Jitsi’s a useful chat or conferencing tool — but be wary of these two things

  • tl;dr Give your chats random, difficult-to-guess urls, and don’t think setting a password makes everything secure

Let me start by saying: I use Jitsi regularly, I like it, and I think it’s a good thing that there’s an open-source alternative to the really big players.

Also, if anyone knows of a simple way for occasional users of it to avoid these issues, let me know (my DMs are open).

I started using Jitsi a couple of years ago, and like the simplicity and the functionality that’s impressive for a free platform.

One of the things I didn’t like for a while was the bizarre auto-generated urls you got for your chats, which usually (but not always) took the form AdjectivePluralnounVerbAdverb:

Image for post
Image for post

So I was quite pleased when I noticed recently that that was not actually necessary:

Whether this is a recent development, or was always the case and I just hadn’t noticed, I don’t know. But now it was apparent that you could simply and quickly create whatever url you wanted, as long as no one else was currently using it.

This seemed great for branding, but could be… problematic.

Being able to name your chat whatever you want gives you the opportunity to do things like this:

Image for post
Image for post

The underscores are useful, so that when your chat is created, the spaces appear in the right places in the on-screen caption (apologies to Her Majesty’s Government):

Image for post
Image for post

It doesn’t take much imagination to see the potential for pranks, social engineering and identity theft. With a bit of work on backgrounds, and a convincing spiel, a target could be convinced they’re speaking to a media outlet, a major corporation or an NGO.

You can restrict access to chats, though. Once you’ve set it up, you can set a password:

Image for post
Image for post

However, this password does not survive if everyone leaves the chat. Meaning anyone who has the url can use it to re-enter — and then set their own password, effectively locking everyone else out until they leave.

Even more problematic than that is something that is available to anyone on the chat:

Image for post
Image for post

Yes, once you are in a chat, this option is available. I thought at first I must surely be mistaken with this, so I tried it with my friend and colleague Tom.

I set up a chat, set a password, and then sent Tom the url and the password. He entered the chat, and did indeed get the option to remove the password. As soon as he did that, and set a new one, I got this notification on my screen:

Before I got the chance to raise with him how odd this function seemed, he spotted this:

Image for post
Image for post

And I was promptly out of the chat that I had set up — and that I had set the original password for.

I had done nothing more than allow Tom to join the chat; after that he was free to remove my password, change it to one of his own, and then unceremoniously boot me out.

So, to sum up, I do use Jitsi a lot, and I will most likely continue to use it. I would love if they could address the issues mentioned here. But for now, the key takeaways are:

  1. Don’t let the title on a chat persuade you of the bona fides of its host;
  2. If you don’t want people finding your video conference, accidentally or otherwise, give it a random, difficult-to-guess url. Also, do not share this url openly online;
  3. Do not regard setting a password as equating to your chat or conference being “secure”.

Happy chatting

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store