Jitsi encrypted
1/27/2024

It was a big thing: the online conferencing tool Zoom was not secure. And with thousands of people working from home these days, the usage of tools such as Zoom has really rocketed over the last weeks. So, if a certain tool doesn’t prove to be secure, it should not be used and people will have to turn to alternatives.

This week Zoom got burned to the ground by a number of security specialists and that triggered me to dive into it and check for myself how secure - or insecure - Zoom really is. Next, a ton of alternatives got suggested, but one stood out from the rest: Jitsi Meet. From what I read this open source tool was the holy grail in online conferencing.

Quoting The Verge: “Zoom is now facing a huge privacy and security backlash as security experts, privacy advocates, lawmakers, and even the FBI warn that Zoom’s default settings aren’t secure enough. Zoom now risks becoming a victim of its own success.” The article mainly dives into the problem with the Zoom conference ID and the phenomenon called Zoombombing. If anyone gets hold of the call ID, you could hack into the conference. The issue is that these IDs are easy to ‘guess’. With brute force, Zoom conferences could be hacked within a matter of moments. Fair enough.

But let’s be honest here: this is not exclusively a Zoom issue. All conference tools use this kind of ID. Depending on the algorithm used to generate these IDs (at random), it might be fairly easy or more complex to get hold of a certain ID. But at the end of the day this is nothing new under the security sun.

Where did all the negativity around Zoom then sprout from? From a blog post by author and well-respected journalist David “Doc” Searls. He started writing about the privacy statement of Zoom. Searls: “What they mean by that is adtech. What they’re also saying here is that Zoom is in the advertising business, and in the worst end of it: the one that lives off harvested personal data.” Searls mentions Google Ads and Google Analytics in his blog.

For the sake of completeness: Searls did update his article a few days after the original post. “From what I can tell, so far, on March 30 (four days after I wrote this post), Zoom has cleaned up its privacy act.”

Now, does that make Zoom ‘insecure’? They might be violating privacy statements (which is bad, they simply have to adhere to GDPR, for instance), but that’s something different than not being secure. That was my first goal: checking the security ‘under the hood’. No rocket science: Zoom published an extensive Security Guide online. One of the first things to check is the level of encryption.

Zoom is using end-to-end encryption: “Zoom can encrypt all presentation content at the application layer using the Advanced Encryption Standard (AES) 256-bit algorithm.” All screen sharing content and network connections are using the AES 256 encryption standard with TLS 1.2. The Zoom Voice over IP solution (Zoom Phone) is encrypted with AES 128, using Secure Real-time Transport Protocol (SRTP). All in all that’s pretty secure.

But: it doesn’t say anything about privacy. David Searls might be absolutely right in noting that Zoom did violate privacy rules by selling personal data.

Now, let’s look at Jitsi Meet, presented as the number one alternative for Zoom. First of all: is it secure? Same procedure: since Jitsi is open source, it’s extremely easy to dig up all the relevant documents. The (Java) code base is published on GitHub. It is open source, so all the ‘forks’ and commits back to the master code are retrievable. There’s also an extensive paper on the security of Jitsi, published by Jitsi itself.

According to the information on that page, Jitsi states that “audio and video are encrypted using DTLS-SRTP all the way from the sender to the receiver, even if they traverse network components like TURN servers”. Kudos to the fact that Jitsi provides a link to some very good documentation on DTLS-SRTP: the Framework for Establishing a Secure Real-time Transport Protocol (SRTP) and Security Context Using Datagram Transport Layer Security (DTLS) by the Internet Engineering Task Force (IETF).

All good, but is it end-to-end encrypted? Plain and simple: no. They are honest in that: “In the case of multiparty meetings all audio and video traffic is still encrypted on the network (again, using DTLS-SRTP). Packets are decrypted while traversing Jitsi Videobridge however they are never stored to any persistent storage and only live in memory while being routed to other participants in the meeting.”

Note: Since Jitsi is built on top of WebRTC, a deeper look into its security architecture is very important when evaluating Jitsi’s security aspects.