[jitsi-users] Security issue


#1

Hello to everyone,

I put up a site on a Debian 9.1 system with fail2ban 0.9.6-2 with these packages installed:

ii jitsi-meet 1.0.2098-1 all WebRTC JavaScript video conferences
ii jitsi-meet-prosody 1.0.1967-1 all Prosody configuration for Jitsi Meet
ii jitsi-meet-web 1.0.1967-1 all WebRTC JavaScript video conferences
ii jitsi-meet-web-config 1.0.1967-1 all Configuration for web serving of Jitsi Meet
ii jitsi-videobridge 953-1 amd64 WebRTC compatible Selective Forwarding Unit (SFU)

A colleague of mine asked me: "can anyone use this service… if anyone can start a conference, is it not open to abuse?"

I replied: "no more than any other website, I think"

Is this correct? Or do you have experience of some kind of abuse?

Thanks,
   Matteo


#2

We operate an open instance at meet.jit.si and I’m not aware of any specific abuse situation, though others may have more info on that.

If you are running your own deployment, you may want to turn on authentication (https://github.com/jitsi/jicofo#secure-domain) so only users you have created an account for can log in.

Cheers,

On Aug 20, 2017, at 10:27, Matteo Calorio <matteo.calorio@linux.ors-tech.it> wrote:

Hello to everyone,

I put up a site on a Debian 9.1 system with fail2ban 0.9.6-2 with these packages installed:

ii jitsi-meet 1.0.2098-1 all WebRTC JavaScript video conferences
ii jitsi-meet-prosody 1.0.1967-1 all Prosody configuration for Jitsi Meet
ii jitsi-meet-web 1.0.1967-1 all WebRTC JavaScript video conferences
ii jitsi-meet-web-config 1.0.1967-1 all Configuration for web serving of Jitsi Meet
ii jitsi-videobridge 953-1 amd64 WebRTC compatible Selective Forwarding Unit (SFU)
A colleague of mine asked me: "can anyone use this service… if anyone can start a conference, is it not open to abuse?"

I replied: "no more than any other website, I think"

Is this correct? Or do you have experience of some kind of abuse?

--
Saúl
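
A way to check whether a deployment is still open after the change suggested above, as an added example that is not part of the thread or of the Jitsi project. It assumes the Prosody host file sets `authentication` per `VirtualHost` and that the main domain moves from `anonymous` to an account-backed provider; the host names and both sample configs are constructed.

```python
import re

# Constructed Prosody host configs; "meet.example.org" is a placeholder.
BEFORE = '''
VirtualHost "meet.example.org"
    authentication = "anonymous"
Component "conference.meet.example.org" "muc"
'''
AFTER = '''
VirtualHost "meet.example.org"
    -- authentication = "anonymous"
    authentication = "internal_plain"
-- optional guest host: guests can join, but not start, a conference
VirtualHost "guest.meet.example.org"
    authentication = "anonymous"
Component "conference.meet.example.org" "muc"
'''

SECTION = re.compile(r'^\s*(VirtualHost|Component)\s+"([^"]+)"')
AUTH = re.compile(r'^\s*authentication\s*=\s*"([^"]+)"')

def auth_by_host(cfg_text):
    """Map each VirtualHost to its authentication provider (None if unset)."""
    hosts, current = {}, None
    for raw in cfg_text.splitlines():
        # Drop Lua line comments (naive: assumes no "--" inside strings).
        line = raw.split("--", 1)[0]
        m = SECTION.match(line)
        if m:
            # A Component section ends the preceding VirtualHost's scope.
            current = m.group(2) if m.group(1) == "VirtualHost" else None
            if current:
                hosts.setdefault(current, None)
            continue
        m = AUTH.match(line)
        if m and current:
            hosts[current] = m.group(1)
    return hosts

def is_open(cfg_text, domain):
    """True if the given domain accepts connections without an account."""
    return auth_by_host(cfg_text).get(domain) == "anonymous"

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, "open" if is_open(cfg, "meet.example.org") else "accounts required")
```

Run it against the main conference domain, not the guest host, which stays anonymous by design.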