[jitsi-users] Security in conference call


#1

Greetings. I am attempting to switch my organization of several
hundred members from Skype to Jitsi for security reasons.

I am the leader of a test group working on investigating the
feasibility of this transfer.

We are currently working over jit.si XMPP server, although we intend
to set up our own server if we feel that we can implement the switch
as an organization.

I am impressed with the quality and the ease of the ZRTP encryption in
one-on-one calls. However, when I try to establish a secure conference
call with three or more participants I am uncertain of the security
and encryption of the call.

The host or initiator of the call shows each connection as secure,
with a green ZRTP padlock. The other members of the call however only
list their connection to the host as secured. They display a red,
unlocked ZRTP padlock for their connection with the other participants
in the call.

Note that this is not over videobridge, but conference call.

Is the conference call secure? What needs to be done to resolve this
issue?

I have a host of other questions, but this is the most pressing and
fundamental concern.

Thank you for your help.

Sincerely,

Joseph Santolan


#2

I have observed very same in conference calls as well (not in
videobridge, where zRTP is not implemented (yet) :
(A) who starts conference (e.g in total 3 participants with B and C)
will see green padlock only between A-B and A-C.
However between B-C the padlock is red

Q: is the connection between B-C secure?

kind regards, MS

···

On 5/17/13 10:08 PM, Joseph Santolan wrote:

* PGP Signed by an unknown key

Greetings. I am attempting to switch my organization of several
hundred members from Skype to Jitsi for security reasons.

I am the leader of a test group working on investigating the
feasibility of this transfer.

We are currently working over jit.si XMPP server, although we intend
to set up our own server if we feel that we can implement the switch
as an organization.

I am impressed with the quality and the ease of the ZRTP encryption in
one-on-one calls. However, when I try to establish a secure conference
call with three or more participants I am uncertain of the security
and encryption of the call.

The host or initiator of the call shows each connection as secure,
with a green ZRTP padlock. The other members of the call however only
list their connection to the host as secured. They display a red,
unlocked ZRTP padlock for their connection with the other participants
in the call.

Note that this is not over videobridge, but conference call.

Is the conference call secure? What needs to be done to resolve this
issue?

I have a host of other questions, but this is the most pressing and
fundamental concern.

Thank you for your help.

Sincerely,

Joseph Santolan

* Unknown Key
* 0xACCD0911(L)

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#3

Hey Joseph,

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings. I am attempting to switch my organization of several
hundred members from Skype to Jitsi for security reasons.

I am the leader of a test group working on investigating the
feasibility of this transfer.

We are currently working over jit.si XMPP server, although we intend
to set up our own server if we feel that we can implement the switch
as an organization.

I am impressed with the quality and the ease of the ZRTP encryption in
one-on-one calls. However, when I try to establish a secure conference
call with three or more participants I am uncertain of the security
and encryption of the call.

The host or initiator of the call shows each connection as secure,
with a green ZRTP padlock. The other members of the call however only
list their connection to the host as secured. They display a red,
unlocked ZRTP padlock for their connection with the other participants
in the call.

Note that this is not over videobridge, but conference call.

Is the conference call secure?

Yes it is. Every participant only has one media connection: the one with
the organiser. If all connections appear as secure on the focus then you
are fine and the rest is a gui rendering bug.

What needs to be done to resolve this
issue?

Could you please file it?

Emil

···

On 17.05.13, 23:08, Joseph Santolan wrote:

I have a host of other questions, but this is the most pressing and
fundamental concern.

Thank you for your help.

Sincerely,

Joseph Santolan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJRlo41AAoJEPceuRCszQkRPs0H/jVL+QcmpdhXPtPE94rnnPS8
QFElTpC/VDTUEV2jdUmgwl8T+bn0UtsaxgCtK9wmLusMxBTFtuSNCy8CKBjl2u1L
V23rqHjWqbX4POC04q0cqR5xuL+n3cxq80ef6Oub80nzv2ziwiJRdgRM+r7S4JGi
9KSa1xofdh6SMurEHA+a+mhpe1ed5yYmB65Pa/LshKBIrSfo+mBJZWBHe+HFJWUj
3Krq9KTCC9DEnt1QKbeMb1qSkCpAEmkF581j+1jX+sgjrVcgXwMKmUDt69N91+aO
/b6BsGbIFuJkwDMYu6m1TrnMcdrpNy0MgHLPz8IQ0u+YNa/lUeEbxiUVlLlob9g=
=gp+S
-----END PGP SIGNATURE-----

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
.

--
https://jitsi.org


#4

Hi,

This is exactly what I got stuck on investigating when I started to try
out Jitsi some time ago.

This is almost a blocker for me to implement Jitsi in my organisation.

I wrote this to the mailinglist but don't think I got much response at
the time:

···

---
On the first page of the attached pdf the audio call window from the
three attendees is shown. For the host of the conference the zrtp
indicator shows as green and says "Call secured". However in the two
attendees clients only the connection with the host is indicated as
secured and the other says "Call not secure".

The second page of the attached pdf shows an video conference where the
host shares the screen. The situation seems to be the same here.

What does this mean for the security of the conference?
---

My original e-mail can be read here:
http://lists.jitsi.org/pipermail/dev/2012-December/001107.html

And with an PDF with images showing the situation (Old Jitsi version
from 2012 though):
http://lists.jitsi.org/pipermail/dev/attachments/20121218/9436dd92/attachment.pdf

Best regards,
Markus

On 2013-05-18 10:14, Mr.Smith wrote:

I have observed very same in conference calls as well (not in
videobridge, where zRTP is not implemented (yet) :
(A) who starts conference (e.g in total 3 participants with B and C)
will see green padlock only between A-B and A-C.
However between B-C the padlock is red

Q: is the connection between B-C secure?

kind regards, MS

On 5/17/13 10:08 PM, Joseph Santolan wrote:

* PGP Signed by an unknown key

Greetings. I am attempting to switch my organization of several
hundred members from Skype to Jitsi for security reasons.

I am the leader of a test group working on investigating the
feasibility of this transfer.

We are currently working over jit.si XMPP server, although we intend
to set up our own server if we feel that we can implement the switch
as an organization.

I am impressed with the quality and the ease of the ZRTP encryption in
one-on-one calls. However, when I try to establish a secure conference
call with three or more participants I am uncertain of the security
and encryption of the call.

The host or initiator of the call shows each connection as secure,
with a green ZRTP padlock. The other members of the call however only
list their connection to the host as secured. They display a red,
unlocked ZRTP padlock for their connection with the other participants
in the call.

Note that this is not over videobridge, but conference call.

Is the conference call secure? What needs to be done to resolve this
issue?

I have a host of other questions, but this is the most pressing and
fundamental concern.

Thank you for your help.

Sincerely,

Joseph Santolan

* Unknown Key
* 0xACCD0911(L)

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev


#5

Hey MS,

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I have observed very same in conference calls as well (not in
videobridge, where zRTP is not implemented (yet) :
(A) who starts conference (e.g in total 3 participants with B and C)
will see green padlock only between A-B and A-C.
However between B-C the padlock is red

Q: is the connection between B-C secure?

There is no connection between B and C, so if A-B and A-C show up as
green, everything is fine.

Emil

···

On 18.05.13, 11:14, Mr.Smith wrote:

kind regards, MS

On 5/17/13 10:08 PM, Joseph Santolan wrote:

* PGP Signed by an unknown key

Greetings. I am attempting to switch my organization of several
hundred members from Skype to Jitsi for security reasons.

I am the leader of a test group working on investigating the
feasibility of this transfer.

We are currently working over jit.si XMPP server, although we intend
to set up our own server if we feel that we can implement the switch
as an organization.

I am impressed with the quality and the ease of the ZRTP encryption in
one-on-one calls. However, when I try to establish a secure conference
call with three or more participants I am uncertain of the security
and encryption of the call.

The host or initiator of the call shows each connection as secure,
with a green ZRTP padlock. The other members of the call however only
list their connection to the host as secured. They display a red,
unlocked ZRTP padlock for their connection with the other participants
in the call.

Note that this is not over videobridge, but conference call.

Is the conference call secure? What needs to be done to resolve this
issue?

I have a host of other questions, but this is the most pressing and
fundamental concern.

Thank you for your help.

Sincerely,

Joseph Santolan

* Unknown Key
* 0xACCD0911(L)

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.3.0 (Build 8741)
Charset: ISO-8859-1

wsBVAwUBUZc4U3IFU87htrbeAQiQuAgAjMErpT20rlwuaTDOCZVPndjAevPiEhXl
hjONyLDpT2Rez3hQMBlnBw6b9KVfmvC8XwvQjZ2XO7NklOBqyg/ynJXDzlbe8QdL
KZy1IMILwXPOKTyFSPvX+LQqOffrXrCr6l7rQ2aCSa9ooB8Em58c1lMTtcsQ5rF5
pbbbPARLPtdehLrcasw9ljhWqbRAN+PnOgXlBlEBcJZ0LG9Z53JlhyjxzFEqgAjy
uOBlqrsrL8L+qm7RD6f85W/am4msPwWoqsqMkz5eC8J01rIHtptrzQp8XSxWShHT
pftz1QUQxvvXiIMn7wFTS8uF+6G4z5+af9w7PJfxt1kkAWunuMRefg==
=mNtP
-----END PGP SIGNATURE-----

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev
.

--
https://jitsi.org


#6

Thanks, Emil. I will file a report on this.

Quick question: isn't there an XMPP coin exchanged between B and C? Is
it possible that this is the connection being deemed insecure and not
simply an artifact of the GUI?

If my understanding is completely off-base on this, just say so.

Best regards,

Joseph

···

On 5/18/2013 3:40 AM, Emil Ivov wrote:

Hey MS,

On 18.05.13, 11:14, Mr.Smith wrote:
I have observed very same in conference calls as well (not in
videobridge, where zRTP is not implemented (yet) :
(A) who starts conference (e.g in total 3 participants with B and C)
will see green padlock only between A-B and A-C.
However between B-C the padlock is red

Q: is the connection between B-C secure?

There is no connection between B and C, so if A-B and A-C show up as
green, everything is fine.

Emil

kind regards, MS

On 5/17/13 10:08 PM, Joseph Santolan wrote:

* PGP Signed by an unknown key

Greetings. I am attempting to switch my organization of several
hundred members from Skype to Jitsi for security reasons.

I am the leader of a test group working on investigating the
feasibility of this transfer.

We are currently working over jit.si XMPP server, although we intend
to set up our own server if we feel that we can implement the switch
as an organization.

I am impressed with the quality and the ease of the ZRTP encryption in
one-on-one calls. However, when I try to establish a secure conference
call with three or more participants I am uncertain of the security
and encryption of the call.

The host or initiator of the call shows each connection as secure,
with a green ZRTP padlock. The other members of the call however only
list their connection to the host as secured. They display a red,
unlocked ZRTP padlock for their connection with the other participants
in the call.

Note that this is not over videobridge, but conference call.

Is the conference call secure? What needs to be done to resolve this
issue?

I have a host of other questions, but this is the most pressing and
fundamental concern.

Thank you for your help.

Sincerely,

Joseph Santolan

* Unknown Key
* 0xACCD0911(L)

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev
.


#7

Hi Emil,
thx for your reply!

please excuse my ignorance (and this will probably be a stupid question) :

so B and C hear/see each other only over/via A but not between B-C?

(so probably the red padlock between B-C is therefore a bug (?) and
should be fixed, otherwise it irritates users a lot...)

kind regards, MS

PGP.sig (488 Bytes)

···

On 5/18/13 12:40 PM, Emil Ivov wrote:

Hey MS,

On 18.05.13, 11:14, Mr.Smith wrote:
I have observed very same in conference calls as well (not in
videobridge, where zRTP is not implemented (yet) :
(A) who starts conference (e.g in total 3 participants with B and C)
will see green padlock only between A-B and A-C.
However between B-C the padlock is red

Q: is the connection between B-C secure?

> There is no connection between B and C, so if A-B and A-C show up as
> green, everything is fine.

> Emil

kind regards, MS

On 5/17/13 10:08 PM, Joseph Santolan wrote:
>>>> Old Signed by an unknown key
>>>
>>> Greetings. I am attempting to switch my organization of several
>>> hundred members from Skype to Jitsi for security reasons.
>>>
>>> I am the leader of a test group working on investigating the
>>> feasibility of this transfer.
>>>
>>> We are currently working over jit.si XMPP server, although we intend
>>> to set up our own server if we feel that we can implement the switch
>>> as an organization.
>>>
>>> I am impressed with the quality and the ease of the ZRTP encryption in
>>> one-on-one calls. However, when I try to establish a secure conference
>>> call with three or more participants I am uncertain of the security
>>> and encryption of the call.
>>>
>>> The host or initiator of the call shows each connection as secure,
>>> with a green ZRTP padlock. The other members of the call however only
>>> list their connection to the host as secured. They display a red,
>>> unlocked ZRTP padlock for their connection with the other participants
>>> in the call.
>>>
>>> Note that this is not over videobridge, but conference call.
>>>
>>> Is the conference call secure? What needs to be done to resolve this
>>> issue?
>>>
>>> I have a host of other questions, but this is the most pressing and
>>> fundamental concern.
>>>
>>> Thank you for your help.
>>>
>>> Sincerely,
>>>
>>> Joseph Santolan
>>>
>>> * Unknown Key
>>> * 0xACCD0911(L)
>>>
>>> _______________________________________________
>>> users mailing list
>>> users@jitsi.org
>>> Unsubscribe instructions and other list options:
>>> http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev
.


#8

Hey Markus,

I am sorry we missed your mail.

As I already replied in this thread: this is just a GUI confusion. In a
conference call there are only connections between the focus and each
other participant. The red padlocks are a visualisation bug and we'll
fix it soon.

Cheers,
Emil

···

On 18.05.13, 11:50, Markus Kilås wrote:

Hi,

This is exactly what I got stuck on investigating when I started to try
out Jitsi some time ago.

This is almost a blocker for me to implement Jitsi in my organisation.

I wrote this to the mailinglist but don't think I got much response at
the time:
---
On the first page of the attached pdf the audio call window from the
three attendees is shown. For the host of the conference the zrtp
indicator shows as green and says "Call secured". However in the two
attendees clients only the connection with the host is indicated as
secured and the other says "Call not secure".

The second page of the attached pdf shows an video conference where the
host shares the screen. The situation seems to be the same here.

What does this mean for the security of the conference?
---

My original e-mail can be read here:
http://lists.jitsi.org/pipermail/dev/2012-December/001107.html

And with an PDF with images showing the situation (Old Jitsi version
from 2012 though):
http://lists.jitsi.org/pipermail/dev/attachments/20121218/9436dd92/attachment.pdf

Best regards,
Markus

On 2013-05-18 10:14, Mr.Smith wrote:

I have observed very same in conference calls as well (not in
videobridge, where zRTP is not implemented (yet) :
(A) who starts conference (e.g in total 3 participants with B and C)
will see green padlock only between A-B and A-C.
However between B-C the padlock is red

Q: is the connection between B-C secure?

kind regards, MS

On 5/17/13 10:08 PM, Joseph Santolan wrote:

* PGP Signed by an unknown key

Greetings. I am attempting to switch my organization of several
hundred members from Skype to Jitsi for security reasons.

I am the leader of a test group working on investigating the
feasibility of this transfer.

We are currently working over jit.si XMPP server, although we intend
to set up our own server if we feel that we can implement the switch
as an organization.

I am impressed with the quality and the ease of the ZRTP encryption in
one-on-one calls. However, when I try to establish a secure conference
call with three or more participants I am uncertain of the security
and encryption of the call.

The host or initiator of the call shows each connection as secure,
with a green ZRTP padlock. The other members of the call however only
list their connection to the host as secured. They display a red,
unlocked ZRTP padlock for their connection with the other participants
in the call.

Note that this is not over videobridge, but conference call.

Is the conference call secure? What needs to be done to resolve this
issue?

I have a host of other questions, but this is the most pressing and
fundamental concern.

Thank you for your help.

Sincerely,

Joseph Santolan

* Unknown Key
* 0xACCD0911(L)

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev
.

--
https://jitsi.org


#9

Thanks, Emil. I will file a report on this.

Quick question: isn't there an XMPP coin exchanged between B and C? Is
it possible that this is the connection being deemed insecure and not
simply an artifact of the GUI?

No, the signaling part is not involved in this indication (as long as it
concerns ZRTP).

If my understanding is completely off-base on this, just say so.

Best regards,
Joseph

Ingo


#10

Hey Emil,

Ok, great no problem.

I think it is important that it is very clear for the user if and how
the connections are secured. Fixing the icon/message might be enough in
this case.

In a future version it would be very cool if it was possible to somehow
get some visual representation of all the different connections Jitsi is
establishing between the client and the server for signalling and
messaging and for media streams between clients. Maybe not so small task
to implement though...

Best regards,
Markus

···

On 2013-05-18 13:10, Emil Ivov wrote:

Hey Markus,

I am sorry we missed your mail.

As I already replied in this thread: this is just a GUI confusion. In a
conference call there are only connections between the focus and each
other participant. The red padlocks are a visualisation bug and we'll
fix it soon.

Cheers,
Emil

On 18.05.13, 11:50, Markus Kil�s wrote:

Hi,

This is exactly what I got stuck on investigating when I started to try
out Jitsi some time ago.

This is almost a blocker for me to implement Jitsi in my organisation.

I wrote this to the mailinglist but don't think I got much response at
the time:
---
On the first page of the attached pdf the audio call window from the
three attendees is shown. For the host of the conference the zrtp
indicator shows as green and says "Call secured". However in the two
attendees clients only the connection with the host is indicated as
secured and the other says "Call not secure".

The second page of the attached pdf shows an video conference where the
host shares the screen. The situation seems to be the same here.

What does this mean for the security of the conference?
---

My original e-mail can be read here:
http://lists.jitsi.org/pipermail/dev/2012-December/001107.html

And with an PDF with images showing the situation (Old Jitsi version
from 2012 though):
http://lists.jitsi.org/pipermail/dev/attachments/20121218/9436dd92/attachment.pdf

Best regards,
Markus

On 2013-05-18 10:14, Mr.Smith wrote:

I have observed very same in conference calls as well (not in
videobridge, where zRTP is not implemented (yet) :
(A) who starts conference (e.g in total 3 participants with B and C)
will see green padlock only between A-B and A-C.
However between B-C the padlock is red

Q: is the connection between B-C secure?

kind regards, MS

On 5/17/13 10:08 PM, Joseph Santolan wrote:

* PGP Signed by an unknown key

Greetings. I am attempting to switch my organization of several
hundred members from Skype to Jitsi for security reasons.

I am the leader of a test group working on investigating the
feasibility of this transfer.

We are currently working over jit.si XMPP server, although we intend
to set up our own server if we feel that we can implement the switch
as an organization.

I am impressed with the quality and the ease of the ZRTP encryption in
one-on-one calls. However, when I try to establish a secure conference
call with three or more participants I am uncertain of the security
and encryption of the call.

The host or initiator of the call shows each connection as secure,
with a green ZRTP padlock. The other members of the call however only
list their connection to the host as secured. They display a red,
unlocked ZRTP padlock for their connection with the other participants
in the call.

Note that this is not over videobridge, but conference call.

Is the conference call secure? What needs to be done to resolve this
issue?

I have a host of other questions, but this is the most pressing and
fundamental concern.

Thank you for your help.

Sincerely,

Joseph Santolan

* Unknown Key
* 0xACCD0911(L)

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev
.


#11

Hey Emil,

Ok, great no problem.

I think it is important that it is very clear for the user if and how
the connections are secured. Fixing the icon/message might be enough in
this case.

Yes, we will be removing the red padlocks for non-peer participants. The
organiser will be able to see everyone's security status. Participants
will only be able to see the status of their only connection with the
organiser.

In a future version it would be very cool if it was possible to somehow
get some visual representation of all the different connections Jitsi is
establishing between the client and the server for signalling and
messaging and for media streams between clients. Maybe not so small task
to implement though...

That information is actually already available in the call info window.

Cheers,
Emil

···

On 18.05.13, 14:37, Markus Kilås wrote:

Best regards,
Markus

On 2013-05-18 13:10, Emil Ivov wrote:

Hey Markus,

I am sorry we missed your mail.

As I already replied in this thread: this is just a GUI confusion. In a
conference call there are only connections between the focus and each
other participant. The red padlocks are a visualisation bug and we'll
fix it soon.

Cheers,
Emil

On 18.05.13, 11:50, Markus Kilås wrote:

Hi,

This is exactly what I got stuck on investigating when I started to try
out Jitsi some time ago.

This is almost a blocker for me to implement Jitsi in my organisation.

I wrote this to the mailinglist but don't think I got much response at
the time:
---
On the first page of the attached pdf the audio call window from the
three attendees is shown. For the host of the conference the zrtp
indicator shows as green and says "Call secured". However in the two
attendees clients only the connection with the host is indicated as
secured and the other says "Call not secure".

The second page of the attached pdf shows an video conference where the
host shares the screen. The situation seems to be the same here.

What does this mean for the security of the conference?
---

My original e-mail can be read here:
http://lists.jitsi.org/pipermail/dev/2012-December/001107.html

And with an PDF with images showing the situation (Old Jitsi version
from 2012 though):
http://lists.jitsi.org/pipermail/dev/attachments/20121218/9436dd92/attachment.pdf

Best regards,
Markus

On 2013-05-18 10:14, Mr.Smith wrote:

I have observed very same in conference calls as well (not in
videobridge, where zRTP is not implemented (yet) :
(A) who starts conference (e.g in total 3 participants with B and C)
will see green padlock only between A-B and A-C.
However between B-C the padlock is red

Q: is the connection between B-C secure?

kind regards, MS

On 5/17/13 10:08 PM, Joseph Santolan wrote:

* PGP Signed by an unknown key

Greetings. I am attempting to switch my organization of several
hundred members from Skype to Jitsi for security reasons.

I am the leader of a test group working on investigating the
feasibility of this transfer.

We are currently working over jit.si XMPP server, although we intend
to set up our own server if we feel that we can implement the switch
as an organization.

I am impressed with the quality and the ease of the ZRTP encryption in
one-on-one calls. However, when I try to establish a secure conference
call with three or more participants I am uncertain of the security
and encryption of the call.

The host or initiator of the call shows each connection as secure,
with a green ZRTP padlock. The other members of the call however only
list their connection to the host as secured. They display a red,
unlocked ZRTP padlock for their connection with the other participants
in the call.

Note that this is not over videobridge, but conference call.

Is the conference call secure? What needs to be done to resolve this
issue?

I have a host of other questions, but this is the most pressing and
fundamental concern.

Thank you for your help.

Sincerely,

Joseph Santolan

* Unknown Key
* 0xACCD0911(L)

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev
.

--
https://jitsi.org


#12

Is it possible that the situation is similar as at chatrooms?
The encryption lock is not closed at every chat member. Someone
has locked lock and can modify it, someone just have it grayed
out, and can not change.

···

On Mon May 27 14:31:27 2013, hristo wrote:

I have just committed the following change:

The creator of the call can see the security status of all other
participants, but the other participants can see only the zrtp lock icon
(security status label) for the creator of the call.

For example:
If A calls B and C, in the conference call window of A zrtp lock icons are
displayed for B and C, in the conference windows of B and C zrtp lock icons
are displayed only for A (which is the creator of the conference call).

The change will be available in the next nightly build.

--
  Regards,
        Zsiga


#13

Hey Emil,

Ok, great no problem.

I think it is important that it is very clear for the user if and how
the connections are secured. Fixing the icon/message might be enough in
this case.

Yes, we will be removing the red padlocks for non-peer participants. The
organiser will be able to see everyone's security status. Participants
will only be able to see the status of their only connection with the
organiser.

We once had the padlocks of the participants simply following the status of the organizer. Don't you think we should get that back working instead of showing no padlock at all?

In a future version it would be very cool if it was possible to somehow
get some visual representation of all the different connections Jitsi is
establishing between the client and the server for signalling and
messaging and for media streams between clients. Maybe not so small task
to implement though...

That information is actually already available in the call info window.

Cheers,
Emil

Ingo

···

Le 18.05.2013 à 13:50, "Emil Ivov" <emcho@jitsi.org> a écrit :

On 18.05.13, 14:37, Markus Kilås wrote:

Best regards,
Markus

On 2013-05-18 13:10, Emil Ivov wrote:

Hey Markus,

I am sorry we missed your mail.

As I already replied in this thread: this is just a GUI confusion. In a
conference call there are only connections between the focus and each
other participant. The red padlocks are a visualisation bug and we'll
fix it soon.

Cheers,
Emil

On 18.05.13, 11:50, Markus Kilås wrote:

Hi,

This is exactly what I got stuck on investigating when I started to try
out Jitsi some time ago.

This is almost a blocker for me to implement Jitsi in my organisation.

I wrote this to the mailinglist but don't think I got much response at
the time:
---
On the first page of the attached pdf the audio call window from the
three attendees is shown. For the host of the conference the zrtp
indicator shows as green and says "Call secured". However in the two
attendees clients only the connection with the host is indicated as
secured and the other says "Call not secure".

The second page of the attached pdf shows an video conference where the
host shares the screen. The situation seems to be the same here.

What does this mean for the security of the conference?
---

My original e-mail can be read here:
http://lists.jitsi.org/pipermail/dev/2012-December/001107.html

And with an PDF with images showing the situation (Old Jitsi version
from 2012 though):
http://lists.jitsi.org/pipermail/dev/attachments/20121218/9436dd92/attachment.pdf

Best regards,
Markus

On 2013-05-18 10:14, Mr.Smith wrote:

I have observed very same in conference calls as well (not in
videobridge, where zRTP is not implemented (yet) :
(A) who starts conference (e.g in total 3 participants with B and C)
will see green padlock only between A-B and A-C.
However between B-C the padlock is red

Q: is the connection between B-C secure?

kind regards, MS

On 5/17/13 10:08 PM, Joseph Santolan wrote:

* PGP Signed by an unknown key

Greetings. I am attempting to switch my organization of several
hundred members from Skype to Jitsi for security reasons.

I am the leader of a test group working on investigating the
feasibility of this transfer.

We are currently working over jit.si XMPP server, although we intend
to set up our own server if we feel that we can implement the switch
as an organization.

I am impressed with the quality and the ease of the ZRTP encryption in
one-on-one calls. However, when I try to establish a secure conference
call with three or more participants I am uncertain of the security
and encryption of the call.

The host or initiator of the call shows each connection as secure,
with a green ZRTP padlock. The other members of the call however only
list their connection to the host as secured. They display a red,
unlocked ZRTP padlock for their connection with the other participants
in the call.

Note that this is not over videobridge, but conference call.

Is the conference call secure? What needs to be done to resolve this
issue?

I have a host of other questions, but this is the most pressing and
fundamental concern.

Thank you for your help.

Sincerely,

Joseph Santolan

* Unknown Key
* 0xACCD0911(L)

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev
.

--
https://jitsi.org

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev


#14

My thinking is that they don't carry extra information. We show
participants as children of the focus. We also show the status of the
focus. That's all we know.

--sent from my mobile

···

On May 18, 2013 6:39 PM, "Ingo Bauersachs" <ingo@sip-communicator.org> wrote:

Le 18.05.2013 à 13:50, "Emil Ivov" <emcho@jitsi.org> a écrit :

>
>
> On 18.05.13, 14:37, Markus Kilås wrote:
>> Hey Emil,
>>
>> Ok, great no problem.
>>
>> I think it is important that it is very clear for the user if and how
>> the connections are secured. Fixing the icon/message might be enough in
>> this case.
>
> Yes, we will be removing the red padlocks for non-peer participants. The
> organiser will be able to see everyone's security status. Participants
> will only be able to see the status of their only connection with the
> organiser.

We once had the padlocks of the participants simply following the status
of the organizer. Don't you think we should get that back working instead
of showing no padlock at all?

>> In a future version it would be very cool if it was possible to somehow
>> get some visual representation of all the different connections Jitsi is
>> establishing between the client and the server for signalling and
>> messaging and for media streams between clients. Maybe not so small task
>> to implement though...
>
> That information is actually already available in the call info window.
>
> Cheers,
> Emil
>

Ingo

>
>>
>> Best regards,
>> Markus
>>
>>
>> On 2013-05-18 13:10, Emil Ivov wrote:
>>> Hey Markus,
>>>
>>> I am sorry we missed your mail.
>>>
>>> As I already replied in this thread: this is just a GUI confusion. In a
>>> conference call there are only connections between the focus and each
>>> other participant. The red padlocks are a visualisation bug and we'll
>>> fix it soon.
>>>
>>> Cheers,
>>> Emil
>>>
>>> On 18.05.13, 11:50, Markus Kilås wrote:
>>>> Hi,
>>>>
>>>> This is exactly what I got stuck on investigating when I started to
try
>>>> out Jitsi some time ago.
>>>>
>>>> This is almost a blocker for me to implement Jitsi in my organisation.
>>>>
>>>> I wrote this to the mailinglist but don't think I got much response at
>>>> the time:
>>>> ---
>>>> On the first page of the attached pdf the audio call window from the
>>>> three attendees is shown. For the host of the conference the zrtp
>>>> indicator shows as green and says "Call secured". However in the two
>>>> attendees clients only the connection with the host is indicated as
>>>> secured and the other says "Call not secure".
>>>>
>>>> The second page of the attached pdf shows an video conference where
the
>>>> host shares the screen. The situation seems to be the same here.
>>>>
>>>> What does this mean for the security of the conference?
>>>> ---
>>>>
>>>> My original e-mail can be read here:
>>>> http://lists.jitsi.org/pipermail/dev/2012-December/001107.html
>>>>
>>>> And with an PDF with images showing the situation (Old Jitsi version
>>>> from 2012 though):
>>>>
http://lists.jitsi.org/pipermail/dev/attachments/20121218/9436dd92/attachment.pdf
>>>>
>>>>
>>>> Best regards,
>>>> Markus
>>>>
>>>>
>>>> On 2013-05-18 10:14, Mr.Smith wrote:
>>>>> I have observed very same in conference calls as well (not in
>>>>> videobridge, where zRTP is not implemented (yet) :
>>>>> (A) who starts conference (e.g in total 3 participants with B and C)
>>>>> will see green padlock only between A-B and A-C.
>>>>> However between B-C the padlock is red
>>>>>
>>>>> Q: is the connection between B-C secure?
>>>>>
>>>>> kind regards, MS
>>>>>
>>>>>
>>>>> On 5/17/13 10:08 PM, Joseph Santolan wrote:
>>>>>> * PGP Signed by an unknown key
>>>>>
>>>>>> Greetings. I am attempting to switch my organization of several
>>>>>> hundred members from Skype to Jitsi for security reasons.
>>>>>
>>>>>> I am the leader of a test group working on investigating the
>>>>>> feasibility of this transfer.
>>>>>
>>>>>> We are currently working over jit.si XMPP server, although we
intend
>>>>>> to set up our own server if we feel that we can implement the switch
>>>>>> as an organization.
>>>>>
>>>>>> I am impressed with the quality and the ease of the ZRTP encryption
in
>>>>>> one-on-one calls. However, when I try to establish a secure
conference
>>>>>> call with three or more participants I am uncertain of the security
>>>>>> and encryption of the call.
>>>>>
>>>>>> The host or initiator of the call shows each connection as secure,
>>>>>> with a green ZRTP padlock. The other members of the call however
only
>>>>>> list their connection to the host as secured. They display a red,
>>>>>> unlocked ZRTP padlock for their connection with the other
participants
>>>>>> in the call.
>>>>>
>>>>>> Note that this is not over videobridge, but conference call.
>>>>>
>>>>>> Is the conference call secure? What needs to be done to resolve this
>>>>>> issue?
>>>>>
>>>>>> I have a host of other questions, but this is the most pressing and
>>>>>> fundamental concern.
>>>>>
>>>>>> Thank you for your help.
>>>>>
>>>>>> Sincerely,
>>>>>
>>>>>> Joseph Santolan
>>>>>
>>>>>> * Unknown Key
>>>>>> * 0xACCD0911(L)
>>>>>
>>>>>> _______________________________________________
>>>>>> users mailing list
>>>>>> users@jitsi.org
>>>>>> Unsubscribe instructions and other list options:
>>>>>> http://lists.jitsi.org/mailman/listinfo/users
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> dev mailing list
>>>>> dev@jitsi.org
>>>>> Unsubscribe instructions and other list options:
>>>>> http://lists.jitsi.org/mailman/listinfo/dev
>>>>
>>>>
>>>> _______________________________________________
>>>> dev mailing list
>>>> dev@jitsi.org
>>>> Unsubscribe instructions and other list options:
>>>> http://lists.jitsi.org/mailman/listinfo/dev
>>>> .
>
> --
> https://jitsi.org
>
>
> _______________________________________________
> dev mailing list
> dev@jitsi.org
> Unsubscribe instructions and other list options:
> http://lists.jitsi.org/mailman/listinfo/dev
>

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev


#15

My thinking is that they don't carry extra information. We show
participants as children of the focus. We also show the status of the
focus. That's all we know.

Hmm, true. And the peer info goes through signaling, hence we can't rely on
it...
We'd need to transmit that info over the secured media channel. So I guess
we stick with removing it...

Ingo