[jitsi-users] Security issue


#1

Hello to everyone,

I put up a site on a Debian 9.1 system with fail2ban 0.9.6-2 with these packages installed:

ii jitsi-meet 1.0.2098-1 all WebRTC JavaScript video conferences
ii jitsi-meet-prosody 1.0.1967-1 all Prosody configuration for Jitsi Meet
ii jitsi-meet-web 1.0.1967-1 all WebRTC JavaScript video conferences
ii jitsi-meet-web-config 1.0.1967-1 all Configuration for web serving of Jitsi Meet
ii jitsi-videobridge 953-1 amd64 WebRTC compatible Selective Forwarding Unit (SFU)

A colleague of mine asked me: "can anyone use this service… if anyone can start a conference, is it not open to abuse?"

I replied: "no more than any other website, I think"

Is this correct? Or do you have experience of some kind of abuse?

Thanks,
   Matteo


#2

If your domain is visible to the web, then yes, anyone could use it

You can set User/Password to create a room, and once created, others can join the room

Look for the 'Secure domain' section. https://github.com/jitsi/jicofo


_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#3

Presumably, it depends on what is meant by “abuse”.

If you are offering video conferencing services to anyone who can connect to your server, they can use it for any communication — you are not in control of what they say / do on video.

If that is your intention, it probably is not abuse. If you would rather they did not do that, locking your server down so it is either available only on your local network, or else that your firewall only lets in traffic from trusted end points, might be a plan, or you could go down the “Secure Domain” approach of requiring a prosody user’s password before a conference room can be opened.

See the bottom of https://github.com/jitsi/jicofo

Neil


On 23 Aug 2017, at 07:53, Matteo Calorio <matteo.calorio@linux.ors-tech.it> wrote:

A colleague of mine asked me: "can anyone use this service… if anyone can start a conference, is it not open to abuse?"
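Neil's "Secure Domain" pointer refers to the jicofo README setup in which room creation on the main Prosody VirtualHost requires a login while a separate guest VirtualHost stays anonymous. The check below is an added example, not from the thread or the Jitsi project: the domain names and config files are constructed, and it inspects only the Prosody side of that setup.

```shell
#!/bin/sh
# Added example (not from the thread or the Jitsi project): report whether the
# main Jitsi Meet domain in a Prosody config still allows anonymous room creation.
# Layout follows the jicofo README "Secure domain" section: the main VirtualHost
# uses internal_plain, a separate guest VirtualHost stays anonymous. jicofo's
# auth URL and config.js anonymousdomain are the other halves and are not checked.

# Print the authentication mode of one VirtualHost block (empty if unset).
vhost_auth() {   # usage: vhost_auth <prosody-config-file> <vhost-name>
    awk -v host="$2" '
        /^VirtualHost/ { in_host = (index($0, "\"" host "\"") > 0) }
        in_host && /authentication *=/ {
            gsub(/.*authentication *= *"|".*/, ""); print; exit
        }
    ' "$1"
}

# Succeed only when the main domain demands an authenticated Prosody user;
# a missing setting counts as "not verified" and therefore fails.
secure_domain_enabled() {   # usage: secure_domain_enabled <config> <main-domain>
    mode=$(vhost_auth "$1" "$2")
    [ -n "$mode" ] && [ "$mode" != "anonymous" ]
}

# Constructed sample configs: an open deployment and a secure-domain one.
OPEN_CFG=$(mktemp); SECURE_CFG=$(mktemp)
cat > "$OPEN_CFG" <<'EOF'
VirtualHost "meet.example.org"
    authentication = "anonymous"
EOF
cat > "$SECURE_CFG" <<'EOF'
VirtualHost "meet.example.org"
    authentication = "internal_plain"   -- creating a room needs a Prosody login
VirtualHost "guest.meet.example.org"
    authentication = "anonymous"        -- joining an existing room stays open
EOF

for cfg in "$OPEN_CFG" "$SECURE_CFG"; do
    if secure_domain_enabled "$cfg" meet.example.org; then
        echo "$cfg: secure domain enabled (main domain requires login)"
    else
        echo "$cfg: WARNING anyone can create rooms on meet.example.org"
    fi
done
```

Point `vhost_auth` at the real `/etc/prosody/conf.avail/<domain>.cfg.lua` to confirm the switch took effect after following the README.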


#4

Thanks to you and Tom for the reply!

I followed the instructions, but then how do I define users allowed to start a conference?

And how do they authenticate from the web page? I see a "Login" button, now, under "Profile" section, but it seems it does nothing...

Good day,
   Matteo



#5

I've only used it briefly but had to define and create accounts on Prosody (I'm sure there's instructions somewhere on the GitHub pages)

It has to be done via command line I believe



#6

prosodyctl adduser username@subdomain.domain.tld

Neil


On 23 Aug 2017, at 08:53, Tom Richardson <tom.richardson@mailbox.org> wrote:

how do I define users allowed to start a conference?

had to define and create accounts on Prosody


#7

Works perfectly, thanks! Matteo



#8

You can always turn on authentication for room creation, if you do not want anyone to use your server for video calling.

Best wishes

Neil