jitsi-meet
Code questions about Security research, recommendations for where to start
Hello dear community,
I'm working in a government project where we provide video conferences for German schools (underage students). Our security staff now has some additional questions about the inner workings of the Jitsi Meet client, i.e. the part that runs in the browser. I'm not expecting answers to the questions right away, more like some basic recommendations on where to start. I'm familiar with some programming languages, including JS, but not with frameworks like Node.js. We've already been looking at the OWASP recommendations and did our due diligence there.
Questions I was asked are:
- During a conference a user can add a gravatar account. Would it be possible to inject some malicious image there which could harm someone, possibly even other participants of that conference?
- How is the conference password handled when set? Would a side-channel attack (like spectre etc.) be able to snoop on the password from a neighbouring VM? How is it stored in memory? Obviously it needs to be available for the whole duration of a conference.
- Could session IDs/cookies be stolen and misused? (We already have hardening for XSRF on our web server)
- Is there data sanitization for input data, video, audio, images?
- Are there best practices to prepare for DoS attacks?
Thanks very much, stay safe.
- During a conference a user can add a gravatar account. Would it be possible to inject some malicious image there which could harm someone, possibly even other participants of that conference?
I don't think so. We attach the gravatar URL to an `<image>` tag. If that could lead to a security issue it would be a browser bug, not something our app can do anything about.
- How is the conference password handled when set?
It's sent by the user in an XMPP message which is sent over a TLS connection.
- Would a side-channel attack (like spectre etc.) be able to snoop on the password from a neighbouring VM?
I don't think so; you'd need to decrypt the TLS connection first.
- How is it stored in memory? Obviously it needs to be available for the whole duration of a conference.
This is done by Prosody, which is written in Lua and stores them in memory attached to a Lua object. I'm not expert enough to tell you if there are any security implications there.
- Could session IDs/cookies be stolen and misused? (We already have hardening for XSRF on our web server)
If you are using JWT then a leaked token would grant an attacker access to the meetings the token provides access to. We don't send the token anywhere (other than our backend). Still, making sure tokens have limited scope (one meeting, and a set duration) is a good practice.
- Is there data sanitization for input data, video, audio, images?
At what layer?
- Are there best practices to prepare for DoS attacks?
XMPP stanza limits are a good thing to turn on, our default config contains some sane defaults.
Hope that helps!
Hi @tseeling, in the beginning we had the same questions in a similar use case in Germany. Therefore, we developed another open source project to protect the conferences. Maybe https://github.com/H2-invent/jitsi-admin is something for you to evaluate; it increases the security of the conferences and simplifies their organisation.
That looks cool! Mind sending a PR adding it here? https://jitsi.github.io/handbook/docs/community/third-party-software
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.