Friendly reminder that meet.jit.si is not end-to-end encrypted. So, unless hosting your own instance, using the website or the videoconference integration in Riot means your conversation is routed through an Atlassian-owned server.
Yes, that is correct (except the Atlassian bit, we are owned by 8x8 now).
Currently WebRTC does not provide the necessary tools to make E2EE possible while still being able to use smart video routing techniques such as simulcast and SVC.
There is hope! In order to be able to have E2EE 2 things are needed:
* some metadata must be available without decrypting packets, this is (mostly?) available as RTP packet extensions, called "frame markings"
* an API is necessary to be able to inject one's own encrypting engine in the WebRTC chain, Google is working on this API and hopefully it's available later in the year. Google is calling this "insertable streams": https://www.chromestatus.com/feature/6321945865879552
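The split that comment describes (routing metadata left readable, media payload encrypted with a key the server never holds), as an added example that is not part of the thread and not Jitsi's or Google's code. Node's `crypto` module stands in for the browser-side encryption hook; the two-byte header layout, the function names and the sample frames are assumptions made for the illustration, and key distribution between participants is out of scope.

```javascript
// Added illustration; Node's crypto module stands in for the browser-side hook.
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

const HEADER_LEN = 2; // constructed layout: [isKeyframe, temporalLayer]
const IV_LEN = 12;
const TAG_LEN = 16;

// Sender: encrypt the payload, leave the header readable but authenticated (AAD).
function encryptFrame(key, counter, header, payload) {
  const iv = Buffer.alloc(IV_LEN);
  iv.writeBigUInt64BE(BigInt(counter), 4); // must never repeat under one key
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(header);
  const body = Buffer.concat([cipher.update(payload), cipher.final()]);
  return Buffer.concat([header, iv, body, cipher.getAuthTag()]);
}

// Receiver: throws if the header or the payload was altered in transit.
function decryptFrame(key, frame) {
  const header = frame.subarray(0, HEADER_LEN);
  const iv = frame.subarray(HEADER_LEN, HEADER_LEN + IV_LEN);
  const body = frame.subarray(HEADER_LEN + IV_LEN, frame.length - TAG_LEN);
  const decipher = createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAAD(header);
  decipher.setAuthTag(frame.subarray(frame.length - TAG_LEN));
  return Buffer.concat([decipher.update(body), decipher.final()]);
}

// Server (SFU): holds no key, decides what to forward from the clear header only.
function sfuForward(frames, maxTemporalLayer) {
  return frames.filter((frame) => frame[1] <= maxTemporalLayer);
}

function demo() {
  const key = randomBytes(32); // shared between participants, never given to the SFU
  const sample = [ // constructed frames
    { keyframe: 1, layer: 0, data: 'keyframe-data' },
    { keyframe: 0, layer: 1, data: 'delta-layer1' },
    { keyframe: 0, layer: 0, data: 'delta-layer0' },
  ];
  const sent = sample.map((f, i) =>
    encryptFrame(key, i, Buffer.from([f.keyframe, f.layer]), Buffer.from(f.data)));
  const forwarded = sfuForward(sent, 0); // low-bandwidth receiver: base layer only
  const decoded = forwarded.map((f) => decryptFrame(key, f).toString());
  const tampered = Buffer.from(forwarded[0]);
  tampered[1] ^= 1; // a relay rewriting the layer id
  let rejected = false;
  try { decryptFrame(key, tampered); } catch { rejected = true; }
  const leaked = forwarded.some((f) => f.includes('keyframe-data'));
  return { forwarded: forwarded.length, decoded, rejected, leaked };
}
```

Binding the header as associated data means the relay can read it to pick layers but cannot rewrite it without the receiver's decryption failing.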
Worth noting that Riot can be configured to use any jitsi instance, the default option is jitsi.riot.im which is hosted by New Vector on behalf of the Matrix.org Foundation.
To be accurate: no tool that relies on webrtc is end-to-end encrypted. So, no, it isn't. It is encrypted on the wire, just like the other tools mentioned here.
He says that video/audio in calls are end-to-end encrypted when the server is using the default PHP backend, but not the high-performance backend (an optional paid and proprietary enterprise upgrade).
> video/audio is already end-to-end encrypted
> By default with the internal signaling backend audio/video calls (no matter if 1:1 or group) are end-to-end encrypted.
> and without the HPB its always paar-to-peer [sic] and therefor end-to-end encrypted.
> Chat is currently not end-to-end encrypted, only the audio/video of calls are.
Someone mentioned Jitsi's statement and the developer responded:
>> But I don't understand why the Jitsi people write, "WebRTC today does not provide a way of conducting multiparty conversations with end-to-end encryption."
>> That would only be true if I decided to use an additional HPB solution, wouldn't it? But not out of the box.
> Exactly, I guess for better user experience and performance they have a SFU or MCU in place (our HPB is an SFU), and therefore it stops being end-to-end encrypted
Last time I tried it like half a year ago, NextCloud talk was unstable and didn't have any decent client software, it was literally useless to me. I hope they make it better.
As others have pointed out, we use jitsi.riot.im, which is provided by New Vector (the company behind Riot) rather than anything to do with Atlassian/Jitsi/8x8.
We were using this for a while to do meetings for sr.ht, but we recently switched to - believe it or not - Mumble. It's old and unsexy but damn it's reliable.
Mumble is great, we use it lots for working on Secure Scuttlebutt, but we end up using Jitsi for calls between small groups with fast internet because video chat is nice with friends.
I would love to use something like Mumble but with video, although that may just be Jitsi.
Mumble is insanely awesome. It's still my go-to app if you don't need video (which is most of the time for me). The only downside (maybe really an upside) is that you need to spend considerable amounts of time and effort setting it up for good audio quality. But the latency just can't be beat.
Audio quality depends on jitter timing. Too low and you get dropouts, too high and you get uncanny valley with the delays and pauses. You should never have to twiddle these settings since internet routing is so dynamic. But things to look at include jitter sample size (20ms is a good start), codec selection (lower bandwidth), and server resource usage (more cpu or ram). I don’t use Mumble but ran an Asterisk server for a decade and these were the three things that mattered most to reduce conference call latency.
In this case, it's mostly getting the levels set up and cutoff set up correctly since by default it cuts off when you aren't talking (and thankfully doesn't have AGC). There is a push to talk mode, but most people that I know don't use it.
Same at Snowdrift.coop. We still try jitsi again every once in a while because we'd like to make joining our meetings more accessible to new contributors, or if we want video. However, jitsi quality tends to degrade in meetings with 5+ people or when one person had a bad connection. Not always, but enough where we've wasted meetings due to struggling with tech. In the end, how well it works matters more than how sexy it is, and the reliability of mumble just can't be beat.
Does this work properly on mobile/without headsets for you?
Our problem was that we had way too much echo/reverb, especially when people were not using headsets. Just having one non-headset user killed it for us. IIRC even one user talking into their phone normally (i.e. no "loudspeaker" setting activated on their phone) killed our conversations because people heard themselves talking. I've tried finding a setting that would be OK to use when no headset is available, but I just couldn't get it to become bearable.
I'd really like to use something self-hosted, but I can't control what devices people use, and users are way too used to simple interfaces. I've also tried a self-hosted Jitsi meet instance more than a year ago, which for some reason has much better echo reduction, but it sometimes didn't work for one or two of our colleagues for unknown reasons, maybe because most of us have Firefox, not Chrome, or mobile browsers.
The android app didn't work on my Sony Z1, but I've since changed phones and it seems to work now.
I have an eerie feeling that one of the next major "scandals" in technology will center around companies who learn how to abuse the real-time video/audio capabilities of the browser without disclosing (clearly) to end users the implications.
These days anyone with a bit of programming knowledge can now open WebRTC sessions from the server, decrypt the contents, and multiplex streams back to clients (great for large group video chats). A great capability IMO, but immense potential for abuse by bad actors. I think now is a perfect time for people "in the know" to start educating the public on this.
There was a bunch of abuse that already happened with host candidates, was fixed recently though! [0] Tor also did a bunch of really great work figuring out all the ways you can be fingerprinted.[1]
When I shared [2] a lot of people gave me flak for enabling malware. I don't come from that background, so hard to think 'how can people abuse this technology'
It is too late now to roll back all the WebRTC stuff in the browser though :) Definitely would be mind blowing how much data is flowing because of it (and how much money is being made because of it).
The Jitsi team is fantastically responsive at answering technical questions about their codebase. Some of the code is showing a bit of its age, but they're constantly renovating and updating it. Thanks for everything you guys do!
In 2020, a company that provides a product for free without a standard business model will be met with skepticism: not just from investors, but from users.
How is jit.si able to do this for free where many other companies charge? Are they monetizing user data? Or trying to upsell some parent company services? Is this an honest-to-goodness non-profit because someone was fed up with video conferencing?
None of these are potentially deal-breakers, but they need to be transparent about why they are doing this for free and what they are getting out of it. In 2020, the understanding of "free" is much more sophisticated than it was in say 2010.
Hey there, Jitsi dev here. Great questions, let me try to clarify.
Jitsi is now owned by 8x8, which has a clear business model. We recently launched 8x8 Meetings, which is a rebranded Jitsi Meet with a few extra bells and whistles.
We (Jitsi) have remained Open Source while navigating through 2 acquisitions (Atlassian and 8x8) and being Open Source is in our DNA. Thus, remaining in this state was always a non-negotiable item during acquisition talks.
> If Jitsi doesn’t make any money, how can it continue to support the project?
> We are fortunate that our friends at 8×8 fully fund the project. 8×8 uses Jitsi technology in products like Virtual Office. The open source community and meet.jit.si service help to make Jitsi better, which makes 8×8 products better, which helps to further fund Jitsi. This virtuous cycle has worked well in the past and should continue to for many years to come.
This is owned by Atlassian. After you submit a pull request they send you a huge contributor agreement saying that all your contributions are owned by Atlassian. Fuck that.
The FSF situation is a bit different, assigning your copyrights to them is making a donation to charity. They also allow you to take back the copyright at any time.
At least originally, the reason for assigning copyright (and signing a waiver) was because there were some high profile cases of employers claiming that some contributions were owned by them when employees did work in their spare time. I believe it was RMS who decided that legally it was just safer to ask for copyright assignment. I believe that he later relaxed significantly on the position, but I think it's still common practice on GNU projects.
It was my understanding that the reason for copyright assignment was that the FSF believed it would be difficult to defend the copyright of a project if it was owned by multiple people.
With several high profile cases in the Linux kernel I think this belief has been shown to be overcautious and maybe this has led to a relaxation of the position.
Right, but my original question remains. How would the FSF allow the original copyright holder to claw back the copyright after assignment?
That seems like it would be potentially incredibly disruptive (e.g. if a contributor decides several years after a lot of work has been built on top of the contributed code to claw back the rights), especially because as far as I'm aware there isn't a separate license you give the FSF on a contribution, just the assignment. AFAICT it wouldn't even make sense to give the FSF a license because you don't own the code anymore, the FSF does.
I can't find anything on the FSF website that allows this.
It's part of the agreement you sign with them. The agreements are not public AFAIK, you'll only see them when you contact someone to assign the copyright. Yes it would be inconvenient if someone did that, but that's additional incentive for the FSF to make sure they do the right thing.
Probably a separate license is given to the FSF as a condition for assigning the copyright back. Then having a lot of work built on top of the original contribution would actually help the FSF, because then they'd have standing to enforce copyright on the derived work.
So what's the alternative? I juggle many different video conferencing tools, and most of them require me to install their app, are closed source, and/or only run in Chrome. The closest I've found is Whereby, but that has a limit of 4 people and is closed source, I think.
Is this the same as talky.io (which I've used in the past and liked)? All the same underlying technology as Google Meet, right? WebRTC with some extra magics?
I've used the Jitsi integration with Riot.im a bit on my self-hosted Matrix/Synapse server -- I'm always impressed with what a high-quality and seamless experience it is
I try to use open source tools wherever possible with my team. Can anyone experienced with both share how this compares to Zoom or Hangouts? Is it reliable?
I've been using Jitsi and Google Hangouts for years, and in terms of reliability/quality, I can't really tell any difference. Haven't used Zoom much.
The nice thing about Jitsi is it's the most simple process I've seen: just tell people to go to a simple vanity URL (URL you get to design) and that's all. I sometimes find Hangouts confusing with all the invitation, accepting, etc.
For people I videochat with often, I just say "jump on Jitsi?", then start typing in URL bar which autocompletes and boom, we're chatting
Bear in mind that your URL is your password, and you might occasionally get randos joining you if it's too simple a URL. Happened to me once at work, got some giggling people whilst we were pairing, they then hung up immediately :)
It's reliable, especially for one-on-ones or smaller groups with participants that have good bandwidth internet connections. In terms of bandwidth needs it can't compete with Zoom yet. If you have bigger meetings with participants from all over the world, and would like to use video, I wouldn't recommend it at the moment.
We tried jitsi for a while and found it did not perform well for screen sharing in large groups (which we use extensively). We switched to whereby.com (former appear.in) which is not free for group meetings (used to be though) but is much more reliable. Creating new meeting rooms works the same way as in jitsi
I have tried it some time ago and it was pretty good in terms of video quality.
Maybe someone knows, I was searching for something that would allow me to have almost local video quality for a chat app. I don't understand why there's anything that let me do it if I'm sitting on a good wifi and the other person also sitting in the same building on a good wifi. I even don't care about latency much, as long as it's within a couple of seconds. YouTube streamers seem to be doing it somehow, are there options for video chats apps?
Thing is, video conferencing/chat apps use technologies like webRTC (which is basically RTP). They are totally focused on super low latency (< 1s). This is understandable, because you can't have a conversation with multi-second latency.
They achieve this by having sub-optimal, but faster encoding parameters/algorithms and tiny buffers.
If you want better video quality and can live with multi-second latency you need to look at different technologies like RTMP or HLS, which is what youtube/facebook streams do.
I understand they focus on low latency in general, but why it's not customizable and no one allows to tweak/switch what you prefer? Youtube streams etc lack interactivity of videochat. It's just I'm sitting in the same building with another person, on the same wifi with multiple hundreds of megabits/s available to us, using powerful phones/tablets and there's nothing that can deliver good quality of video? Seems weird.
A while back, I built a site around OpenMCU-ru (https://github.com/muggot/openmcu) but due to changes in html5 (keygen deprecation) it's pretty much broken my site.
But I did want to toss this out there as an alternative to jit.si as it is functional to h.264 and sip clients and with some other software fronting it (like Kamailio) could be made to do SRTP and WebRTC with a html5/js sip client.
This looks very similar to appear.in . We used to use appear.in about 7 years ago, when it was open like this. Unfortunately, all of these type of services require some kind of revenue model, and it usually requires them to limit or completely close their "open" versions.
Except for last week (jitsi sucked whenever it was more than two people) we've been doing weekly videocalls for 11 months via meet.jit.si between Hamburg (Germany), Goa (India) & South Cambodia with almost zero issues - we even kicked out webex since jitsi had dial in
From personal experience a few months ago: Firefox works for the essentials, but anything more than webcam video failed. Sharing/synchronised watching of YouTube videos or screen sharing only worked on Chrome.
In my experience, even the somewhat disappointing performance of Jitsi is better than Hangouts. My worst case was a video call between Italy, Slovenia, Canada and 3x Korea and while Jitsi struggled, Hangouts was straight up unusable. I don't know whether Hangouts got confused and picked a geo-average server on some island or something, but Jitsi was at least mostly usable.
1) proprietary solutions in the age of surveillance capitalism.
2) offer in-browser cryptography to ensure security. I don't see any end-to-end encryption elements in that. Your data gets essentially delivered to the service. Do we really want that? Haven't the companies like FB already shown you should never trust them with your data? I mean, I'm baffled to see people would go in circles and instead of realizing the fundamental fault (lack of privacy by design), they go for the next vendor who promises not to abuse their data. Well no surprise there, for these services the business model IS the data. And it will never change unless they prove it won't be used by switching on E2EE and allowing anonymous registration and use via Tor.
At least back in the day Jitsi offered E2EE for VoIP and video with ZRTP + SRTP. I'm not sure what the case is now but people, think twice before you sign up to these "free" and fun one-click sites.
Umm what phone are you using? I hope you realize that contrary to what you think Android isn't completely open source and some of the most key parts are owned by probably the biggest enemy of privacy on Earth.
That's what we could call nirvana fallacy. Sure, the stack is never 100% free. But that doesn't mean we shouldn't use free and open source stuff where possible. Plus why should we use something that isn't E2EE by default. It's just FB all over again.
See https://github.com/jitsi/jitsi-meet/issues/409#issuecomment-....