So I know there has been a lot of talk about this, but I still can’t seem to find a reliable answer.
The official /security page of the website states:
“Jitsi meetings can operate in 2 ways: peer-to-peer (P2P) or via the Jitsi Videobridge (JVB). This is transparent to the user. P2P mode is only used for 1-to-1 meetings. In this case, audio and video are encrypted using DTLS-SRTP all the way from the sender to the receiver, even if they traverse network components like TURN servers.”
“encrypted all the way from the sender to the receiver” seems a bit confusing, because “all the way” could also mean that it goes through something (I feel like “directly” would have been more appropriate), but I’m guessing this means E2E encryption, right?
But then, on this recent thread (2 months ago), a Jitsi dev reacts to a post reminding people that meet.jit.si (the public version) is not E2E encrypted:
“Yes, that is correct. Currently WebRTC does not provide the necessary tools to make E2EE possible while still being able to use smart video routing techniques such as simulcast and SVC.”
Also, a Jitsi dev on the main GitHub thread states, in 2018, that:
“unless a TURN server is deployed the p2p session will not always succeed and when this happens there isn’t an explicit notification to the user”
So, this is all very confusing. A friend of mine is considering using Jitsi for her (1-to-1) telehealth sessions and I can’t tell her for sure that it’s safe, because I’m not convinced at all myself.
I’ll sum up my questions below:
Is E2EE occurring on meet.jit.si (the public/maintained version) during one-to-one calls? Is it guaranteed?
Key points being: meet.jit.si (as opposed to custom deployed server), one-to-one calls and guaranteed.
Thanks in advance for any help/clarification.
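An added example, not part of the original post and not Jitsi's code: the DTLS-SRTP and TURN statements quoted above can be inspected on a live call through the standard WebRTC `getStats()` report. The function names `describeTransport` and `sampleReport` and the sample data are constructed for illustration; the result describes the transport path and DTLS state only and does not identify whether the remote endpoint is the other participant or a videobridge.

```javascript
// Added example. Summarises the active transport of one RTCPeerConnection
// from its getStats() report (field names from the W3C WebRTC stats spec).
function describeTransport(report) {
  const transport = [...report.values()].find(
    (s) => s.type === 'transport' && s.selectedCandidatePairId);
  if (!transport) return { connected: false, reason: 'no selected candidate pair' };
  const pair = report.get(transport.selectedCandidatePairId);
  if (!pair) return { connected: false, reason: 'selected pair not in report' };
  const local = report.get(pair.localCandidateId) || {};
  const remote = report.get(pair.remoteCandidateId) || {};
  return {
    // Media only flows once ICE has a working pair and the DTLS handshake is done.
    connected: pair.state === 'succeeded' && transport.dtlsState === 'connected',
    dtlsState: transport.dtlsState,
    srtpCipher: transport.srtpCipher || null,
    localType: local.candidateType || 'unknown',
    remoteType: remote.candidateType || 'unknown',
    // A 'relay' candidate on either side means packets pass through a TURN server.
    viaTurn: local.candidateType === 'relay' || remote.candidateType === 'relay',
  };
}

// Constructed sample data (documentation IP ranges), shaped like an RTCStatsReport.
function sampleReport(localType, remoteType, dtlsState) {
  return new Map([
    ['T1', { id: 'T1', type: 'transport', selectedCandidatePairId: 'CP1',
             dtlsState, srtpCipher: 'AES_CM_128_HMAC_SHA1_80' }],
    ['CP1', { id: 'CP1', type: 'candidate-pair', state: 'succeeded',
              localCandidateId: 'L1', remoteCandidateId: 'R1' }],
    ['L1', { id: 'L1', type: 'local-candidate', candidateType: localType,
             address: '192.0.2.10', protocol: 'udp' }],
    ['R1', { id: 'R1', type: 'remote-candidate', candidateType: remoteType,
             address: '198.51.100.20', protocol: 'udp' }],
  ]);
}

const relayed = describeTransport(sampleReport('relay', 'srflx', 'connected'));
const direct = describeTransport(sampleReport('host', 'host', 'connected'));
const pending = describeTransport(sampleReport('host', 'srflx', 'connecting'));
console.log({ relayed, direct, pending });
// In a browser, with pc an RTCPeerConnection: describeTransport(await pc.getStats())
```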