To Jitsi admins:

– Add a privacy policy (or a link to it) to your landing page.
– Be aware of Google STUN servers in your configuration (see also
– Change the default text of the landing page since it may incorrectly state that Jitsi is fully encrypted.
– Try to deploy HTTP security headers, like a strict Content Security Policy.
– Keep your server software up-to-date (see also
– Be nice to each other.

@infosechandbook Is there a list of public (or semi-public) Jitsi instances?


We know this list:

The page is user generated content, so some instances are on the site multiple times, others aren't actually public but private instances or not related to Jitsi at all.

@infosechandbook I hope Jitsi's STUN servers can handle the load lol...

On the other hand, I'm not sure why so many people get riled up over STUN. It's not like it exposes any data to Google... it's just helping you discover external IPs for punching through NAT. The communication still flows directly peer to peer.


The new default server ( is hosted by Amazon AWS. So the question is if this really improved anything.

Unfortunately, most people only look at domain names and forget about the fact that there are several big server hosting companies on the planet that route lots of traffic.

@infosechandbook overreaction by people who think they understand tech? I'm shocked! :shopkeeper:


Are you 100% sure about the last bit? If both parties are behind NAT and none has UPnP then there's no way they can talk directly.



What's not encrypted?

I've been wondering about this when I saw a blog post saying it's not end-to-end, but there was a GitHub issue that said it depended on your configuration, and that is.


Jitsi Meet incorrectly states that it is "fully encrypted" on several sites. However, group calls are only protected by TLS. TLS is transport encryption, protecting network traffic between your client and the server. In this case, the server decrypts and re-encrypts your traffic.

We already reported this here:

Only 1-to-1 calls seem to be end-to-end encrypted.

You might want to add the deactivation of "Background Blur" to your list.
