
Documentation: Don't encourage unencrypted passwords for Prosody

Open Bobobo-bo-Bo-bobo opened this issue 4 years ago • 1 comment

Description

The section "Secure domain" of the README.md of this project lists internal_plain as authentication method for Prosody.

This will store passwords unencrypted in the filesystem.

This is insecure (an attacker could easily extract the passwords). Instead of internal_plain, the method internal_hashed should be used.

The client side implementation of Jitsi Meet / Jicofo supports SCRAM as authentication method (PLAIN is obsolete and DIGEST-MD5 has been obsolete since 2011 - see RFC 6331 (https://tools.ietf.org/html/rfc6331)).

Upon change, Prosody will convert internal_plain passwords to internal_hashed automatically (for the memory and sql storage backends) when restarted.

Bobobo-bo-Bo-bobo avatar May 02 '20 09:05 Bobobo-bo-Bo-bobo
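As an added example (not code from the jicofo README, Prosody, or the issue author), the following script audits a prosody.cfg.lua for the weak setting the issue describes: it resolves the `authentication` provider per VirtualHost (honouring a global default), flags hosts that would store passwords with internal_plain, and shows the corrected form with internal_hashed. The embedded config is constructed for the example and only modelled on the README's "Secure domain" layout; the hostnames are placeholders.

```python
"""Audit a Prosody config for plaintext password storage.

Added example, not part of jicofo or Prosody: scans prosody.cfg.lua text for
the `authentication` setting of each VirtualHost/Component and reports hosts
whose accounts would be stored unhashed (the internal_plain provider).
"""
import re

# Constructed sample config (hostnames are placeholders). The first host
# carries the weak setting, the last one the corrected setting.
SAMPLE_CONFIG = """\
VirtualHost "jitsi-meet.example.com"
    authentication = "internal_plain"   -- weak: passwords stored as-is
    modules_enabled = { "bosh"; "pubsub"; "ping"; }

VirtualHost "guest.jitsi-meet.example.com"
    authentication = "anonymous"

VirtualHost "auth.jitsi-meet.example.com"
    authentication = "internal_hashed"  -- fixed: salted hashes on disk
"""

# Providers that keep the password recoverable from the account store.
PLAINTEXT_PROVIDERS = {"internal_plain"}

_HOST_RE = re.compile(r'^\s*(?:VirtualHost|Component)\s+"([^"]+)"')
_AUTH_RE = re.compile(r'^\s*authentication\s*=\s*"([^"]+)"')


def parse_auth_per_host(config_text: str) -> dict:
    """Return {host: authentication provider} for every host section.

    An `authentication` line before the first host section is the global
    default; hosts without their own line inherit it (None if no default).
    """
    hosts = {}
    global_auth = None
    current = None
    for raw in config_text.splitlines():
        line = raw.split("--", 1)[0]  # drop Lua line comments
        m = _HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts.setdefault(current, None)
            continue
        m = _AUTH_RE.match(line)
        if m:
            if current is None:
                global_auth = m.group(1)
            else:
                hosts[current] = m.group(1)
    return {h: (a if a is not None else global_auth) for h, a in hosts.items()}


def find_plaintext_hosts(config_text: str) -> list:
    """Hosts whose effective provider stores passwords in plaintext."""
    return sorted(h for h, a in parse_auth_per_host(config_text).items()
                  if a in PLAINTEXT_PROVIDERS)


def harden(config_text: str) -> str:
    """Rewrite internal_plain to internal_hashed in the config text.

    Per the issue, Prosody re-hashes existing accounts for the internal
    storage backends on the next restart, so no manual migration is needed.
    """
    return re.sub(r'(authentication\s*=\s*")internal_plain(")',
                  r'\1internal_hashed\2', config_text)


if __name__ == "__main__":
    for host in find_plaintext_hosts(SAMPLE_CONFIG):
        print(f"plaintext password storage on {host}: use internal_hashed")
    print("after hardening:", find_plaintext_hosts(harden(SAMPLE_CONFIG)) or "clean")
```

Run it against a real prosody.cfg.lua by reading the file into `find_plaintext_hosts`; a non-empty result means the account store for that host should be reviewed and the provider switched before the next restart.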

This issue can be closed with https://github.com/jitsi/jicofo/pull/468

ref: https://community.jitsi.org/t/user-passwords-stored-in-plaintext/33099/3

luixxiul avatar May 08 '20 05:05 luixxiul

I don't see any more instances of this.

bgrozev avatar Jan 04 '23 21:01 bgrozev