<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office"> <head> <meta name="viewport" content="width=device-width,initial-scale=1"> <!--[if gte mso 9]>
<![endif]--> </head> <body style="word-wrap:normal;word-break:break-word"> <!--[if (gte mso 9)|(IE)]>
<![endif]--> <table class="container" lang="container" dir="ltr" border="0" cellpadding="0" cellspacing="0" valign="top" style="width:100%"> <tr> <td valign="top" class="message-wrapper" style="color:#222;font-family:arial,sans-serif"> <!--[if mso]><table border="0" cellpadding="0" cellspacing="0" valign="top" style="border-collapse:separate;"><tr><td valign="top"><![endif]--> <div dir="ltr">From: John-Mark Gurney in https://www.metzdowd.com/mailman/listinfo/cryptography<br>Date: April 9, 2020 14:04:18 JST<br>To: Jeremy Stanley <br>Subject: Re: Jitsi versus Zoom<br><br>Jeremy Stanley wrote this message on Wed, Apr 08, 2020 at 23:45 +0000:<br>&gt; On 2020-04-08 15:10:45 -0700 (-0700), John-Mark Gurney wrote:<br>&gt; [...]<br>&gt; &gt; So, the best thing about Jitsi is that you can self host to ensure<br>&gt; &gt; the security of the server.<br>&gt; [...]<br>&gt;<br>&gt; Well, and it uses standards-based protocols, and you get all the<br>&gt; source code, and you have the right to modify and redistribute it,<br>&gt; and the ability to run it without having to pay licensing fees to<br>&gt; the authors, and... basically all the benefits of relying on<br>&gt; free/libre open source software instead of some proprietary platform<br>&gt; which you'll at best be able to audit under a nasty NDA and won't be<br>&gt; able to legally modify at all if you need (and I say this as someone<br>&gt; who's in the process of helping stand up a slightly modified version<br>&gt; of Jitsi Meet for an open community who's wary of Zoom and similar<br>&gt; closed offerings, the patch we're applying is for integration with<br>&gt; another open collaboration tool we use and we're planning to work<br>&gt; with the Jitsi maintainers to get that incorporated upstream... 
try<br>&gt; doing that with Zoom?).<br><br>You mean all the auditing that doesn't happen w/ open source software?<br><br>See the recent package distribution bugs in OpenWrt[1], or on Debian's<br>apt that failed to handle redirects properly[2]...<br><br>Or the [in]ability of OSS authors to distribute software securely?<br><br>Hell, in trying to get OpenWrt installed on a router, I find that if<br>you follow OpenWrt docs to the letter, your initial install can still<br>be MitM'd, even after the recent CVE, and so an attacker could put their<br>own package key and repo in:<br>https://twitter.com/encthenet/status/1248036307147710465?s=20<br><br>Or that dnsmasq is distributed in an unauthenticated manner. Yes,<br>the author signs his repo, but there isn't a link to his PGP key<br>anywhere, and so, if I just fetch "his" key that is from the repo<br>off a random key server, that isn't secure, because an attacker could<br>upload their own key that they signed the repo w/ that contains his<br>email address and look totally legit.<br><br>You mean that OSS?<br><br>We aren't even talking about complicated parts of software, the<br>simple distribution can't even be handled in a secure manner, and<br>people expect them to get more complicated parts correct?<br><br>I don't have the time or money to pay for even a half assed audit of<br>Jitsi.<br><br>There's something to be said to have a company that has people who<br>are paid to distribute and keep software secure.<br><br>[1] https://nvd.nist.gov/vuln/detail/CVE-2020-7982<br>[2] https://www.debian.org/security/2019/dsa-4371<br><br>--<br> John-Mark Gurney <br><br> "All that I will do, has been done, All that I have, has not."</div> <!--[if 
mso]></td></tr></table><![endif]--> </td> </tr> </table> </body> </html>
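The key-server problem described in the message above, as an added example that is not part of the original message or of any project it names: a user ID is self-asserted, so lookup by e-mail address returns every key that claims it, and only a full fingerprint obtained out of band singles one out. The listing, names and fingerprints are constructed, and the existence of a published fingerprint to pin is an assumption.

```python
import re

# Constructed `gpg --list-keys --with-colons` output: two keys whose user IDs
# claim the same address. Names, dates and fingerprints are made up.
GENUINE = "0" * 24 + "A" * 16      # assumed to be published out of band
LOOKALIKE = "0" * 24 + "B" * 16    # uploaded by someone else, same user ID
LISTING = f"""\
pub:-:4096:1:AAAAAAAAAAAAAAAA:1262304000:::-:::scESC:
fpr:::::::::{GENUINE}:
uid:-::::1262304000::HASH1::Example Maintainer <maintainer@example.org>:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1586304000:::-:::scESC:
fpr:::::::::{LOOKALIKE}:
uid:-::::1586304000::HASH2::Example Maintainer <maintainer@example.org>:
"""

def parse_keys(listing):
    """Return one {'fpr', 'uids'} dict per primary key in a colon listing."""
    keys, cur = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            cur = {"fpr": None, "uids": []}
            keys.append(cur)
        elif cur is None:
            continue
        elif f[0] == "fpr" and cur["fpr"] is None:  # first fpr after pub is the primary key's
            cur["fpr"] = f[9].upper()
        elif f[0] == "uid":
            cur["uids"].append(f[9])                # field 10 holds the user ID
    return keys

def keys_claiming(keys, email):
    """Lookup by address: every key whose self-asserted user ID names it."""
    return [k["fpr"] for k in keys if any(f"<{email}>" in u for u in k["uids"])]

def select_pinned(keys, pinned_fpr):
    """Accept only the key whose full v4 fingerprint equals the pin."""
    want = re.sub(r"\s+", "", pinned_fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", want):
        raise ValueError("pin must be a full 40-hex-digit fingerprint, not a key ID")
    matches = [k for k in keys if k["fpr"] == want]
    if len(matches) != 1:
        raise LookupError("no key with the pinned fingerprint; refusing to verify")
    return matches[0]

if __name__ == "__main__":
    ring = parse_keys(LISTING)
    print("claim the address:", keys_claiming(ring, "maintainer@example.org"))
    print("pinned key:", select_pinned(ring, GENUINE)["fpr"])
```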