[jitsi-users] Qualys SSL Labs Gives Jitsi Download Site an "F" Rating


#1

Qualys SSL Labs is a site that provides a tool for evaluating the
security of HTTPS websites.

I'm dismayed to find that the Jitsi download site, download.jitsi.org,
gets an "F" (failing) rating:

https://www.ssllabs.com/ssltest/analyze.html?d=download.jitsi.org

Shouldn't the security of the download site be a priority? It seems
that it has been woefully neglected.

I also note that the individual download pages each contain unsecure
elements:

http://www.sip-communicator.org/wiki/pub/sip-communicator/sc_logo16x16.png

http://www.sip-communicator.org/wiki/pub/sip-communicator/sc_logo16x16.png

And links to the Jitsi home page go to the HTTP rather than the HTTPS site.

Would it not be advisable to correct the deficiencies enumerated by SSL
Labs and also to enable HTTP Strict Transport Security for the domain
jitsi.org?


--
George W. Maschke
http://www.georgemaschke.net
Twitter: georgemaschke
PGP Public Key: 316A947C
Encrypted voice & text chat (XMPP via Jitsi): georgemaschke@jit.si


#2

Dear George,


--------------------------------------------
From: George Maschke <georgemaschke@posteo.de>
Sent: Fri, 12 Sep 2014 18:57:52 +0000
To: Jitsi Users
Subject: [jitsi-users] Qualys SSL Labs Gives Jitsi Download Site an "F" Rating

Qualys SSL Labs is a site that provides a tool for evaluating the
security of HTTPS websites.

I'm dismayed to find that the Jitsi download site, download.jitsi.org,
gets an "F" (failing) rating:

https://www.ssllabs.com/ssltest/analyze.html?d=download.jitsi.org

It's so great to see others using Qualys to 'pressure' companies/projects to
have better SSL ratings! Bitcasa had a very weak rating as well and it's been
improved and recently...maybe because I wrote a twitter letter to bitcasa!

Let's see if we'll get a better SSL rating!

--
inum: 883510009027723
sip: jungleboogie@sip2sip.info
xmpp: jungle-boogie@jit.si


#3

So what? It's a 16x16 logo!!!

This kind of nitpicking irks me a lot. It's akin to someone who sells home
alarms doing an "audit" of a property and highlighting in their report that
the 3-inch vent holes lack security bars.

FC


On Fri, Sep 12, 2014 at 3:57 PM, George Maschke <georgemaschke@posteo.de> wrote:

I also note that the individual download pages each contain unsecure
elements:

http://www.sip-communicator.org/wiki/pub/sip-communicator/sc_logo16x16.png

http://www.sip-communicator.org/wiki/pub/sip-communicator/sc_logo16x16.png


#4

Unfortunately we have limited control on the university machine that has
the downloads. We are hoping for something better but nothing is certain.

I don't necessarily agree that the other points you raise are a problem.

If anyone out there wants to pay for a server at, say OVH, and donate it to
us for downloads that would be more helpful than trying to "pressure" us
into something we want to do anyway.

--sent from my mobile


On 12 Sep 2014 9:25 PM, "Jungle Boogie" <jungleboogie0@gmail.com> wrote:

Dear George,
--------------------------------------------
From: George Maschke <georgemaschke@posteo.de>
Sent: Fri, 12 Sep 2014 18:57:52 +0000
To: Jitsi Users
Subject: [jitsi-users] Qualys SSL Labs Gives Jitsi Download Site an "F"
Rating
>
> Qualys SSL Labs is a site that provides a tool for evaluating the
> security of HTTPS websites.
>
> I'm dismayed to find that the Jitsi download site, download.jitsi.org,
> gets an "F" (failing) rating:
>
> https://www.ssllabs.com/ssltest/analyze.html?d=download.jitsi.org

It's so great to see others using Qualys to 'pressure' companies/projects to
have better SSL ratings! Bitcasa had a very weak rating as well and it's been
improved and recently...maybe because I wrote a twitter letter to bitcasa!

Let's see if we'll get a better SSL rating!


--
inum: 883510009027723
sip: jungleboogie@sip2sip.info
xmpp: jungle-boogie@jit.si

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#5

Fernando,

The existence of an unsecure element in an otherwise secure page is not
a trivial concern. It opens a hole in the TLS connection through which
an attacker might inject malicious code.

See Ivan Ristic's article, "HTTPS Mixed Content: Still the Easiest Way
to Break SSL":

https://community.qualys.com/blogs/securitylabs/2014/03/19/https-mixed-content-still-the-easiest-way-to-break-ssl

So avoiding HTTPS mixed content is something that every website admin
should do, all the more so when that website distributes unsigned,
non-deterministic binaries of communications software, as does
download.jitsi.org.

With respect to Jitsi binaries being unsigned, this is an issue which I
think also needs addressing. Note that Tor Browser binaries are all
distributed along with the GnuPG signature of one of the Tor Project
members:

https://www.torproject.org/docs/verifying-signatures.html.en

At present, those who download Jitsi have no means of authenticating
that the binary they downloaded is identical to the file on the Jitsi
server. Shouldn't Jitsi binaries be cryptographically signed?

If this seems overly paranoid, recall that the jit.si servers were
compromised last year:

https://jitsi.org/Main/JitSiCompromise20131126

- George Maschke
georgemaschke@jit.si

Fernando Cassia wrote:


On Fri, Sep 12, 2014 at 3:57 PM, George Maschke <georgemaschke@posteo.de> wrote:

I also note that the individual download pages each contain unsecure
elements:

http://www.sip-communicator.org/wiki/pub/sip-communicator/sc_logo16x16.png

http://www.sip-communicator.org/wiki/pub/sip-communicator/sc_logo16x16.png

So what? It's a 16x16 logo!!!

This kind of nitpicking irks me a lot. It's akin to someone who sells home
alarms doing an "audit" of a property and highlighting in their report that
the 3-inch vent holes lack security bars.

FC

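As an added example (not code from the thread or from Jitsi), a small Python checker for the two things George asks for: it lists plain-http subresources on an HTTPS page, separating active loads (scripts, stylesheets, frames) from passive ones such as the 16x16 logo, and reads the max-age from a Strict-Transport-Security header. The sample HTML, the example.org hosts and the header value are constructed; the logo URL is the one quoted in the thread.

```python
# Added example, not Jitsi's code: list http:// subresources on an HTTPS page,
# split into 'active' (can rewrite the page) and 'passive' (can only be swapped).
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (attribute that loads the subresource, kind of mixed content)
LOADERS = {"script": ("src", "active"), "iframe": ("src", "active"),
           "link": ("href", "active"), "object": ("data", "active"),
           "embed": ("src", "active"), "img": ("src", "passive"),
           "audio": ("src", "passive"), "video": ("src", "passive")}

class _Collector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []

    def handle_starttag(self, tag, attrs):
        a, spec = dict(attrs), LOADERS.get(tag)  # tag names arrive lower-cased
        # only <link rel="stylesheet"> pulls a subresource into the page
        if spec and (tag != "link" or "stylesheet" in (a.get("rel") or "").lower()):
            url = urljoin(self.page_url, a.get(spec[0]) or "")  # '//h/x' -> https
            if urlsplit(url).scheme == "http":
                self.findings.append((spec[1], tag, url))

def find_mixed_content(page_url, html):
    """[(kind, tag, absolute_url)] for each http:// load on an https page."""
    if urlsplit(page_url).scheme != "https":
        return []  # a plain-http page has nothing 'mixed' about it
    p = _Collector(page_url)
    p.feed(html)
    return p.findings

def hsts_max_age(headers):
    """max-age (seconds) from Strict-Transport-Security, None if absent."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), "")
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.strip('"').isdigit():
            return int(val.strip('"'))
    return None

# Constructed sample: the logo URL from the thread plus made-up example.org hosts.
PAGE_URL = "https://download.jitsi.org/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://static.example.org/site.css">
<script src="//cdn.example.org/site.js"></script></head><body>
<img src="http://www.sip-communicator.org/wiki/pub/sip-communicator/sc_logo16x16.png">
<a href="http://jitsi.org/">Jitsi home</a></body></html>"""
```

The protocol-relative script resolves to https and is not reported, and the plain http link to the home page is a navigation target rather than a subresource, so it is George's separate point and not mixed content.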


#6

Dear Emil,


--------------------------------------------
From: Emil Ivov <emcho@jitsi.org>
Sent: Fri, 12 Sep 2014 22:26:18 +0200
To: Jitsi Users
Subject: Re: [jitsi-users] Qualys SSL Labs Gives Jitsi Download Site an "F" Rating

If anyone out there wants to pay for a server at, say OVH, and donate it to
us for downloads that would be more helpful than trying to "pressure" us
into something we want to do anyway.

Can you give us some traffic stats regarding the downloads? I'll donate money
to replace the SSL cert but if you don't have root access to
download.jitsi.org, it may not be possible to update the cert.

I will say that I like seeing HSTS enabled!

--sent from my mobile

Have a great weekend!

-j
--
inum: 883510009027723
sip: jungleboogie@sip2sip.info
xmpp: jungle-boogie@jit.si


#7

Hi,

I'm in total agreement with George.

So the question appears to be one of resources - what is to be done?
Shall help with server space? Should we raise money?

What is the best way to help this specific part of improving Jitsi?

All the best,
Jacob


#8

I have just heard back from the University of Strasbourg. They are
working on providing new, better secured download infrastructure.


On Sat, Sep 13, 2014 at 11:10 AM, Jacob Appelbaum <jacob@appelbaum.net> wrote:

Hi,

I'm in total agreement with George.

So the question appears to be one of resources - what is to be done?
Shall help with server space? Should we raise money?

What is the best way to help this specific part of improving Jitsi?

All the best,
Jacob


--
https://jitsi.org


#9

Hey folks,

The University of Strasbourg have just upgraded the infrastructure
they graciously provide to us:

https://www.ssllabs.com/ssltest/analyze.html?d=download.jitsi.org

We now have an A- rating.

Emil


On Sat, Sep 13, 2014 at 11:10 AM, Jacob Appelbaum <jacob@appelbaum.net> wrote:

Hi,

I'm in total agreement with George.

So the question appears to be one of resources - what is to be done?
Shall help with server space? Should we raise money?

What is the best way to help this specific part of improving Jitsi?

All the best,
Jacob


--
https://jitsi.org


#10

Dear Emil,


--------------------------------------------
From: Emil Ivov <emcho@jitsi.org>
Sent: Tue, 2 Dec 2014 18:12:36 +0100
To: Jitsi Users, Jacob Appelbaum <jacob@appelbaum.net>
Subject: Re: [jitsi-users] Qualys SSL Labs Gives Jitsi Download Site an "F" Rating

Hey folks,

The University of Strasbourg have just upgraded the infrastructure
they graciously provide to us:

https://www.ssllabs.com/ssltest/analyze.html?d=download.jitsi.org

We now have an A- rating.

Please provide my sincerest gratitude for the improved rating to The University of Strasbourg.

Emil

j.b.

--
inum: 883510009027723
sip: jungleboogie@sip2sip.info
xmpp: jungle-boogie@jit.si