[jitsi-users] SSL Setup of downloads.jitsi.org and jitsi.org


#1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear maintainers of Jitsi,

After the download.jitsi.org certificate expired and got replaced with a
new one, I ran some tests since I wanted to know what the SSL
infrastructure of Jitsi is like and if it needed to be improved to
ensure safe transfers of binaries from 'download.jitsi.org' and visits to
'jitsi.org'. I would like to make sure, and work together with the Jitsi
sysop, that we can deploy a safe SSL infrastructure to download material.
This needs to be resolved!

*Download.jitsi.org*
https://www.ssllabs.com/ssltest/analyze.html?d=download.jitsi.org

*Jitsi.org*
https://www.ssllabs.com/ssltest/analyze.html?d=jitsi.org

*Solution:*

Disable SSL 2.0. Enable TLS 1.1 + 1.2, only use high/secure ciphers with
PFS and ECDHE ciphers if possible, add HSTS headers.
https://github.com/mikedamm/duraconf/blob/124cf53237d31a20a584944f46cc8ff97d2bb664/configs/apache2/https-hsts.conf

What would be a nice plus is if certificate pinning could be added to
Chrome --> https://codereview.chromium.org/ ; this makes
eavesdropping/inserting a backdoored version of Jitsi a lot harder.

I'm not subscribed to the list; I'm more than happy to help out. If you
email the list, make sure to CC me.

All the best,

Jurre

--
Give a man a fish and you feed him for a day; teach a man to fish and
you feed him for life.

http://jurrevanbergen.nl/
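As an added example (not from the thread and not the linked duraconf file), an Apache mod_ssl virtual host that implements the three points of the *Solution* above; it assumes Apache 2.4 with mod_ssl and mod_headers loaded, and the certificate paths are placeholders.

```apache
# --- Weak (roughly what a permissive 2013 default looks like) ---
# SSLProtocol all            # SSLv2/SSLv3 still negotiable
# SSLCipherSuite DEFAULT     # RC4/3DES and non-PFS RSA key exchange accepted
# (no Strict-Transport-Security header: a first visit over http:// can be
#  intercepted before the browser ever sees https://)

# --- Hardened ---
<VirtualHost *:443>
    ServerName download.jitsi.org
    DocumentRoot /var/www/download                          # placeholder

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/download.jitsi.org.crt    # placeholder
    SSLCertificateKeyFile /etc/ssl/private/download.jitsi.org.key  # placeholder

    # 1. Disable SSL 2.0 (and 3.0); TLS 1.0, 1.1 and 1.2 remain negotiable
    #    so older clients can still download, but only over TLS.
    SSLProtocol all -SSLv2 -SSLv3

    # 2. High-strength ciphers only, ECDHE/DHE first so the server's
    #    preference wins and every session gets forward secrecy (PFS).
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
    SSLCompression off

    # 3. HSTS: once seen, browsers refuse plain http:// to this host for a year.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>

# Send http:// visitors to https:// so the HSTS header is actually delivered.
<VirtualHost *:80>
    ServerName download.jitsi.org
    Redirect permanent / https://download.jitsi.org/
</VirtualHost>
```

After reloading, re-run the SSL Labs test linked above to confirm SSLv2 is gone, the ECDHE suites are preferred and the HSTS header is reported.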


#2

Hey Jurre,

Thanks for the note.

Jacob Appelbaum raised that same issue a few months ago but the server
didn't support it back then and we didn't get around to changing it
since the migration.

So, jitsi.org should be ok now:

https://www.ssllabs.com/ssltest/analyze.html?d=jitsi.org

We are currently investigating the options that we have for
download.jitsi.org. This may take a few weeks but we'll sort it out
eventually.

Cheers,
Emil

On 22.05.13, 16:17, Jurre van Bergen wrote:
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

--
https://jitsi.org


#3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Emil,

Thanks for getting back to me; jitsi.org looks fine so far indeed. I
strongly urge you to make extra time to update download.jitsi.org. It's
extremely important that this software can be downloaded over an actually
secure session instead of an insecure one when someone is listening on
the wire. Unfortunately, these things happen more often in this
world; depressing, isn't it?

I see that some modifications were made to download.jitsi.org. It's not
perfect and still contains some issues; what's holding you back from
applying the other options? Is the server out of date? Perhaps it would
be a suggestion to install a recent Debian Wheezy to host as a download
platform?

Another thing that would be nice, but is not related to the SSL
deployment, is providing sha256sums of the packages. In addition to
that, I hope that the Jitsi project will consider signing their packages
so users could check whether that's an actual valid package provided by
the Jitsi developers.

Thanks so far; I appreciate that you have already put some time into it.

All the best,

Jurre

--
Give a man a fish and you feed him for a day; teach a man to fish and
you feed him for life.

http://jurrevanbergen.nl/

On 05/23/2013 11:30 AM, Emil Ivov wrote:

On 22.05.13, 16:17, Jurre van Bergen wrote: