
Jitsi Meet Security and Privacy - buovjaga
https://jitsi.org/news/security/
======
tptacek
Short answer: like Zoom, multiparty Jitsi meetings are encrypted point-to-
point, not end-to-end, and Jitsi can monitor and record your multiparty
meetings.

~~~
klaustopher
... unless you self-host the server. What you can do with jitsi, but not with
zoom.

~~~
moooo99
Then its still not end-to-end encrypted. The difference is that the only point
where its no encrypted is under your control as well. So you're right that
your meetings cannot be recorded if you host your own instance.

Unlike Zoom, Jitsi never claimed that their system was e2e encrypted which is
a huge difference if you ask me. Apparently its a technical limitation of
WebRTC, so I'd assume no webbrowser based solution can be e2e encrypted as of
now. Which is ashame since the browser compatability makes meetings with
people outside your company (or with less tech savy family members) so much
easier.

edit: misunderstoot your point

~~~
klaustopher
Thanks for the clarification!

As your edit already states, not the point I was trying to make, but still,
good to clear this up.

There was interesting discussion yesterday by the devs of mediasoup, why it is
not in webRTC yet:
[https://news.ycombinator.com/item?id=22761816](https://news.ycombinator.com/item?id=22761816)

------
twic
Are there any cryptographic and/or network designs which allow end-to-end
encryption of a group video chat without full meshing?

~~~
folmar
The point is not the crypto, but what WebRTC supports. As of now it does not.
See [https://webrtchacks.com/you-dont-have-end-to-end-
encryption-...](https://webrtchacks.com/you-dont-have-end-to-end-
encryption-e2ee/) for reference

~~~
detaro
Of course WebRTC is only a requirement if you want to be browser-based. And
even then, some solutions use WebRTC data channels for video instead (e.g.
Zoom's web version). They could do it, although you'd of course still be
trusting the server to serve you the right thing.

------
Clamydo
Wouldn't IP multicast (if it were routed by ISPs) be a perfect fit for a
scalable p2p video conference solution? Crypto wise, I guess, a room key could
be negotiated.

------
gfodor
If you are using webrtc in the browser e2e is not possible. Which is why it’s
critical you have the ability to self host such solutions.

~~~
qeternity
What are you talking about? Webrtc has mandatory encryption. The only issue is
using a simulcast middleware server. If you’re doing mesh p2p then it’s e2e.

~~~
gfodor
Obviously - I was referring to when you have a SFU, such as Jitsi and
comparable to zoom.

The concept of e2e encryption doesn’t even make sense in p2p, the fact that
direct communication between two peers is “end to end encrypted” is self
evident. It’s only when there is a central server that talking about e2e as a
concept is relevant.

~~~
qeternity
No? TURN servers relay webrtc traffic and it’s still e2e encrypted

------
m3kw9
Basically same situation technically as Zoom, without the PR fiasco

~~~
m1sta_
Except with Jitsi, the server that can potentially see the traffic is under
your own control.

