Security audit?

Hi all,

With the current crisis and ‘lock-down’ in a lot of countries, we see a number of projects that set up jitsi-based voice-conference systems to help support people communicate.

We have a small group of people who want to help out this movement, especially from a cybersecurity / Ethical Hacking point of view.

Three questions:

  • Is there an official install-guide for setting up a jitsi-server?
  • Has this setup already been security-audited?
  • Are there any security policy-documents for setting up a jitsi-server?

In short, is there any interest in a pen-test of the default setup of a jitsi-server?

thanks in advance.

Kristoff

Company internal, yes.

Hi Damenco,

Thx for your reply.

That is the installation-guide for the jitsi part itself, but, of course, that is only part of the story. What about the rest of the software on the server?

Is there a document that describes how to install a jitsi-server from the complete beginning (an empty machine + a Linux boot-DVD) to the end?
Are there security-policy documents for what software should be on the server and what not, firewall rules, remote-management policies, etc.?
Are there docker- or cloud-platform images of pre-audited server-installations?
Is there a policy on automatically pushing updates of the jitsi-software to the servers?

The thing is that, with the corona-crisis, we see citizen-projects to allow people in ‘lock-down’ to communicate with their friends and families, based on jitsi-server instances set up by volunteers.

With all respect to these volunteers, I think we can safely assume that cybersecurity and privacy are not the prime field of knowledge of these volunteers. This does pose a risk for the safety and privacy of the citizens using these services.

So having a document that clearly describes how somebody can set up a properly protected and audited server-setup would not be a bad thing.

BTW.
Another aspect is ‘authentication’.
We now already have people getting phone calls from ‘the helpdesk of Microsoft to help solve a problem on your computer … if you just install this patch’.
So it is not that unlikely to imagine that people will now get phishing mails with a link to a jitsi-room video-conference ‘from the helpdesk of their bank to fix an issue with their card’.

Are there policy-documents that describe ways a server can be set up so that the user can easily determine if a remote-partner is indeed who he/she says he/she is?

Kr.

If you are asking for meet.jit.si, this is not open-sourced and is proprietary.

Nope.

These are things people deploying jitsi-meet configure by themselves, and there are no recommendations for that from our side.

There are no such documents and recommendations, but you are welcome to create such documents and share them with the community.

Hello All,
This is a bit old, where does this stand? Anyone working on it? I might be interested in developing this document and recommendations, with a test bed. If I do, krbonne (Kristoff), are you and your friends still interested in testing it?

@krbonne, I have been working on this issue, and you can see where I am at https://github.com/fgamgee/Jitsi-Meet-Secure-Server. I would welcome you and your friends looking into it and obtaining feedback and issues. Thanks.