[Cryptography] Jitsi versus Zoom

John-Mark Gurney jmg at funkthat.com
Thu Apr 9 00:44:34 EDT 2020


Jeremy Stanley wrote this message on Wed, Apr 08, 2020 at 23:45 +0000:
> On 2020-04-08 15:10:45 -0700 (-0700), John-Mark Gurney wrote:
> [...]
> > So, the best thing about Jitsi is that you can self host to ensure
> > the security of the server.
> [...]
> 
> Well, and it uses standards-based protocols, and you get all the
> source code, and you have the right to modify and redistribute it,
> and the ability to run it without having to pay licensing fees to
> the authors, and... basically all the benefits of relying on
> free/libre open source software instead of some proprietary platform
> which you'll at best be able to audit under a nasty NDA and won't be
> able to legally modify at all if you need (and I say this as someone
> who's in the process of helping stand up a slightly modified version
> of Jitsi Meet for an open community who's wary of Zoom and similar
> closed offerings, the patch we're applying is for integration with
> another open collaboration tool we use and we're planning to work
> with the Jitsi maintainers to get that incorporated upstream... try
> doing that with Zoom?).

You mean all the auditing that doesn't happen w/ open source software?

See the recent package distribution bugs in OpenWrt[1], or on Debian's
apt that failed to handle redirects properly[2]...

Or the [in]ability of OSS authors to distribute software securely?

Hell, in trying to get OpenWrt installed on a router, I find that if
you follow OpenWrt docs to the letter, your initial install can still
be MitM'd, even after the recent CVE, and so an attacker could put their
own package key and repo in:
https://twitter.com/encthenet/status/1248036307147710465?s=20

Or that dnsmasq is distributed in an unauthenticated manner.  Yes,
the author signs his repo, but there isn't a link to his PGP key
anywhere, and so, if I just fetch "his" key that is from the repo
off a random key server, that isn't secure, because an attacker could
upload their own key that they signed the repo w/ that contains his
email address and look totally legit.

You mean that OSS?

We aren't even talking about complicated parts of software; the
simple distribution can't even be handled in a secure manner, and
people expect them to get the more complicated parts correct?

I don't have the time or money to pay for even a half-assed audit of
Jitsi.

There's something to be said for having a company that has people who
are paid to distribute and keep software secure.

[1] https://nvd.nist.gov/vuln/detail/CVE-2020-7982
[2] https://www.debian.org/security/2019/dsa-4371

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."