[liberationtech] Jitsi versus Zoom
Yosem Companys
ycompanys at gmail.com
Thu Apr 9 07:20:29 CEST 2020
From: John-Mark Gurney
in https://www.metzdowd.com/mailman/listinfo/cryptography
Date: April 9, 2020 14:04:18 JST
To: Jeremy Stanley
Subject: Re: Jitsi versus Zoom
Jeremy Stanley wrote this message on Wed, Apr 08, 2020 at 23:45 +0000:
> On 2020-04-08 15:10:45 -0700 (-0700), John-Mark Gurney wrote:
> > So, the best thing about Jitsi is that you can self host to ensure
> > the security of the server.
>
> Well, and it uses standards-based protocols, and you get all the
> source code, and you have the right to modify and redistribute it,
> and the ability to run it without having to pay licensing fees to
> the authors, and... basically all the benefits of relying on
> free/libre open source software instead of some proprietary platform
> which you'll at best be able to audit under a nasty NDA and won't be
> able to legally modify at all if you need (and I say this as someone
> who's in the process of helping stand up a slightly modified version
> of Jitsi Meet for an open community who's wary of Zoom and similar
> closed offerings, the patch we're applying is for integration with
> another open collaboration tool we use and we're planning to work
> with the Jitsi maintainers to get that incorporated upstream... try
> doing that with Zoom?).
You mean all the auditing that doesn't happen w/ open source software?
See the recent package distribution bugs in OpenWrt[1], or on Debian's
apt that failed to handle redirects properly[2]...
Or the [in]ability of OSS authors to distribute software securely?
Hell, in trying to get OpenWrt installed on a router, I find that if
you follow OpenWrt docs to the letter, your initial install can still
be MitM'd, even after the recent CVE, and so an attacker could put their
own package key and repo in:
Or that dnsmasq is distributed in an unauthenticated manner. Yes,
the author signs his repo, but there isn't a link to his PGP key
anywhere, and so, if I just fetch "his" key that is from the repo
off a random key server, that isn't secure, because an attacker could
upload their own key that they signed the repo w/ that contains his
email address and look totally legit.
You mean that OSS?
We aren't even talking about complicated parts of software, the
simple distribution can't even be handled in a secure manner, and
people expect them to get more complicated parts correct?
I don't have the time or money to pay for even a half-assed audit of
There's something to be said to have a company that has people who
are paid to distribute and keep software secure.
[1] https://nvd.nist.gov/vuln/detail/CVE-2020-7982
[2] https://www.debian.org/security/2019/dsa-4371
John-Mark Gurney
"All that I will do, has been done, All that I have, has not."
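The keyserver problem raised above (a key fetched by email address from a keyserver proves nothing, since anyone can upload a key carrying that address), as an added illustration that is not part of the thread: the fingerprint is computed from the public-key packet per RFC 4880, and only a fingerprint obtained out of band selects a key, with UIDs ignored. The email address, toy key material and keyserver results are constructed; the pinned value is derived from the honest key here only because there is no out-of-band channel in a stand-alone script.

```python
"""Choosing a PGP signing key by pinned fingerprint rather than by keyserver email lookup."""
import hashlib
import struct


def mpi(x: int) -> bytes:
    """RFC 4880 multiprecision integer: 2-byte bit length, then big-endian magnitude."""
    return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")


def rsa_pubkey_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 RSA public-key packet: version 4, creation time, algorithm 1, then n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the 2-byte body length, then the packet body."""
    if not body or body[0] != 4:
        raise ValueError("only v4 public-key packets are supported")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


# Constructed toy keys (tiny moduli, not usable for real signing). Both carry the same UID,
# which is exactly what an attacker achieves by uploading their own key to a public keyserver.
MAINTAINER_EMAIL = "maintainer@example.org"  # placeholder, not the dnsmasq author's address
HONEST_KEY = {"uid": f"Maintainer <{MAINTAINER_EMAIL}>",
              "pubkey": rsa_pubkey_body(0xC4A5F7E9D12B3F01, 65537, 1500000000)}
ATTACKER_KEY = {"uid": f"Maintainer <{MAINTAINER_EMAIL}>",
                "pubkey": rsa_pubkey_body(0x9E7D1C3B5A0F2468, 65537, 1586400000)}
KEYSERVER_RESULTS = [ATTACKER_KEY, HONEST_KEY]  # result order is not under the user's control

# In practice this value is copied from an out-of-band source (project site over TLS, a signed
# release announcement, the author in person); here it is derived from the honest key instead.
PINNED_FINGERPRINT = v4_fingerprint(HONEST_KEY["pubkey"])


def lookup_by_email(results: list, email: str) -> list:
    """What 'just fetch his key' amounts to: every key whose UID mentions the email matches."""
    return [r for r in results if email in r["uid"]]


def select_pinned_key(results: list, pinned_fp: str) -> dict:
    """Ignore UIDs entirely; accept only the key whose computed fingerprint equals the pinned one."""
    wanted = pinned_fp.replace(" ", "").upper()
    matches = [r for r in results if v4_fingerprint(r["pubkey"]) == wanted]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one key with fingerprint {wanted}, found {len(matches)}")
    return matches[0]


if __name__ == "__main__":
    print("email lookup returns", len(lookup_by_email(KEYSERVER_RESULTS, MAINTAINER_EMAIL)), "candidate keys")
    print("pinned lookup selects", v4_fingerprint(select_pinned_key(KEYSERVER_RESULTS, PINNED_FINGERPRINT)["pubkey"]))
```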