[jitsi-dev] question about security of meet.jit.si (WebRTC)

Emil Ivov emcho at jitsi.org
Sun Mar 23 15:56:18 CET 2014


Hey MS

On 21.03.14, 08:53, Mr.Smith wrote:
> Hi Philipp,
> thx a lot for explanation!
>
> with end-to-end encryption I meant primarily implementation of zRTP for
> Audio/Video in JitMeet (and not mpOTR) - would this be possible?

WebRTC does not support ZRTP so unfortunately not. Even with WebRTC, it 
would have been very tricky to reliably exclude the bridge out of the 
conference and make content unavailable to it.

To put things in perspective: your communication is encrypted between 
you and the bridge. The bridge has access to it so you need to trust the 
person that runs it. If you do - good. If you don't, then your best 
option is to run your own bridge.

Cheers,
Emil
>
> thx and br,
> MS
>
> On 3/20/14 7:58 PM, Philipp Hancke wrote:
>> On 20.03.2014 18:00, Mr.Smith wrote:
>>> Dear Devs,
>>> Besides Jitsi I started to use also your Jitmeet service - both are
>>> working really great, please continue!!!
>>>
>>> I want to advertise the usage of https://meet.jit.si to several people
>>> involved with NGOs and wanted to approach you concerning security:
>>>
>>> according to the infos on the jitsi homepage the connections are secured
>>> with DTLS/SRTP, so between server and user(s) but not end-to-end (as
>>> with zRTP - if I understood correctly, sorry if I got it wrong...)
>>>
>>
>> correct.
>>
>>> Questions:
>>>
>>> 1) assuming that I trust the operators of the server (videobridge) (=
>>> the jitsi team) - can the communication be intercepted? (man-in-the-middle
>>> attack etc.?)
>>
>> the bridge is decrypting all traffic. In fact, it's doing a MITM
>> attack against the WebRTC clients ;-)
>>
>> run your own bridge ;-)
>>
>>> 2) how is chatting secured to all participants?
>>
>> Not at all. Each participant is connected via TLS, but that is not
>> end-to-end encryption.
>> Not that it matters, in-browser crypto cannot be trusted.
>>
>>> 3) will an end-to-end encryption be implemented into Jitmeet (similar as
>>> with Jitsi client) ?
>>
>> multi-party OTR is still an unsolved problem :-/
>>
>> Does that help?

-- 
https://jitsi.org
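
Added example, not part of the thread and not Jitsi code: in WebRTC the DTLS-SRTP keys are negotiated with whichever endpoint holds the certificate named by `a=fingerprint` in the remote SDP, so listing those fingerprints shows where the encryption discussed above terminates. The SDP excerpt, the fingerprint and the `known` label map are constructed; because the fingerprint arrives over signalling, the labels mean something only when the reference fingerprints were obtained out of band.

```javascript
// List the certificate fingerprints a remote SDP binds DTLS-SRTP to.
// All SDP text, fingerprints and labels here are constructed sample values.
// Syntax: "a=fingerprint:<hash-func> <HEX:HEX:...>". A session-level
// fingerprint applies to every m= section that has none of its own.
function remoteDtlsFingerprints(sdp) {
  const lines = sdp.split(/\r?\n/).filter((l) => l.length > 0);
  const sessionLevel = [];
  const sections = [];
  let current = null;
  for (const line of lines) {
    if (line.startsWith('m=')) {
      current = { media: line.slice(2).split(' ')[0], fingerprints: [] };
      sections.push(current);
      continue;
    }
    const m = /^a=fingerprint:(\S+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)\s*$/.exec(line);
    if (!m) continue;
    const fp = `${m[1].toLowerCase()} ${m[2].toUpperCase()}`;
    if (current) current.fingerprints.push(fp); else sessionLevel.push(fp);
  }
  return sections.map((s) => ({
    media: s.media,
    fingerprints: s.fingerprints.length ? s.fingerprints : sessionLevel.slice(),
  }));
}

// Label each media section with who holds the DTLS key, using the
// hypothetical `known` map (fingerprint -> label) supplied by the caller.
function dtlsEndpoints(sdp, known) {
  return remoteDtlsFingerprints(sdp).map((s) => {
    if (s.fingerprints.length === 0) return `${s.media}: no fingerprint`;
    const who = s.fingerprints.map((fp) => known[fp] || 'unknown');
    return `${s.media}: ${who.join(', ')}`;
  });
}

const BRIDGE_FP = 'sha-256 ' + Array(32).fill('AB').join(':'); // constructed
const SAMPLE_SDP = [ // constructed excerpt of a remote description
  'v=0',
  'o=- 1 2 IN IP4 192.0.2.10',
  `a=fingerprint:SHA-256 ${Array(32).fill('ab').join(':')}`,
  'm=audio 10000 RTP/SAVPF 111',
  'a=mid:audio',
  'm=video 10000 RTP/SAVPF 100',
  'a=mid:video',
].join('\r\n');
console.log(dtlsEndpoints(SAMPLE_SDP, { [BRIDGE_FP]: 'bridge' }));
```

Every media section resolves to the same single certificate: the party at the other end of the DTLS handshake is the bridge, not the other participants.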