Video calls and Jitsi
With the recent sudden rush to working from home, and restrictions on people meeting up, there has been a huge growth in the use of video calls. There has, however, been some question as to who to trust with handling these calls. Many are choosing to trust the open source software Jitsi, but there are things worth considering before moving to Jitsi.
14th April 2020
Along with lots of folks using well established solutions (Skype, Google Hangouts, Microsoft Teams), there's been a massive adoption of the relative newcomer Zoom.
The sudden attention to Zoom has led to lots of investigations and reports of researchers finding various vulnerabilities. Some question the wisdom of using the services of a company who have their massive development team based in China. Others have called out their false claim that the calls are completely private via end to end encryption (e2ee). Getting stable multi party calls with such e2ee is very difficult to achieve. Like most other such services, Zoom encrypts the audio/video streams between your device and their server computer, then decrypts them, mixes them together with the streams from other people on the call, and sends it all out encrypted to all call participants. Distribution of the encryption keys to call participants happens from a data center in China, operated by the Australian telecoms company Telstra.
Whether all this needs to be an issue for you depends on who you wish your calls to be private from (e.g. possibly the UK government having a cabinet meeting on Zoom may not have been a great idea). It also depends on what kind of service you wish to put your trust in and promote by encouraging your contacts to use it.
As with other types of software, it is often possible to find more trustworthy solutions by looking to open source software. Open source provides the opportunity for code to be more easily reviewed and tested; it also provides better conditions for the growth of a community around the software that includes both users and independent software developers. This can help to keep the software focused on benefitting everyone, rather than focused on profiting the main developer while somewhat abusing users by, for example, selling their data.
The open source video conference software Jitsi is easy to use and lots of people have found it provides reliable conference calls. To start or join a call there is no need for an account or for special software: you can go to the webpage of a Jitsi server, start a call, then share a link with others so they can join the call.
Client
It is generally reported that you get best call quality using Jitsi client apps. Jitsi has clients for Windows, Mac, and Linux laptops and PCs. Mobile apps are also available. The Jitsi Android client from Play has Google Analytics (as have many other Android apps including Zoom) and Crashlytics trackers, through which Google collects information about how the app is used and any problems encountered for the app developers. The iPhone app has similar tracking. These trackers are stripped out of the Jitsi Android app from F-Droid.
You can use Jitsi via a web browser. It is currently recommended that nobody on the call uses Firefox, as this can cause the call quality to degrade significantly for everyone on the call. It also may not currently work so well from the Safari web browser. With phone web browsers, it may be necessary to request the desktop site, using the browser ⁝ menu.
The server
A big benefit of Jitsi is that not only can you connect via their servers, but Jitsi has also been made relatively easy for anyone with a bit of suitable technical knowledge to set up on their own servers.
There are lots of companies, groups and individuals who have set up Jitsi servers open for public use. By using a different server, you change who you trust with your call.
The Guardian Project, a project promoting privacy and security on mobile devices, has created jitsi-monitor to check the speed, security and privacy of different Jitsi services. There is a list on that page of where you can find Jitsi servers.
You can do your own research to check out which individual or organisation runs a server, and decide if you wish to trust them. You can also find out how you could offer them support to thank them for hosting your calls - maybe sending a donation, promoting their services, or spending a bit of time on other tasks for them.
Guardian Project recently recorded a podcast about the jitsi-monitor project.
jitsi-monitor creates a huge list with information about all the Jitsi servers of which it is aware. This list may tell you -
* If the server is reporting that it is using analytics to record data about your call.
* The quality of encryption - which TLS versions are supported. TLSv1.0 & TLSv1.1 are weak and being retired this year by all major web browsers. Ideally use a server with support for TLSv1.2 or, better, TLSv1.3.
* The webserver software used (most use nginx) and its version. The mainline and stable versions, currently 1.17.10 and 1.16.1, get updates to fix issues; older legacy versions will not get comprehensive security updates.
* What STUN servers are used - for calls with two participants, STUN servers are used to figure out where you both are and set up a peer to peer (p2p) connection, where the call travels directly and is not relayed by the Jitsi server. The main meet.jit.si servers, and many other Jitsi servers, use Google's STUN servers. If you are connected p2p your calls should be end to end encrypted, but there can be problems, in which case the call instead gets routed via the Jitsi server you are using, without an easy way to tell, so this encryption shouldn't be relied upon.
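As an added illustration (not jitsi-monitor's own code and not part of the original article), the checklist above can be applied to one server's details as follows. The TLS version list and Server header are inputs you collect yourself, the config excerpt is a constructed sample, and the config key names and function names are assumptions made for the example.

```python
import re

# Figures from the article (April 2020): newest release on each maintained nginx branch.
MAINTAINED_NGINX = {(1, 17): (1, 17, 10), (1, 16): (1, 16, 1)}
WEAK_TLS = {"TLSv1.0", "TLSv1.1"}

# Constructed sample, shaped like an excerpt of a Jitsi Meet config.js (assumed key names).
SAMPLE_CONFIG = """
p2p: { enabled: true,
       stunServers: [ { urls: 'stun:stun.l.google.com:19302' },
                      { urls: 'stun:stun1.l.google.com:19302' } ] },
googleAnalyticsTrackingId: 'UA-00000000-0',
"""

def nginx_finding(server_header):
    """Compare an HTTP Server header with the maintained nginx branches."""
    m = re.match(r"nginx/(\d+)\.(\d+)\.(\d+)", server_header or "")
    if not m:
        return None  # version hidden or not nginx: nothing to compare
    ver = tuple(int(x) for x in m.groups())
    latest = MAINTAINED_NGINX.get(ver[:2])
    if latest is None:
        return "nginx %d.%d.%d is on a legacy branch" % ver
    if ver < latest:
        return "nginx %d.%d.%d is behind %d.%d.%d" % (ver + latest)
    return None

def assess(tls_versions, server_header, config_js):
    """Return the findings for one server, following the article's checklist."""
    config_js = re.sub(r"^\s*//.*$", "", config_js, flags=re.M)  # ignore commented-out defaults
    offered, findings = set(tls_versions), []
    weak = sorted(WEAK_TLS & offered)
    if weak:
        findings.append("weak TLS enabled: " + ", ".join(weak))
    if not offered & {"TLSv1.2", "TLSv1.3"}:
        findings.append("no TLSv1.2 or TLSv1.3 support")
    nginx = nginx_finding(server_header)
    if nginx:
        findings.append(nginx)
    stun = re.findall(r"stun:([A-Za-z0-9.-]+)", config_js)  # host part of stun:host:port
    google = [h for h in stun if h.endswith(".google.com")]
    if google:
        findings.append("Google STUN servers: " + ", ".join(google))
    if re.search(r"googleAnalyticsTrackingId\s*:\s*['\"]\S+?['\"]", config_js):
        findings.append("analytics tracking ID configured")
    return findings

if __name__ == "__main__":
    print("\n".join(assess(["TLSv1.0", "TLSv1.1", "TLSv1.2"], "nginx/1.14.0 (Ubuntu)", SAMPLE_CONFIG)))
```

An empty result means none of the listed concerns were detected in the inputs given; it says nothing about who operates the server.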
Guardian Project are looking for developers who can help to make it easier to use the data collected by jitsi-monitor.
High levels of privacy
People who want their calls to have high levels of privacy, and do not wish to trust a server, can currently deploy their own server, but may be happy to hear that Jitsi are trialling fully end to end encrypted multi party calls.
Jitsi bombing
There have been reports of conference calls having uninvited participants, sometimes *naked*, enter into rooms. To avoid this it's good to not use a simple name for your Jitsi room; you can easily use the long name Jitsi suggests for you. For better privacy still, add a password to secure the room. If you are reusing a room, the password has to be set up again each time you re-enter after everyone has left the room.