2s connections to use TLS, which
most servers don't). Notably google's servers do not support TLS for s2s
connections.

I use a server that enforces tls to the other servers and therefore
doesn't accept google's talk servers. Virtually _every_ other XMPP
server out there supports TLS though, they say.

Still, it's just nice to have and OTR doesn't hurt.

···

On 9/22/13 2:20 AM, Yannik V�lker wrote:

Regards,
Boris

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#6

As a rule, I recommend encrypting files with a separate tool, then sending
the file and key via 2 different, unrelated, services. Usually I use 7-Zip
with full encryption, which includes encrypting the file names and metadata.

···

On Mon, Sep 23, 2013 at 3:23 PM, PrivacyDefence < webmaster@privacydefence.org> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I currently use and recommend the XMPP provider at jit.si. I assume
that at least some encryption is used for file transfers, but it would
be nice if someone from Jitsi could confirm or deny. If files
transfers are sent without any sort of encryption I will need to
inform my users. If so, I also think it should be mentioned in the
documentation.

On 22-09-2013 03:34, Boris Grozev wrote:
> Hello,
>
> On 9/22/13 2:20 AM, Yannik Völker wrote:
>> As far as I know files are transfered unencrypted (well, not
>> exactly unencrypted as the connection from you to your provider,
>> from your provider to your partners provider
>
> Just a quick note: you have no way of knowing if this is the case
> (unless you know your server requires s2s connections to use TLS,
> which most servers don't). Notably google's servers do not support
> TLS for s2s connections.
>
>
> Regards, Boris
>
> _______________________________________________ users mailing list
> users@jitsi.org Unsubscribe instructions and other list options:
> http://lists.jitsi.org/mailman/listinfo/users
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJSQJUaAAoJEKfAPQIYEF1ivbcP/3pSIZZ7eQ5WGvNTdfpc494n
KDyw6gDz+qntPFyrhc6YPP998vkJ9mLZVLjT0Om8DZGkfkgLmBS3+Dv/hrJVUjZC
16V4/sfBORl0VLO1zkBN4SqcQDNq5w9y3nLGQI8OGBbZq1vmmmC/hcsWUJZWbsmm
U8URsnS9O0ZtnlHx9QrL44ofMbOwNIqF+IqVdWDiqQRUR1xND6RFRqC9b47H0516
evI6PPkFpRlgTAlWQjNjMMEqx3F93T+nZOHyvvDk2nS7+BFjHDWTXSGR9d41Vyic
1GPHIw2k5I0pVdhVTY4ymyKk8nEeJxckRLt+aoejsiDk9x2VJczyR5ePfWKpCD2S
ndFfYanfKItDqjw0qLGXBzMurGbMtS4SSvpRm/lwp+ZaEyIaDtQ/6x+OP3JJJjGS
56xmlBFmxNhUJlWtMtZnRWCF78u50xY8NF5Da9qwOxNA5AzL6Bkoxn9HPZU/vUKz
GD8wS3BkJvIRsbItOJoZ+KQUoArtJdviOgS7n37qcieqISrsKy7vgd41ND4fI38y
DleWkDD/HnyBaol9amrir5irIy+leLP6BvqfEEQ1k8qt522Upj5YWz9OUrt1hqi0
R1+uwHyKFv4x19rqlbdmr9kUNBxjCvRuV6kYReJXbEI/pHGUuIUS2rVsxv79IaZC
BP55lDkuVwuoyug7JbS2
=dRbM
-----END PGP SIGNATURE-----

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#7

That makes sense. But it would still be nice to know how Jitsi
actually works.

···

On 24-09-2013 00:28, Ron Wilson wrote:

As a rule, I recommend encrypting files with a separate tool, then
sending the file and key via 2 different, unrelated, services.
Usually I use 7-Zip with full encryption, which includes encrypting
the file names and metadata.

On Mon, Sep 23, 2013 at 3:23 PM, PrivacyDefence < > webmaster@privacydefence.org> wrote:

I currently use and recommend the XMPP provider at jit.si. I
assume that at least some encryption is used for file transfers,
but it would be nice if someone from Jitsi could confirm or deny.
If files transfers are sent without any sort of encryption I will
need to inform my users. If so, I also think it should be mentioned
in the documentation.

On 22-09-2013 03:34, Boris Grozev wrote:

Hello,

On 9/22/13 2:20 AM, Yannik V�lker wrote:

As far as I know files are transfered unencrypted (well,
not exactly unencrypted as the connection from you to your
provider, from your provider to your partners provider

Just a quick note: you have no way of knowing if this is the
case (unless you know your server requires s2s connections to
use TLS, which most servers don't). Notably google's servers
do not support TLS for s2s connections.

Regards, Boris

_______________________________________________ users mailing
list users@jitsi.org Unsubscribe instructions and other list
options: http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________ users mailing
list users@jitsi.org Unsubscribe instructions and other list
options: http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________ users mailing list
users@jitsi.org Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#8

We do allow non-encrypted connections from jit.si to other servers.

jit.si to jit.si file transfer is encrypted client to server but not
end-to-end. This means, that, if we wanted to, would have the option of
intersepting it. Of course we don't but you have to take our word for it,
which is why we'd like to implement e2e encryption there at some point.

Emil

--sent from my mobile

···

On 23 Sep 2013 21:24, "PrivacyDefence" <webmaster@privacydefence.org> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I currently use and recommend the XMPP provider at jit.si. I assume
that at least some encryption is used for file transfers, but it would
be nice if someone from Jitsi could confirm or deny. If files
transfers are sent without any sort of encryption I will need to
inform my users. If so, I also think it should be mentioned in the
documentation.

On 22-09-2013 03:34, Boris Grozev wrote:
> Hello,
>
> On 9/22/13 2:20 AM, Yannik Völker wrote:
>> As far as I know files are transfered unencrypted (well, not
>> exactly unencrypted as the connection from you to your provider,
>> from your provider to your partners provider
>
> Just a quick note: you have no way of knowing if this is the case
> (unless you know your server requires s2s connections to use TLS,
> which most servers don't). Notably google's servers do not support
> TLS for s2s connections.
>
>
> Regards, Boris
>
> _______________________________________________ users mailing list
> users@jitsi.org Unsubscribe instructions and other list options:
> http://lists.jitsi.org/mailman/listinfo/users
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJSQJUaAAoJEKfAPQIYEF1ivbcP/3pSIZZ7eQ5WGvNTdfpc494n
KDyw6gDz+qntPFyrhc6YPP998vkJ9mLZVLjT0Om8DZGkfkgLmBS3+Dv/hrJVUjZC
16V4/sfBORl0VLO1zkBN4SqcQDNq5w9y3nLGQI8OGBbZq1vmmmC/hcsWUJZWbsmm
U8URsnS9O0ZtnlHx9QrL44ofMbOwNIqF+IqVdWDiqQRUR1xND6RFRqC9b47H0516
evI6PPkFpRlgTAlWQjNjMMEqx3F93T+nZOHyvvDk2nS7+BFjHDWTXSGR9d41Vyic
1GPHIw2k5I0pVdhVTY4ymyKk8nEeJxckRLt+aoejsiDk9x2VJczyR5ePfWKpCD2S
ndFfYanfKItDqjw0qLGXBzMurGbMtS4SSvpRm/lwp+ZaEyIaDtQ/6x+OP3JJJjGS
56xmlBFmxNhUJlWtMtZnRWCF78u50xY8NF5Da9qwOxNA5AzL6Bkoxn9HPZU/vUKz
GD8wS3BkJvIRsbItOJoZ+KQUoArtJdviOgS7n37qcieqISrsKy7vgd41ND4fI38y
DleWkDD/HnyBaol9amrir5irIy+leLP6BvqfEEQ1k8qt522Upj5YWz9OUrt1hqi0
R1+uwHyKFv4x19rqlbdmr9kUNBxjCvRuV6kYReJXbEI/pHGUuIUS2rVsxv79IaZC
BP55lDkuVwuoyug7JbS2
=dRbM
-----END PGP SIGNATURE-----

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#9

I use a server that enforces tls to the other servers and therefore
doesn't accept google's talk servers. Virtually _every_ other XMPP
server out there supports TLS though, they say.

Sounds interesting. Is this a public server?


#10

If you search the list archives, I believe there is a discussion about
this already that says file transfers and voice/video calls with more
than two people are not encrypted.

Anthony

···

On 09/24/2013 11:37 AM, PrivacyDefence wrote:

That makes sense. But it would still be nice to know how Jitsi
actually works.

--
Anthony Papillion
XMPP/Jabber: cypherpunk@patts.us
OTR Fingerprint: 4F5CE6C07F5DCE4A2569B72606E5C00A21DA24FA
SIP: 17772471988@callcentric.com
PGP Key: 0xE1608145


#11

We do allow non-encrypted connections from jit.si <http://jit.si>
to other servers.

jit.si <http://jit.si> to jit.si <http://jit.si> file transfer is
encrypted client to server but not end-to-end. This means, that, if
we wanted to, would have the option of intersepting it. Of course
we don't but you have to take our word for it, which is why we'd
like to implement e2e encryption there at some point.

OTR Data (in otrV3) is functional and has been implemented in The
Guardian Project's ChatSecure XMPP+OTR Android client (and I think
CryptoCat is also investigating adding OTR Data); it'd actually be
pretty awesome if tools like Jitsi also began supporting peer-to-peer
OTR data/file transfers!

Jon

···

On Tuesday, September 24, 2013 03:42 PM, Emil Ivov wrote:

Emil

--sent from my mobile

On 23 Sep 2013 21:24, "PrivacyDefence" > <webmaster@privacydefence.org > <mailto:webmaster@privacydefence.org>> wrote:

I currently use and recommend the XMPP provider at jit.si
<http://jit.si>. I assume that at least some encryption is used for
file transfers, but it would be nice if someone from Jitsi could
confirm or deny. If files transfers are sent without any sort of
encryption I will need to inform my users. If so, I also think it
should be mentioned in the documentation.

On 22-09-2013 03:34, Boris Grozev wrote:

Hello,

On 9/22/13 2:20 AM, Yannik V�lker wrote:

As far as I know files are transfered unencrypted (well, not
exactly unencrypted as the connection from you to your
provider, from your provider to your partners provider

Just a quick note: you have no way of knowing if this is the
case (unless you know your server requires s2s connections to use
TLS, which most servers don't). Notably google's servers do not
support TLS for s2s connections.

Regards, Boris

_______________________________________________ users mailing
list users@jitsi.org <mailto:users@jitsi.org> Unsubscribe
instructions

and other list options:

http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________ users mailing list
users@jitsi.org <mailto:users@jitsi.org> Unsubscribe instructions
and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________ users mailing list
users@jitsi.org Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#12

That would be one way of doing it indeed. ZRTP and Pseudo TCP could be
another.

Emil

--sent from my mobile

···

On 24 Sep 2013 23:09, "Jon Camfield" <jon@openinternetproject.org> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday, September 24, 2013 03:42 PM, Emil Ivov wrote:
> We do allow non-encrypted connections from jit.si <http://jit.si>
> to other servers.
>
> jit.si <http://jit.si> to jit.si <http://jit.si> file transfer is
> encrypted client to server but not end-to-end. This means, that, if
> we wanted to, would have the option of intersepting it. Of course
> we don't but you have to take our word for it, which is why we'd
> like to implement e2e encryption there at some point.

OTR Data (in otrV3) is functional and has been implemented in The
Guardian Project's ChatSecure XMPP+OTR Android client (and I think
CryptoCat is also investigating adding OTR Data); it'd actually be
pretty awesome if tools like Jitsi also began supporting peer-to-peer
OTR data/file transfers!

Jon

>
> Emil
>
> --sent from my mobile
>
> On 23 Sep 2013 21:24, "PrivacyDefence" > > <webmaster@privacydefence.org > > <mailto:webmaster@privacydefence.org>> wrote:
>
> I currently use and recommend the XMPP provider at jit.si
> <http://jit.si>. I assume that at least some encryption is used for
> file transfers, but it would be nice if someone from Jitsi could
> confirm or deny. If files transfers are sent without any sort of
> encryption I will need to inform my users. If so, I also think it
> should be mentioned in the documentation.
>
>
>
>
>
> On 22-09-2013 03:34, Boris Grozev wrote:
>> Hello,
>
>> On 9/22/13 2:20 AM, Yannik Völker wrote:
>>> As far as I know files are transfered unencrypted (well, not
>>> exactly unencrypted as the connection from you to your
>>> provider, from your provider to your partners provider
>
>> Just a quick note: you have no way of knowing if this is the
>> case (unless you know your server requires s2s connections to use
>> TLS, which most servers don't). Notably google's servers do not
>> support TLS for s2s connections.
>
>
>> Regards, Boris
>
>> _______________________________________________ users mailing
>> list users@jitsi.org <mailto:users@jitsi.org> Unsubscribe
>> instructions
> and other list options:
>> http://lists.jitsi.org/mailman/listinfo/users
>
>
> _______________________________________________ users mailing list
> users@jitsi.org <mailto:users@jitsi.org> Unsubscribe instructions
> and other list options:
> http://lists.jitsi.org/mailman/listinfo/users
>
>
>
> _______________________________________________ users mailing list
> users@jitsi.org Unsubscribe instructions and other list options:
> http://lists.jitsi.org/mailman/listinfo/users
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJSQf9QAAoJEKmYlZ/5Jr+LlgsQAKXY60aJE3uwIL7osGmgXXfa
aHFYRe7+qPWycbCN95ZzsRVyGNL4C1xGCi80ZcIuj1YCPwx2+xK+GnwDI2xFpc0O
3n8jasIAStuYBe+3yNPXF1KrM7dolhcE6azjXLBij6s+IvXQUfcJBEoQYsQjYaqH
CSZz30HvkBNERlaxNbMBGqjGtiudWfCmKnnIiB/bjbLMj6O7Ncd4YEpKhqB4sgVU
xOZtVOBZY3ZLlWefOTBhGD1LnPpVeshdpomsV80R3b/6Nq9aXQPwHvr4AJi7DXvg
OGM/syqnqvqVg8LpYp/geXjOeK2YgyscizIcTvOLo8i7GMc0hV2d/eaWSZXeZH/3
727ceZWMesPK5OAQ3V/wUFpgqdaOvNBP61cH2dcM/NEQQElgUfXsm542qRcGVWYi
hngQa/NUPugKss0ZFhEKq5OATQj0/26lf1N8ePvQxHZbd3+vHB5fIu5ugPiblyat
RTCC31mp2eDcu/euG9S/WnH5feg4Kueh+nh0jt5cyRUoKdBeufzu9oeSJ6C+mzWA
NVKQrAM9HzznRz8EJ/DJpkBc+AbQ0NNFS9fv1mTo5QOSkKaEFxFTdUqF1OpkI9Vq
k4FD/+/OJh0KbVdqYHTlsHTm5ouxqf2+MT/1Qn/KC7Nbw7CcsddyPh0KnWJfE39A
IAqNtToyIiuaeOkefpVe
=mOEA
-----END PGP SIGNATURE-----

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#13

Hello,

···

On 9/24/13 8:40 PM, Anthony Papillion wrote:

On 09/24/2013 11:37 AM, PrivacyDefence wrote:

That makes sense. But it would still be nice to know how Jitsi
actually works.

If you search the list archives, I believe there is a discussion about
this already that says file transfers and voice/video calls with more
than two people are not encrypted.

This only applies to audio/video conferences using a videobridge.
Conferences started with 'create a conference call' can use ZRTP.

Regards,
Boris