
Regarding Jitsi Meet servers:
There is a recent trend to use Jitsi Meet, a JavaScript WebRTC application, for videoconferencing.

Please note that these video conferences aren't end-to-end encrypted. This means server-side parties can monitor your activity. If you want to use Jitsi hosted by others, look for a comprehensive privacy policy as always.

There could be additional legal requirements if you want to use third-party Jitsi servers for school or work.

@infosechandbook This doesn't apply to just Jitsi Meet. It's true of almost every other videoconferencing system. Are there any (multiparty) videoconferencing systems that are end-to-end encrypted?

@infosechandbook are you sure? They claim that calls are encrypted by default.

@infosechandbook @luka Out of curiosity, is there any video conference provider that DOES offer end-to-end encryption?

@kekcoin

For instance, Signal offers E2EE for 1-to-1 calls. Wire seems to offer E2EE for video conferences.

Just a side note: We explicitly do not promote any products or services, and the original post isn't only about E2EE but also about missing privacy policies and other legal requirements.

@luka

@blacklight447 @infosechandbook @kekcoin @luka
It should be, at least for 1-1 calls, not sure about group calls. I would go for Wire, at least until EARN IT act passes. After that, self-hosted Jitsi or Nextcloud Talk

@engineering @blacklight447 @infosechandbook @kekcoin thanks for all these considerations. So if I self-host a Jitsi server with a strict pp, that seems like the way to go. Are there examples one could look at for how to craft an ethical PP?

@infosechandbook Nasty, pessimistic stance for a moment: People don't really care, same as people don't really care about some of the insecurities of XMPP or Matrix, because at the end, the idea of self-hosting seems much more tempting than considering privacy and security as something much more complex than that. 😐

@z428 @infosechandbook

It's also that widely seen alternatives like Discord, Microsoft Teams, phone calls or SIP don't offer end to end encryption either, and they obviously contain a record button on the server side.

#SIP is not even encrypted on transport...

@z428 @infosechandbook
So people trust the people behind the jitsi servers more than other companies. It's a blind trust but they don't see why those people would listen to their conversations.

@infosechandbook A default Jitsi quickinstall setup also uses the Google STUN servers for WebRTC with only two participants (at least that's how I understand the documentation).

/etc/jitsi/meet/jitsi.example.com-config.js:

// The STUN servers that will be used in the peer to peer connections
stunServers: [
{ urls: 'stun:stun.l.google.com:19302' },
{ urls: 'stun:stun1.l.google.com:19302' },
{ urls: 'stun:stun2.l.google.com:19302' }
],
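To make the point above checkable rather than a matter of reading the file by hand, here is an added example (not code from this thread or from the Jitsi project): a small Node.js helper that parses the ICE server URLs in a Jitsi Meet config object, flags every STUN/TURN host that is not under your own domain, and produces a copy of the config pointing at a server you run. The sample config is constructed to mirror the quickinstall defaults quoted in the post; the domain jitsi.example.com and the function names are assumptions. It also accepts the nested p2p.stunServers layout used by newer config.js files.

```javascript
// Constructed sample mirroring the quickinstall defaults quoted in the post.
const sampleConfig = {
  stunServers: [
    { urls: 'stun:stun.l.google.com:19302' },
    { urls: 'stun1.l.google.com:19302'.replace(/^/, 'stun:') },
    { urls: 'stun:stun2.l.google.com:19302' },
  ],
};

// Parse an ICE server URL such as 'stun:host:port' or 'turns:host:443?transport=tcp'.
// Default ports follow RFC 7064/7065: 3478 for stun/turn, 5349 for stuns/turns.
function parseIceUrl(url) {
  const m = /^(stuns?|turns?):([^:?\/]+)(?::(\d+))?(?:\?(.*))?$/i.exec(String(url));
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  return {
    scheme,
    host: m[2].toLowerCase(),
    port: m[3] ? Number(m[3]) : (scheme.endsWith('s') ? 5349 : 3478),
    query: m[4] || '',
  };
}

// Collect the ICE server list from either the flat or the p2p-nested layout.
function iceServerEntries(config) {
  const flat = config.stunServers || [];
  const nested = (config.p2p && config.p2p.stunServers) || [];
  return [...flat, ...nested];
}

// Return every URL whose host is not equal to, or a subdomain of, a trusted domain.
function findThirdPartyIceServers(config, trustedDomains) {
  const findings = [];
  for (const entry of iceServerEntries(config)) {
    const urls = Array.isArray(entry.urls) ? entry.urls : [entry.urls];
    for (const url of urls) {
      const parsed = parseIceUrl(url);
      if (!parsed) {
        findings.push({ url, reason: 'unparseable ICE URL' });
        continue;
      }
      const trusted = trustedDomains.some(
        (d) => parsed.host === d || parsed.host.endsWith('.' + d.toLowerCase()),
      );
      if (!trusted) findings.push({ url, host: parsed.host, reason: 'third-party host' });
    }
  }
  return findings;
}

// Copy of the config with both STUN lists replaced by the servers you operate.
function replaceIceServers(config, ownServerUrls) {
  const entries = ownServerUrls.map((u) => ({ urls: u }));
  const fixed = { ...config, stunServers: entries };
  if (config.p2p) fixed.p2p = { ...config.p2p, stunServers: entries };
  return fixed;
}

// Stand-alone run: report what the quickinstall defaults hand to a third party.
for (const f of findThirdPartyIceServers(sampleConfig, ['jitsi.example.com'])) {
  console.log(`${f.reason}: ${f.url}`);
}
```

Running the audit against a live deployment means loading the real `/etc/jitsi/meet/<host>-config.js` (it assigns to a `config` global rather than exporting a module, so evaluate it in a `vm` context or strip the assignment first); the audit only covers the STUN/TURN list, so the media path for multi-party calls, which the thread discusses separately, still terminates on your own videobridge regardless of what this check reports.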

@galaxis

Holy shit! That's true. I just tried on my server and those lines are there.
After commenting those lines and rebooting, #Jitsi still seems to work, but this is terrible.

See also:
mastodon.social/@FuckOffGoogle

c/c
@z428
@infosechandbook

#FuckOffGoogle

@infosechandbook
The emphasis should be on third-party servers possibly not encrypting. Jitsi encrypts end-to-end by default, as the team states on their site.

@SvenFatale

E2EE is limited to 1-to-1 calls as stated here: github.com/jitsi/jitsi-meet#se (and multiple times in the comments).

Moreover, incomplete or completely missing privacy policies are a problem. One shouldn't trust a "John Doe" admin when it comes to security.

@infosechandbook
Thank you. It also stated that for multiparty it's unencrypted on the host server and client machines, which means if you control the host server, you do not need to worry about third party interception, or am I misunderstanding their statement?

Privacy policies are always important, definitely. You could open a ticket to have them create a better one or even offer to help craft one. It is open source, after all. They might appreciate your help.

@SvenFatale

If you physically and logically control your server, then you don't need to worry about it. This is true for any protocol that doesn't support E2EE.

The problem isn't the software Jitsi itself, but server admins who don't publish privacy policies, or sometimes actively hide their real identities.

@xorman

You are referring to another software project and TURN servers.

Jitsi officially states that "WebRTC does not (yet) provide a way of conducting multi-party conversations with end-to-end encryption." For 1-to-1 calls, read the first paragraph of github.com/jitsi/jitsi-meet#se

privacytools.io also states: "Jitsi Meet streams are decrypted on the server." (privacytools.io/software/real-)

chaos.social

chaos.social – a Fediverse instance for & by the Chaos community