There are problems with Iptel.
On iptel.org, the navigation on the right has four bullets but only
three text/link entries. The copyright on the lower left is from 2001
to 2007. The quick news section has a link to
http://www.sipsecurity.org/ which shows a blank page. The News links at
the top and (near the) bottom of the page go to a web page with "Page
not found". So far that's just sloppy and not seriously problematic,
but it already tells me Iptel may be careless.
I recently decided to give Jitsi another try. I once again ran into
lots of problems. Messages not getting through (even from Linux to
Linux with the latest stable), the program ignoring changes in
settings, not being able to transfer files, and so on. Anyway, to give
Jitsi another try, I requested a new password from Iptel. Below is the
e-mail they sent me. (In the meantime I've deleted my account with
Subject: your login information (new password)
Date: Fri, 07 Mar 2014 11:43:28 +0100
new password for your account has been created. Your password is:
We recommend change your password after you login.
-- This message is automatically generated by SerWeb.
I'm not a native speaker of English, but two of those sentences are
clearly not proper English. Then there is the - plain text! - password
they sent to me, which is just five characters long. Cracking a
password like that is a matter of seconds. I've literally never seen
anything like this before.
They are smart enough to recommend a password change, but there is no
link in their e-mail. Users are left to guess that the "login" needs to
happen on their website (as opposed to, for example, with/via Jitsi).
By default, iptel.org has users login and change their passwords over
http instead of https. Going to https in Firefox first gives a warning
about an invalid certificate. After that the website doesn't show up
properly because they hard coded lots of hrefs (including a <base
href="http://www.iptel.org/" />). The website does not supply ownership
information, the issuer is not trusted, and any action - like a submit
- sends users straight back to http. Even when single pages are
encrypted, data is being sent over an unencrypted connection.
Now, ask yourself: can you trust Iptel with usernames and passwords if
they are both sloppy and technically incompetent? I would say it is a
recipe for disaster. I've tried subscribing with their Services mailing
list to contact them, but so far I haven't received any kind of
reaction to my subscription request.
As a side note, Jitsi is not the only application that, in my opinion,
is still problematic as a replacement for Skype. I've also been looking
at, for example, Pidgin with XMPP. That one has no voice/video support
on Windows, which means I cannot ask my Windows buddies to move
away from Skype to the same software. Also, apparently it has no
encryption by default either, which means the long list of public XMPP
servers possibly includes domains run by people who just want to listen
in on conversations.
Maybe one day there will be an easy to setup (inc. no firewall
problems), easy to use, cross-platform, privacy-preserving, free
software application that can do VoIP, file transfers and video
conferencing. For now, back to Skype.