
To Jitsi admins:

– Add a privacy policy (or a link to it) to your landing page.
– Be aware of Google STUN servers in your configuration (see also github.com/jitsi/jitsi-meet/pu).
– Change the default text of the landing page since it may incorrectly state that Jitsi is fully encrypted.
– Try to deploy HTTP security headers, like a strict Content Security Policy.
– Keep your server software up-to-date (see also infosec-handbook.eu/as-wss/).
– Be nice to each other.
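
Two of the items above (the Google STUN servers and the HTTP security headers) can be checked with a short script. The following is an added example written for this thread, not code from Jitsi or from the original poster. It parses a config.js excerpt that is constructed here in the shape jitsi-meet uses for its stunServers entries, classifies each STUN/TURN host (Google, the operator's own domain, or some other third party, which covers the AWS-hosted relay mentioned later in the thread), and checks a constructed set of response headers for CSP, HSTS and nosniff, flagging a CSP that allows any origin or inline scripts. Everything runs offline; the domain names in the sample config and the header values are assumptions for illustration.

```python
"""Offline checks for two items on the Jitsi admin checklist:
(1) which STUN/TURN hosts config.js hands to browsers, and whether any are
    Google's or otherwise outside the operator's own domain;
(2) whether the landing page sends CSP / HSTS / nosniff headers and whether
    the CSP is actually strict.
Added example, not jitsi-meet's code. Sample inputs are constructed inline.
"""
import re

# Constructed excerpt in the style of jitsi-meet's config.js (not the real file).
SAMPLE_CONFIG_JS = """
var config = {
    hosts: { domain: 'meet.example.org' },
    p2p: {
        enabled: true,
        stunServers: [
            { urls: 'stun:stun.l.google.com:19302' },
            { urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' }
        ]
    }
};
"""

# Constructed response headers for a landing page with a weak configuration.
SAMPLE_HEADERS_WEAK = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
}

# Matches the `urls: 'stun:host:port'` entries jitsi-meet uses for stunServers.
STUN_URL_RE = re.compile(r"""urls\s*:\s*['"]((?:stun|stuns|turn|turns):[^'"]+)['"]""")


def stun_hosts(config_js: str) -> list[str]:
    """Return the host part of every STUN/TURN URL found in the config text."""
    hosts = []
    for url in STUN_URL_RE.findall(config_js):
        rest = url.split(":", 1)[1].split("?", 1)[0]   # drop scheme and ?transport=
        host = rest.rsplit(":", 1)[0] if re.search(r":\d+$", rest) else rest
        hosts.append(host)
    return hosts


def classify_stun_hosts(config_js: str, own_domain: str) -> dict[str, str]:
    """Map each STUN/TURN host to 'google', 'own' or 'third-party'."""
    result = {}
    for host in stun_hosts(config_js):
        if host == "google.com" or host.endswith(".google.com"):
            result[host] = "google"
        elif host == own_domain or host.endswith("." + own_domain):
            result[host] = "own"
        else:
            result[host] = "third-party"
    return result


# Header name -> substring that must appear in its value (None: presence is enough).
REQUIRED_HEADERS = {
    "content-security-policy": None,
    "strict-transport-security": None,
    "x-content-type-options": "nosniff",
}


def missing_security_headers(headers: dict) -> list[str]:
    """Return the names of required headers that are absent or lack the expected value."""
    have = {k.lower(): v for k, v in headers.items()}
    missing = []
    for name, expected in REQUIRED_HEADERS.items():
        value = have.get(name)
        if value is None or (expected is not None and expected not in value.lower()):
            missing.append(name)
    return missing


def csp_findings(csp: str) -> list[str]:
    """Flag default-src/script-src directives that allow any origin or inline scripts."""
    findings = []
    for directive in csp.split(";"):
        parts = directive.split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        if name not in ("default-src", "script-src"):
            continue
        if "*" in sources:
            findings.append(f"{name} allows any origin (*)")
        if "'unsafe-inline'" in sources:
            findings.append(f"{name} allows 'unsafe-inline'")
    return findings


if __name__ == "__main__":
    for host, kind in classify_stun_hosts(SAMPLE_CONFIG_JS, "example.org").items():
        print(f"STUN/TURN host {host}: {kind}")
    for name in missing_security_headers(SAMPLE_HEADERS_WEAK):
        print(f"missing or weak header: {name}")
    for finding in csp_findings(SAMPLE_HEADERS_WEAK["Content-Security-Policy"]):
        print(f"CSP: {finding}")
```

To run it against a real deployment, fetch https://your.domain/config.js and the landing page headers yourself and pass the text and header dict to the functions; the script deliberately makes no network requests.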

@infosechandbook Is there a list of public (or semi-public) Jitsi instances?

@emacsen

We know this list: github.com/jitsi/jitsi-meet/wi

The page is user-generated content, so some instances are on the site multiple times, and others aren't actually public but private instances, or not related to Jitsi at all.

@infosechandbook I hope Jitsi's STUN servers can handle the load lol...

On the other hand, I'm not sure why so many people get riled up over STUN. It's not like it exposes any data to Google... it's just helping you discover external IPs for punching through NAT. The communication still flows directly peer to peer.

@feld

The new default server (meet-jit-si-turnrelay.jitsi.net) is hosted by Amazon AWS. So the question is if this really improved anything.

Unfortunately, most people only look at domain names and forget about the fact that there are several big server hosting companies on the planet that route lots of traffic.

@infosechandbook overreaction by people who think they understand tech? I'm shocked! :shopkeeper:

@feld

Are you 100% sure about the last bit? If both parties are behind NAT and neither has UPnP, then there's no way they can talk directly.

@infosechandbook

What's not encrypted?

I've been wondering about this when I saw a blog post saying it's not end-to-end, but there was a GitHub issue that said it depended on your configuration, and that meet.jit.si is.

@danjones

Jitsi Meet incorrectly states that it is "fully encrypted" on several sites. However, group calls are only protected by TLS. TLS is transport encryption, protecting network traffic between your client and the server. In this case, the server decrypts and re-encrypts your traffic.

We already reported this here: github.com/jitsi/jitsi-meet/is

Only 1-to-1 calls seem to be end-to-end encrypted.

@infosechandbook
You might want to add the deactivation of "Background Blur" to your list.

chaos.social – a Fediverse instance for & by the Chaos community