To Jitsi admins:
– Be aware of Google STUN servers in your configuration (see also https://github.com/jitsi/jitsi-meet/pull/5433).
– Change the default text of the landing page since it may incorrectly state that Jitsi is fully encrypted.
– Try to deploy HTTP security headers, like a strict Content Security Policy.
– Keep your server software up-to-date (see also https://infosec-handbook.eu/as-wss/).
– Be nice to each other.
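The first item above (third-party STUN servers in the Jitsi config) is easy to miss because the hostnames are buried in config.js. The following audit helper is an added example, not code from the thread or from the Jitsi project: it walks a config object shaped like Jitsi Meet's `p2p.stunServers` list and reports every ICE server that is not under the operator's own domain. The `OWN_DOMAINS` list, the `example.org` hostnames and the embedded sample config are constructed for the example.

```javascript
// Added example (not from the thread or the Jitsi project): audit a Jitsi Meet
// config.js-style object for STUN/TURN servers operated by third parties.
// Every participant's browser sends STUN binding requests to these hosts, so a
// third-party STUN server learns participants' IP addresses and call timing.

// Assumption: the operator's own domains (hypothetical values).
const OWN_DOMAINS = ['example.org'];

// Constructed config excerpt mirroring the shape of Jitsi Meet's config.js
// (p2p.stunServers is the real key; hostnames are sample data for the example).
const sampleConfig = {
  p2p: {
    enabled: true,
    stunServers: [
      { urls: 'stun:stun.l.google.com:19302' },
      { urls: ['turn:turn.example.org:443?transport=tcp', 'stuns:turn.example.org:5349'] },
      { urls: 'not-an-ice-url' },
    ],
  },
};

// Parse an ICE URL: scheme:host[:port][?query]; scheme is stun/stuns/turn/turns.
// Bracketed IPv6 literals are not handled here and would be reported as unparseable.
function parseIceUrl(url) {
  const m = /^(stuns?|turns?):([^:?]+)(?::(\d+))?(?:\?(.*))?$/.exec(url);
  if (!m) return null;
  return { scheme: m[1], host: m[2], port: m[3] ? Number(m[3]) : null };
}

function isOwnHost(host) {
  return OWN_DOMAINS.some(d => host === d || host.endsWith('.' + d));
}

// Returns one finding per ICE URL that is either unparseable or third-party.
function auditIceServers(config) {
  const servers = (config.p2p && config.p2p.stunServers) || [];
  const findings = [];
  for (const entry of servers) {
    const urls = Array.isArray(entry.urls) ? entry.urls : [entry.urls];
    for (const url of urls) {
      const parsed = parseIceUrl(url);
      if (!parsed) {
        findings.push({ url, issue: 'unparseable' });
      } else if (!isOwnHost(parsed.host)) {
        findings.push({ url, host: parsed.host, issue: 'third-party' });
      }
    }
  }
  return findings;
}

// Usage: print the findings for the constructed sample config.
for (const f of auditIceServers(sampleConfig)) {
  console.log(`${f.issue}: ${f.url}`);
}
```

Run it against the real `config.js` by loading the file and passing the exported `config` object; any `third-party` finding is a host that will see your participants' STUN traffic and should be replaced with a STUN/TURN server you operate.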
@infosechandbook Is there a list of public (or semi-public) Jitsi instances?
We know this list: https://github.com/jitsi/jitsi-meet/wiki/Jitsi-Meet-Instances
The page is user-generated content, so some instances are on the site multiple times, others aren't actually public but private instances or not related to Jitsi at all.
The new default server (meet-jit-si-turnrelay.jitsi.net) is hosted by Amazon AWS. So the question is if this really improved anything.
Unfortunately, most people only look at domain names and forget about the fact that there are several big server hosting companies on the planet that route lots of traffic.
What's not encrypted?
I've been wondering about this when I saw a blog post saying it's not end-to-end, but there was a GitHub issue that said it depended on your configuration, and that meet.jit.si is.
Jitsi Meet incorrectly states that it is "fully encrypted" on several sites. However, group calls are only protected by TLS. TLS is transport encryption, protecting network traffic between your client and the server. In this case, the server decrypts and re-encrypts your traffic.
We already reported this here: https://github.com/jitsi/jitsi-meet/issues/5659
Only 1-to-1 calls seem to be end-to-end encrypted.
You might want to add the deactivation of "Background Blur" to your list.