Dear jit.si users,
We have discovered that the servers running the XMPP jit.si service have been compromised, including the Openfire user databases. We also discovered that Openfire stores password hashes in a way that makes it very straightforward to retrieve the original password from the hash (thanks to Ingo Bauersachs for investigating and getting to the bottom of this). This means that the password that you are using to log into jit.si could have been exposed to the attacker, so please RESET IT AS SOON AS POSSIBLE!
Here’s how you can do this: https://jitsi.org/passwd-rst
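To make the storage issue concrete, here is an added illustration (not Jitsi's or Openfire's code, and not a description of Openfire's actual scheme, which this notice does not spell out): a stored value that can be decrypted with a key kept next to the database hands the password straight to whoever dumps the database, whereas a salted, iterated hash can only be checked against a guess. The toy keystream and the sample password are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets

# Constructed illustration of a "reversible hash": really encryption with a key
# that lives beside the data (toy SHA-256 keystream, not a real cipher).
# ASSUMPTION: this models the property the notice describes (the original
# password can be recovered from what is stored), not Openfire's real format.

def _keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def store_reversible(password: str, server_key: bytes) -> bytes:
    pw = password.encode()
    return bytes(a ^ b for a, b in zip(pw, _keystream(server_key, len(pw))))

def recover_reversible(stored: bytes, server_key: bytes) -> str:
    # Whoever holds the database dump plus the server-side key gets the
    # password back; a compromised server yields both.
    return bytes(a ^ b for a, b in zip(stored, _keystream(server_key, len(stored)))).decode()

def store_hashed(password: str, iterations: int = 200_000) -> dict:
    # Salted, iterated hash: there is no key to recover with, only a slow
    # verify-against-a-guess operation.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify_hashed(password: str, record: dict) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])

def demo() -> tuple:
    server_key = secrets.token_bytes(16)  # constructed; stored beside the data
    rev = store_reversible("correct horse", server_key)
    rec = store_hashed("correct horse")
    return (recover_reversible(rev, server_key),
            verify_hashed("correct horse", rec),
            verify_hashed("wrong guess", rec))

if __name__ == "__main__":
    print(demo())
```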
What does this mean exactly?
Calls on jit.si that were protected with ZRTP and chat sessions that were protected with OTR *are safe*. That’s the whole point of using end-to-end encryption and why we care so much about it in Jitsi.
The bad news is that:
* the attackers may know your password, so please change it ASAP wherever you are using it
* the attackers may know the contents of your roster (your contact list)
What did we do to address the situation?
In the short term we have just moved Openfire to a new location that hasn’t been compromised. You might have experienced connectivity problems as a result today.
In the longer term we will either move to another authentication backend for Openfire (e.g. LDAP) or move to Tigase (we still need to confirm the Jingle Nodes situation there).
We’ll keep everyone posted on our mailing lists.
Questions are welcome at: email@example.com