[jitsi-users] question about server attack


#1

Bonjour, Guten Tag, Good day dear Jitsi team,

I really appreciate this very useful and PRISM-free software, especially because of its European origin (France).
However, I'm concerned about the attack at jit.si (also, I received the message about this issue via Jitsi, thanks for that).
May I please get some more information on this, because I'm planning to set up my own XMPP server (as I'm an experienced developer myself).
How could the attacker break into the system (so I know what exactly I have to protect myself from those)?
Why were those passwords stored in a way so you could easily decrypt them? Seriously, this ain't very comfortable at all (understatement) as I have to tell my friends to reset the passwords and check their other accounts.

Regardless of this security incident, I keep spreading word about Jitsi. Especially the Android version seems to be very attractive to the average standard user out there, whenever I tell them about that :stuck_out_tongue:

PS: you might want to change the href value at https://jitsi.org/Main/JitSiCompromise20131126 as its value is "users@jitsi.rog" :wink:

best regards,
Roman Dissertori


#2

> Bonjour, Guten Tag, Good day dear Jitsi team,
>
> I really appreciate this very useful and PRISM-free software, especially
> because of its European origin (France).
> However, I'm concerned about the attack at jit.si (also, I received the
> message about this issue via Jitsi, thanks for that).
> May I please get some more information on this, because I'm planning to
> set up my own XMPP server (as I'm an experienced developer myself).
> How could the attacker break into the system (so I know what exactly I
> have to protect myself from those)?

This is still under investigation. At this point we believe it started with a compromised password but we are not sure how that happened. (The password was strong enough so a brute force is unlikely).

> Why were those passwords stored in a way so you could easily decrypt
> them? Seriously, this ain't very comfortable at all (understatement) as
> I have to tell my friends to reset the passwords and check their other
> accounts.

You can direct that question to the Openfire forums. We are currently looking at possible alternatives ourselves.

> Regardless of this security incident, I keep spreading word about Jitsi.

Thanks. It is worth mentioning that Jitsi protects exactly against that kind of incident.

> Especially the Android version seems to be very attractive to the
> average standard user out there, whenever I tell them about that :stuck_out_tongue:
>
> PS: you might want to change the href value at
> https://jitsi.org/Main/JitSiCompromise20131126 as its value is
> "users@jitsi.rog" :wink:

Thanks! Fixed.

Emil

On 30.11.13, 07:18, Roman Dissertori wrote:

> best regards,
> Roman Dissertori

--
https://jitsi.org