[jitsi-users] Security


#1

I have some general questions regarding security.

1) I'm using the free SIP Service provided by iptel.org. How reliable do you believe them to be? Are they trustworthy and secure?

2) In the audio/video chat window in Jitsi, I see a "Connected" label with a lock icon to the left of it. When I hover over this lock icon, some additional information pops up saying that the audio and video are encrypted. Does Jitsi indeed mean what it says? Are both the audio and video guaranteed to be encrypted?
For example, could the people who maintain iptel.org possibly look at the audio/video? (To be compared with Skype, where Skype itself could possibly be able to do some snooping/tapping - nobody knows for sure.)

3) Above the "Connected" label (the one mentioned in question 2 above), I see another label which shows "Compare with partner: **some code**". When I click the lock to the left of this text, a checkmark appears. What exactly does this mean and what is its purpose?

4) Text chats is where things get weird. When I'm text chatting with someone, and I click the lock-icon, all that happens is that I end up "typing" in **some code** to the chat window. What just happened? When my buddy does the same, the same code appears from him. (Also, the other person hears some weird sound too.) What's going on? Is the text chat encrypted or not? There is at least no "UI-level evidence" shown that the chat is encrypted.
For text chats, I also have the same question regarding whether iptel.org could possibly read people's chat messages.

Thanks in advance!


#2

Hey there,

On 11.11.11 12:23, Disqus User wrote:

> I have some general questions regarding security.
>
> 1) I'm using the free SIP Service provided by iptel.org. How reliable
> do you believe them to be? Are they trustworthy and secure?

Personally I am happy with it. We support custom accounts for only them
and ippi.com and we are happy with both. Of course trustworthiness is
mostly a matter of personal opinion, but that doesn't really matter in
the case of Jitsi.

> 2) In the audio/video chat window in Jitsi, I see a "Connected" label
> with a lock icon to the left of it. When I hover over this lock icon,
> some additional information pops up saying that the audio and video
> are encrypted. Does Jitsi indeed mean what it says?

Yes.

> Are both the
> audio and video guaranteed to be encrypted?

When the label says so - yes.

> For example, could the
> people who maintain iptel.org possibly look at the audio/video?

No. In such calls Jitsi uses ZRTP which is an end-to-end encryption
method so, as long as your SAS comparison (see below) comes clear you
are good to go.

> (To
> be compared with Skype, where Skype itself could possibly be able to
> do some snooping/tapping - nobody knows for sure.)
>
> 3) Above the "Connected" label (the one mentioned in question 2
> above), I see another label which shows "Compare with partner: **some
> code**". When I click the lock to the left of this text, a checkmark
> appears. What exactly does this mean and what is its purpose?

The first time you call someone you need to make sure they see the same
four letters as you do. If that's the case, you can be sure there's no
one standing between you and your contact (Man In The Middle). In that
case, and in that case only, you could click on the padlock so that you
won't need to do the comparison in the future. Check the following for
more info:

http://jitsi.org/faq/zrtp

> 4) Text chats is where things get weird. When I'm text chatting with
> someone, and I click the lock-icon, all that happens is that I end up
> "typing" in **some code** to the chat window. What just happened?
> When my buddy does the same, the same code appears from him. (Also,
> the other person hears some weird sound too.) What's going on? Is the
> text chat encrypted or not? There is at least no "UI-level evidence"
> shown that the chat is encrypted. For text chats, I also have the same
> question regarding whether iptel.org could possibly read people's
> chat messages.

There are two levels of chat encryption. First one concerns
communication between you and your server. In the case of Jitsi this is
almost always the case for XMPP, sometimes for SIP and never for MSN,
Yahoo! and ICQ/AIM.

The second level involves the use of an end-to-end encryption method
called OTR. You start using OTR when you click on the padlock in the
chat window. If it locks then you are encrypted. You also need to make
sure that the fingerprint you are seeing for your partner is indeed
their own (kind of the same as with ZRTP SAS comparison). If this
doesn't work as expected for you, then we'd need to know how to
reproduce your problem. Logs[0] would also be most helpful!

Hope this helps,
Emil

[0] http://jitsi.org/faq/logs
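
Why the four-character comparison described in the reply above exposes someone in the middle, as an added example that is not part of the original thread or of Jitsi's code: each side derives the short string from its own key-agreement result, so a relay that negotiated separately with each caller leaves them holding different strings. The toy group, the key values and the HMAC derivation are simplified assumptions, not ZRTP's actual key schedule; only the rendering of 20 bits as four z-base-32 characters follows the ZRTP SAS format.

```python
import hashlib
import hmac

# Toy Diffie-Hellman group, an assumption for this demo (far too small for real use).
P = 2**127 - 1
G = 3
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"

# Constructed private values for the two callers and for a hypothetical relay.
ALICE_PRIV = 0x1F3A5C7E9B2D4F6081A3C5E7
BOB_PRIV = 0x2B4D6F8091A3B5C7D9EBFD0F
RELAY_PRIV = 0x3C5E7F9102B4D6E8FA0C1E2F


def public_key(private: int) -> int:
    return pow(G, private, P)


def shared_secret(private: int, peer_public: int) -> bytes:
    return pow(peer_public, private, P).to_bytes(16, "big")


def sas(secret: bytes) -> str:
    """Render the leftmost 20 bits of a keyed hash as four z-base-32 characters."""
    digest = hmac.new(secret, b"SAS", hashlib.sha256).digest()
    top20 = int.from_bytes(digest[:4], "big") >> 12
    return "".join(ZBASE32[(top20 >> shift) & 0x1F] for shift in (15, 10, 5, 0))


def direct_call(a_priv: int, b_priv: int):
    """Both callers see each other's real public value."""
    a_sas = sas(shared_secret(a_priv, public_key(b_priv)))
    b_sas = sas(shared_secret(b_priv, public_key(a_priv)))
    return a_sas, b_sas


def relayed_call(a_priv: int, b_priv: int, relay_priv: int):
    """Each caller unknowingly agrees a key with the relay instead of the peer."""
    relay_pub = public_key(relay_priv)
    a_sas = sas(shared_secret(a_priv, relay_pub))
    b_sas = sas(shared_secret(b_priv, relay_pub))
    return a_sas, b_sas


if __name__ == "__main__":
    print("direct :", direct_call(ALICE_PRIV, BOB_PRIV))
    print("relayed:", relayed_call(ALICE_PRIV, BOB_PRIV, RELAY_PRIV))
```

The comparison has to happen over the call itself, by voice, because the strings are only useful if the other person is the one reading theirs out.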


#3

Thanks for the quick reply!

About the text chat, my problem is this:

Whenever I press the (unlocked) lock icon, the lock doesn't turn into a locked lock. It stays unlocked. All I get instead is that (when I press the lock icon), the following text gets typed into the chat window on my behalf: ?OTRv2?

Does this sound familiar? What could this mean? When my buddy tries clicking the lock, he also just prints out ?OTRv2? into the chat window, but the lock stays unlocked. We are both running Jitsi on Mac OS X.

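
The string `?OTRv2?` quoted in the post above has the shape of an OTR query message, the plain-text request that opens an OTR session and lists the protocol versions the sender offers. The following parser is an added example, not part of the original thread or of Jitsi's code; the function names are hypothetical and the sample messages are constructed.

```python
import re

# Query message: "?OTR", an optional "?" (offers version 1), then an optional
# "v<version characters>?" (each character names one offered version).
QUERY_RE = re.compile(r"\?OTR(\?)?(?:v([^?\s]*)\?)?")


def parse_otr_query(message: str):
    """Return the set of OTR versions offered, or None if there is no query tag."""
    m = QUERY_RE.search(message)
    if m is None or (m.group(1) is None and m.group(2) is None):
        return None
    versions = set()
    if m.group(1):
        versions.add("1")
    versions.update(m.group(2) or "")
    return versions


def classify(message: str) -> str:
    """Sort an incoming chat line into the OTR message kinds, or plaintext."""
    if message.startswith("?OTR:"):
        return "encoded"      # base64-encoded OTR protocol message
    if message.startswith("?OTR Error:"):
        return "error"
    if parse_otr_query(message) is not None:
        return "query"
    return "plaintext"


if __name__ == "__main__":
    # Constructed sample lines, including the one reported in the thread.
    for line in ["?OTRv2?", "?OTR?v2?", "?OTRv23?", "?OTR:AAID", "hello there"]:
        print(f"{line!r:16} {classify(line):10} {parse_otr_query(line)}")
```

A conversation in which only query messages ever appear, with no encoded messages following them, has not reached the encrypted state.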