Jitsi On Premise

Jitsi is an audio/video and chat communicator that supports protocols such as SIP, XMPP/Jabber, IRC and many other useful features. Audio java chat video irc sip xmpp 7 packages Java Apache-2.0 876 3,335 188 10 Updated 18 days ago ice4j. Jitsi lets you log into several chat accounts at once. Fill out the username and password for the accounts you already have. If you don’t have any accounts with the providers listed, create a new account by clicking on one of the “Not registered yet” links. After filling in the username and and passwords for the accounts you want to use.

Jitsi Meet is an open source video conferencing solution which allows users to setup and share video conferences from a single web page with no apps or downloads necessary. In addition to video conferencing provides telephone dial-in, screen sharing, recording, white boarding, collaborative editing of documents, chat and support for 25 languages.

Getting it setup on your own VPS literally takes less than 15 minutes (we timed it!).

1. Size your server

First setup your VPS instance. Here we’re choosing the cheapest Digital Ocean VPS with 1GB RAM, 1CPU and only 25GB of storage. Jitsi isn’t particularly storage hungry so unless you’re setting up recording you can get away with a small sized disk. This one was able to handle our 6 person video call with 50-75% CPU usage, 50% RAM usage and 20-30Mbps bandwidth. We wouldn’t ordinarily recommend such a small VPS but for small companies it should be fine:

Make a note of the IP address of your VPS, in our case it’s 134.122.106.161.

Jitsi On Premise

2. Setup your firewall

A single box instance of Jitsi Meet will need the following inbound ports open:

Premises

3. Configure DNS for your domain name

In the DNS dashboard of your domain name registrar setup a DNS A record for your Jitsi server which points to the IP address of your VPS. In our case we’re using jitsi.brring.com as our fully qualified domain name (FQDN) and pointing it to the IP address of our VPS 134.122.106.161.

This will be used to setup our free Let’s Encrypt SSL certificate, securely encrypting and protecting our Jitsi server and will also allow us to access Jitsi from https://jitsi.brring.com.

Jitsi On Premise

At this point you should be able to SSH to your server by DNS name if DNS is correctly setup.

It can take some time for DNS to propagate but in our case it was almost instant.

Hostname configuration

Edit the /etc/hosts file on your VPS to point to your new domain with vi /etc/hosts or nano /etc/hosts (if you must).

Next update the hostname in /etc/hostname. Set it to the first part of the fully qualified domain name which in our case is:

Reboot your VPS for the hostname changes to take effect.

4. Installing Jitsi

First add the Jitsi repository key onto your system by running from the command line:

Next we’ll create a sources.list.d file with the Jitsi repository. We’re using stable but if you want to switch to the unstable branch simply swap unstable for stable and run:

Update your package list with the below:

Now we install the Jitsi-Meet meta package itself which includes all of its components:

Enter the FQDN of your VPS instance. In our case it’s jitsi.brring.com:

We’ll say yes to Generate a new self-signed certificate – we will get a chance to generate a proper Let’s Encrypt certificate shortly:

6pm est in utc.

5. Setup Let’s Encrypt

Jitsi comes with a handy script to setup Let’s Encrypt – simply run from the command line:

You’ll be asked for an email – Let’s Encrypt will use this to automatically send you expiry notices when your certificate is coming up for renewal.

Provided your DNS settings are correct and have propagated (it can take a few hours absolute worst case) your SSL certificate should have successfully generated.

If not, wait and re-run the script.

6. Test it out

With all that done, testing is simple – simply visit your new domain which in our case is https://meet.brring.com and start your first Jitsi video conference call:

If you’d like us to setup a similar solution or a server with your own branding feel free to get in touch.

This is the final post in a series of blogs examining the security of various Video Conferencing products for business. In this post we examine Skype for Business and Jitsi Meet. Posts still to come over the next few days will dive into Google Meet, Bluejeans, Skype for Business, Tixeo, Jitsi Meet & BigBlueButton.

To read about our approach to this analysis, understand the target security model we applied, or see a side-by-side comparison of the products reviewed please visit our first post from this series.

If you’re interested in the detail for Cisco Webex or Cisco Webex Team, please read on.

.

Skype for Business

Skype for Business (previously Microsoft Lync and Office Communicator) is a proprietary instant messaging platform developed by Microsoft as part of the Microsoft Office suite. It includes audio, video, chat and file transfer functionality. Skype for Business is integrated in the Microsoft Office suite, notably with Exchange and SharePoint.

Features

This solution initially required the installation of an on-premise Skype server, as well as the set-up of a client on the workstation, but is now integrated into the Office 2019 or 365 suite and is available in the cloud in SaaS mode via Teams. The solution is available on the most popular platforms (Android, iOS, Windows, MacOS) but not GNU / Linux.

Skype interfaces with Exchange to manage the calendar, meetings, presence indicators and document sharing.

Skype for business is charged but the license is included in most of the license packages with Microsoft.

The on-premise version requires the deployment of servers and several software components, including the .NET Framework, Microsoft Server, Microsoft SQL, etc. which are all required on each server. Along with complex network and firewall installations, deploying Skype onsite could be challenging for SME’s.

In September 2017 Microsoft announced that this solution will be abandoned in favor of Microsoft Teams, a new collaborative platform based in the cloud. It is therefore perhaps not a long-term solution.

Results table

Encryption
Uses an appropriate encryption algorithmFullySkype for Business uses TLS and MTLS to encrypt instant messages. All server-to-server traffic requires MTLS. Media traffic is encrypted using Secure RTP (SRTP), a profile of Real-Time Transport Protocol (RTP) using the Advanced Encryption Standard (AES).
Uses a strong encryption keyFullySkype for Business Web Conferencing server encrypts customer data using AES with a 256-bit key.
Data is encrypted in transit under normal useFullySee https://docs.microsoft.com/en-us/skypeforbusiness/optimizing-your-network/security-guide-for-skype-for-business-online
Data stays encrypted on provider serversUnclearSee https://docs.microsoft.com/en-us/skypeforbusiness/optimizing-your-network/security-guide-for-skype-for-business-online
Voice, Video and Text are all encryptedFullySkype for Business uses TLS and MTLS to encrypt instant messages, and media traffic is encrypted uses Secure RTP (SRTP) using the Advanced Encryption Standard (AES)
File transfers & session recordings are encryptedFullySee https://docs.microsoft.com/en-us/microsoft-365/compliance/encryption?view=o365-worldwide
Vendor technically can’t decrypt the data at any point, even under regulatory pressure (full E2EE)PartiallyMicrosoft owns the encryption keys by default. However, customers can provide their own key to encrypt data at rest if they wish.

A full on-premise version is available via Skype for Business Server.

See https://docs.microsoft.com/en-us/microsoft-365/compliance/customer-key-overview?view=o365-worldwide

Encryption implementation has withstood scrutiny over timeFully
Authentication
Administrators can define password security policiesFullyManaged by Azure AD.

See https://docs.microsoft.com/en-us/azure/active-directory-domain-services/password-policy

Supports MFA as defaultFullyModern Authentication is the Microsoft implementation of OAUTH 2.0 for client to server communication. It enables security features such as Certificate Based Authentication, Multi-Factor Authentication, and Conditional Access.

See https://docs.microsoft.com/en-us/skypeforbusiness/optimizing-your-network/security-guide-for-skype-for-business-online

Can integrate with Active Directory or similarFully
Can integrate with SSO solutions via SAML or similarFully
Offers RBACFullySee https://blog.insideo365.com/2016/04/managing-skype-for-business-online-administrator-rights/
Allows passwords to be set for meetingsNo
Allows meeting password security policies to be setNo
Jurisdiction
Headquarters addressUSAOne Microsoft Way, Redmond, Washington, U.S.A
The vendor cannot technically access any data without the client’s consentPartiallyMicrosoft owns the encryption keys by default. However, customers can provide their own key to encrypt data at rest if they wish.
A full on-prem version is available for users who don’t want to trust the vendorFullyhttps://info.calltower.com/blog/skype4b-online-vs-server-edition
For SaaS modes of deployment, the client can select which countries or political regions data is stored or processed inUnclearMicrosoft do offer a feature called Multi-Geo, however it is only available for Exchange Online and OneDrive, SharePoint Online and Microsoft 365 Groups.

See https://www.microsoft.com/en-gb/microsoft-365/business/multi-geo-capabilities

Complies with appropriate security certifications (e.g. ISO27002 or BSI C5)FullySee https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-home
Complies with appropriate privacy standards (e.g. FERPA or GDPR).FullySee https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-home
Provides a transparency report that details information related to requests for data, records, or content.FullySee https://www.microsoft.com/en-us/corporate-responsibility/law-enforcement-requests-report
Security Management
Offers other forms of access control to meetings, e.g. waiting rooms, lockout, banning etc.PartiallyThere is a lobby feature.

See https://support.microsoft.com/en-us/office/change-participant-settings-for-skype-for-business-meetings-9175e297-de5f-43b2-8e0f-85cc05e24986

Allows granular control over in-meeting actions like screen sharing, file transfer, remote control.FullySee https://docs.microsoft.com/en-us/skypeforbusiness/set-up-policies-in-your-organization/set-up-conferencing-policies-for-your-organization
Offers clear central control over all security settingsFullySee https://techcommunity.microsoft.com/t5/microsoft-teams-blog/announcing-the-new-microsoft-teams-amp-skype-for-business-admin/ba-p/179534
Allows for monitoring and maintenance of endpoint software versionsPartiallyManaged by other Microsoft services if on a Windows device.
Provides compliance features like eDiscovery & Legal HoldFullySee https://docs.microsoft.com/en-us/microsoft-365/compliance/ediscovery?view=o365-worldwide and https://docs.microsoft.com/en-us/exchange/policy-and-compliance/holds/holds?view=exchserver-2019
Auditing and ReportingFullySee https://docs.microsoft.com/en-us/skypeforbusiness/skype-for-business-online-reporting/skype-for-business-online-reporting
Additional content security controls like DLP, watermarking, etc.UnclearMicrosoft 365 does offer a data loss prevention service but it is not clear to us whether this would apply to Skype for Business.

See https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide

Vulnerability Management
Percentage of NVD 20190.02
Percentage of NVD 20200.00
Vendor discloses which vulnerabilities have been addressedPartially
Vendor runs a bug bountyFullyhttps://www.microsoft.com/en-us/msrc/bounty-microsoft-cloud?rtc=1

Encryption

By applying a standard set of security mechanisms (OAUTH, TLS and Secure Real-Time Transport Protocol (SRTP), data on Skype Business Server is protected over the network[1].

Network communications are encrypted between clients and the server. Encryption keys are owned by Microsoft by default, which is therefore technically able to decrypt client data, even when fully encrypted.

Skype voice messages are encrypted on Microsoft servers, but may not be when they are downloaded to a user’s endpoint. Calls placed to or from the PSTN (the ordinary phone network) are, of course, not encrypted.

In order to avoid compromised-key attacks, the keys used for Skype media encryption are exchanged over TLS connections. Skype for Business servers like the one used for chat use HTTPS to enhance the security of web traffic. Communications are therefore not encrypted end-to-end.

In 2018 Microsoft announced that it would start using the Signal Protocol by Open Whisper Systems to provide full end to end encryption for private conversation via a new via the ‘Private Conversation’ feature for the Skype personal application. The feature is available for all users on Skype iOS, Android, Linux, Mac, and Windows Desktop, but it does not appear that it is available in Skype for Business also.

Authentication

Authentication is via an internal AD account. Azure Active Directory (AAD) provides a single trusted back-end repository for user accounts. Skype for Business Server includes server-to-server authentication using the OAuth protocol.

Applying Modern Authentication – the Microsoft implementation of OAUTH 2.0 – for client to server communication enables security features such as O365 Certificate Based Authentication, O365 Multi-Factor Authentication and O365 Conditional Access[2]. Phone calls, text, One Time Pin or Mobile App Notification are all supported as second factors.

Jurisdiction & Regulation

Like Teams, Skype inherits many of Microsoft’s cloud security maturity, including compliance with most relevant security standards. This means it meets ISO 27001 and 28018 Standards, is both SAAE16 SOC 1 and 2 Compliant, HIPPA Compliant, and meets EU Model Clauses compliance regulations[3]. We could not find any reference to Skype and BSI C5 compliance.

However, Skype is a solution delivered by Microsoft, which falls under the jurisdiction of the United States government. Encryption keys are owned by Microsoft, which is therefore technically able to decrypt client data. Although this would be much less of a concern with an on-prem deployment. This may be of concern to clients operating outside the U.S.A.

If the organization is using the cloud version of Skype for Business then the data will be stored in the organization’s geographic zone, like the rest of the O365 services.

Security Features and Management

Skype for Business Server provides role-based access control (RBAC) to enable you to delegate administrative tasks while maintaining high standards for security.

An administrative portal is available to control security features like the ‘lobby’ and define policies for features like recording and file sharing.

Skype for Business, as well as other Microsoft services, complies with Microsoft Security Development lifecycle that includes the design of an evolutive threat model and the test performances on a regular basis.

Vulnerability & Exploit History

The NIST National Vulnerability Database records 4 vulnerabilities for Skype for Business and Skype for Business Server since the beginning of 2019:

Jitsi Server On Premise

YearReportedNVD TotalPercentage
2019417,3080.02%

All four these vulnerabilities were rated ‘Medium’ severity and, although vulnerabilities in the full range of Microsoft technologies are constantly being discovered and attacked, it would be fair to argue that Microsoft has robust processes and has developed a strong reputation in this regard.

Jitsi Meet

Jitsi is a free, open-source, instant messaging, audio and video conference application. The solution can be connected to other systems like Google Hangouts, thus allowing interactions with people on other messaging systems. It allows users to make calls on the Internet but also to landline phones and mobile phones.

Features

In our opinion the solution offers more than satisfactory audio and video quality, with no latency observed. Jitsi Meet leverages WebRTC[4] and HTML5[5], which work directly in conventional web browsers, so there is no need to install software even for iOS and Android.

Jitsi server is available as packages for Ubuntu and Debian Linux. It is also possible to install the server on Windows or MacOS devices as a virtual machine.

The solution is also highly interoperable with other messaging and communication systems.

On the downside, the solution requires a dedicated server or servers because the load rises very quickly with the number of users. Installation is within the user’s own infrastructure, which means a complex configuration and continuous upkeep of the servers. Automatic installation exists under certain distributions, but not all, and we would caution that manual set up is not for everyone and might quickly become complex.

Results table

Encryption
Uses an appropriate encryption algorithmFullyAll communication between the clients and HTTPs, the media is encrypted by WebRTC. WebRTC mandates SRTP-DTLS to be used. SRTP uses Advanced Encryption Standard (AES) as the default cipher. See https://www.callstats.io/blog/2018/05/16/explaining-webrtc-secure-real-time-transport-protocol-srtp

Galois/Counter Mode (GCM) is not enabled by default yet as of April 2020.

See https://github.com/jitsi/jitsi-meet/wiki/Jitsi-Meet-Encryption

Uses a strong encryption keyFullyWebRTC sends real-time audio and video over SRTP (Secure RTP). TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite and the P-256 curve are the mandatory to implement scheme.

See https://bloggeek.me/is-webrtc-safe/

Data is encrypted in transit under normal useFully
Data stays encrypted on provider serversNoJitsi Meet uses a P2P mode when there are just 2 participants in a call, providing end-to-end encryption.

When there are more than 2 participants the media gets routed through a Jitsi Videobridge. Then encryption is done hop-by-hop. That is, media is decrypted by the bridge and encrypted again when sending it out.

See https://github.com/jitsi/jitsi-meet/wiki/Jitsi-Meet-Encryption

Voice, Video and Text are all encryptedFully
File transfers & session recordings are encryptedPartiallyFile transfers will be encrypted by virtue of the WebRTC connection. As far as we can tell stored recordings are not encrypted by the application.
Vendor technically can’t decrypt the data at any point, even under regulatory pressure (full E2EE)N/AJitsi Meet, for the purposes of this assessment, is an open source self-hosted solution.
Encryption implementation has withstood scrutiny over timeFully
Authentication
Administrators can define password security policiesNoAccounts, and therefore passwords, are not required, but can be implemented via an LDAP integration.
Supports MFA as defaultNo
Can integrate with Active Directory or similarFullySee https://github.com/jitsi/jitsi-meet/wiki/LDAP-Authentication
Can integrate with SSO solutions via SAML or similarFullySee https://github.com/jitsi/jicofo/blob/master/doc/shibboleth.md
Offers RBACNoBy default, all participants can kick or mute others. If Secure Domain is configured, then only the host has moderator privileges.

See https://community.jitsi.org/t/moderator-permissions/24745

Allows passwords to be set for meetingsFullySee https://jitsi.org/security/
Allows meeting password security policies to be setNoWe could not find any reference to meeting password policies.
Jurisdiction
Headquarters addressN/ASince Jitsi Meet is an open source and free solution, the applicable laws depend on the laws of the country that decided to implement the solution.
The vendor cannot technically access any data without the client’s consentN/AThere is no vendor as this is likely to be a self-hosted solution
A full on-prem version is available for users who don’t want to trust the vendorFullyJitsi Meet is primarily designed to be an on-prem solution.
For SaaS modes of deployment, the client can select which countries or political regions data is stored or processed inN/A
Complies with appropriate security certifications (e.g. ISO27002 or BSI C5)No
Complies with appropriate privacy standards (e.g. FERPA or GDPR).PartiallyThe way the software works means that very little personal data is collected, making it easier to comply with GDPR.

See https://jitsi.org/meet-jit-si-privacy/

Provides a transparency report that details information related to requests for data, records, or content.No
Security Management
Offers other forms of access control to meetings, e.g. waiting rooms, lockout, banning etc.NoIf Secure Domain is configured, then participants cannot join until the host creates the room. However, a full waiting room feature is due to be released imminently.

See https://community.jitsi.org/t/lobby-waiting-room/27752/45

Allows granular control over in-meeting actions like screen sharing, file transfer, remote control.NoWe could not find mention of this type of control.
Offers clear central control over all security settingsNoThis is not available as by default no user accounts are used.
Allows for monitoring and maintenance of endpoint software versionsNoDesktop clients are available but are not managed by the product. Mobile client apps will update automatically from their app store.
Provides compliance features like eDiscovery & Legal HoldNoThere is no reference to these features, furthermore data is only stored for the duration of the meeting and is then destroyed.
Auditing and ReportingPartiallyJitsi Meet does allow some reporting on statistics.

See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/statistics.md

Additional content security controls like DLP, watermarking, etc.PartiallyThere is the ability to change the existing jitsi.org logo watermark to one of your own, this will then display on all meetings.
Vulnerability Management
Percentage of NVD 20190.00
Percentage of NVD 20200.01
Vendor discloses which vulnerabilities have been addressedFullyThere are no vulnerabilities recorded for Jitsi Meet in the NIST National Vulnerability Database in the period since the start of 2019. However, a medium-severity security bug was recorded with NIST in 2017. As of April 29, 2020, another potentially serious vulnerability is under consideration by NIST. Jitsi has also been impacted by vulnerabilities in other third-party software it leverages.
Vendor runs a bug bountyNoAs Jitsi Meet is open source there is no vendor as such, any issues would be reported and resolved by the community involved with it.

Encryption

Jitsi offers two modes of operation:

  • For two people in conversation, the automatic configuration is “Peer-to-Peer”. In this mode the link is directly established between the two people and the encryption is end-to-end.
  • For more than two users, or if “Peer-to-Peer” is unavailable, the encryption mode changes. Communications between the client and the server are encrypted, but the encryption is not properly “end-to-end”.

The security of the server hosting the solution is the responsibility of the organization. Jitsi Meet is available from various providers as SaaS, in which case the communications security also depends on the security provided by the hosting solution.

Our understanding is that Jitsi plans to support full E3EE via WebRTC in a future release, but the timelines and details are not clear yet.

Authentication

Jitsi has a different approach to security and privacy than the others discussed here. By default, it does not require users to create an account, and any information users do choose to enter (name, e-mail, etc) is optional and shared exclusively with other meeting participants. There is no notion of ‘authentication’ in the default operating mode.

However, it is possible to adapt Jitsi’s configuration to interconnect it to a LDAP system or even enforce strong authentication via third party Multi Factor Authentication systems like PrivacyIDEA[6]. It is also possible to add a SAML authentication by installing some additional packages.

The integration of these authentication methods requires sometimes significant adaptation of the default installation[7].

Jurisdiction & Regulation

The Jitsi application is part of a list called “SILL” of free software approved by the French state for government use, which has been maintained by the French state since 2016.

Like BigBlueButton, Jitsi is free and Open Source software. The applicable jurisdiction therefore depends on the country in which the solution and data are hosted. Thus, if the security level of the solution is compliant with laws in some countries, this will not be the same in every country.

Jitsi Meet On Premises

The way the software works means that very little personal data is collected, making it easier to comply with GDPR. But to comply with regulations like HIPAA or GDPR, low-level configuration changes need to be made. The solution is published under the Apache v2 License[8], which makes these kinds of changes possible.

Security Features and Management

Jitsi rooms are ephemeral, which means they only exist while the meeting is taking place and are erased when the last participant leaves. Jitsi allows users to set a meeting password but does not provide functions to share the password automatically, for example through an invitation e-mail. Chat logs or stats are kept for the duration of the meeting and then destroyed.

One advantage with Open Source options like Jitsi and BigBlueButton is that they are open source software, meaning it is theoretically possible to audit the source code of the application and to validate it, or even potentially to make changes to it.

Vulnerability & Exploit History

There is one vulnerability recorded for Jitsi Meet in the NIST National Vulnerability Database in the period since the start of 2019.

YearReportedNVD TotalPercentage
202018,0220.01%

However, a medium-severity security bug was recorded with NIST in 2017. As of April 29, 2020, another potentially serious vulnerability is under consideration by NIST. Jitsi has also been impacted by vulnerabilities in other third-party software it leverages.

1: Video killed the conferencing star
2: In-depth product analysis – Zoom & Microsoft Teams
3: Let’s examine Cisco Webex – A visionary player
4: Google Meet and BlueJeans – Re-engineered platforms for secure meetings
5: Tixeo and BigBlueButton
6: A closer look at Skype for business and Jitsi Meet

Sources

[1] https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/security/tls-and-mtls
[2] https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/modern-authentication/topologies-supported
[3] https://docs.microsoft.com/en-us/microsoftteams/security-compliance-overview
[4] https://en.wikipedia.org/wiki/WebRTC
[5] https://en.wikipedia.org/wiki/HTML5
[6] https://github.com/jitsi/jitsi-meet/wiki/LDAP-Authentication
[7]https://github.com/jitsi/jicofo/blob/master/doc/shibboleth.md
[8] https://www.gnu.org/licenses/lgpl-3.0.en.html

Authors

Head of Security Research

Charl van der Walt

Technical thought leader, spokesman and figurehead for Orange Cyberdefense world-wide, leading and managing the OCD Security Research Center – a specialist security research unit. We identify, track, analyze, communicate and act upon significant developments in the security landscape.

Senior Consultant Cybersecurity

Quentin Aguesse

Graduated from a French Business School, Quentin is now senior consultant at Orange Cyberdefense operating from Casablanca (Morocco). With nearly 10 years of experience, Quentin has specialised in risk assessment , disaster recovery planning, as well as cybersecurity awareness.

Consultant Cybersecurity

Jérôme Mauvais

As a specialist in regulatory compliance, Jérôme Mauvais is a security consultant for Orange Cyberdefense. Highly invested in the protection of personal data, Jérôme has also been remarked all along his career for his great capacities of knowledge transmission.

Jitsi On Premise Requirements

Lead Security Researcher (MSIS Labs)

Jitsi On Premise

Carl Morris

Carl has over 20 years’ experience working within IT, covering the whole breadth of the IT infrastructure, with a primary focus and interest on the security related solutions. This has been followed by a decade working in MSSP’s, the latest of which being at SecureData for over 7 years. Initially as an Escalation Engineer followed by moving into Professional Services then to the Managed Threat Detection team as a Senior Security Analyst before moving into the Labs team as a Lead Security Researcher.

Install jitsi on premise

Jitsi On Premise Docker

Share