Jitsi, an open source rival to Zoom, Microsoft Teams, and Google Meet, has started its process of building end-to-end encryption features.
- Jitsi, an open source videoconferencing app that Atlassian sold to 8x8 in 2018, is poised to introduce end-to-end encryption on its platform.
- Currently, rivals like Zoom, Microsoft Teams, and Google Meet do not use end-to-end encryption.
- Emil Ivov, head of video collaboration at 8x8, says that Jitsi has always been security focused, which is more important now than ever as attacks like "Zoombombing" becomes a bigger issue during the coronavirus pandemic.
- Visit Business Insider's homepage for more stories.
Ever since the coronavirus crisis erupted, 8x8's open source video conferencing platform Jitsi has seen a major increase in demand, the company says. Now, it's taking the first steps to become more secure than any of its competitors.
Since Atlassian sold Jitsi to communications company 8x8 in 2018, the platform powers 8x8's Video Meeting product, which has customers like Comcast, Greenpeace, and WeSchool, which has connected 500,000 educators and students in Italy during the coronavirus pandemic.
Jitsi has nearly 12 million monthly active users. That's an admittedly small number compared to giants like Zoom (200 million daily active users), Microsoft Teams (44 million daily active users), and Google's video product, Meet (which said in early April that it had two million new users every day, though it has not reported its total users).
Still, there's one area where Jitsi aims to set itself apart from its larger competitors: Security.
None of its rivals currently support end-to-end encryption, the most private form of communication where only the people participating in a conversation have access to it and potential eavesdroppers aren't able to understand the data. Zoom previously said it supported end-to-end encryption, but walked back those claims and changed its wording after The Intercept reported that it was misleading users.
While Jitsi doesn't offer end-to-end encryption for its meetings yet, it's embarking on a path towards doing so using standards from the open source communication software project WebRTC. Jitsi has published its plans and called on cryptographers to look at them and provide comments and suggestions. From there, Jitsi will review those comments to help it improve its proposed process before implementing it.
Bringing end-to-end encryption to Jitsi will be a massive undertaking — it will need to build robust authentication features and encryption key management processes — but Emil Ivov, the product's founder and head of video collaboration at 8x8, says that the company is ready for the challenge.
"It's a very complex problem but we're confident we'll get it," he told Business Insider.
While Jitsi published a long post about its process, Ivov mentioned two ways it plans to implement end-to-end encryption:
First, while Jitsi is competing with Google, it's using some of the company's security tools, too. Jitsi plans to use an API called called "Insertable Streams" that Google recently launched in conjunction with other features that it's building in-house. The API scrambles up video and audio in streaming, so that no third party – including the service provider – will be able to understand it and spy on people in the meeting.
Ivov says that Jitsi also plans to use the Double Ratchet Algorithm, which is used by the encrypted messaging app Signal.
A focus on security from the beginning
Ivov started Jitsi while working on his PhD at Louis Pasteur University in France. Jitsi is an open source project, meaning that it's free for anyone to use, download, or modify. Soon enough, a community of developers started using it and building upon it.
Ivov and other teammates then started the company around the project called Blue Jimp, which Atlassian acquired in 2015. Atlassian sold Jitsi to 8x8 in 2018 when it decided to exit the videoconferencing space.
Today, Jitsi's open source code has over a million downloads and has been used for video conferencing in banking, education, and home security applications.
Ivov says that being open source is one of Jitsi's greatest strengths.
"From a security perspective, this is the only way you can truly know if you can trust something or not," Ivov said. "Unless you're open source, how else are you going to know this thing is secure?"
When software is open source, a user can peruse the code and verify themselves how secure it is, or trust that other people have already checked, he says. Misleading marketing isn't as effective with open source, since someone can more easily check the claims against the code. Also, with an open source project, there's an entire community of developers to collaborate on making the product as secure as possible.
Even before it rolls out end-to-end encryption, Jitsi has other features that make it more secure than competitors, Ivov says.
For example, a threat called Zoombombing has become popular during the coronavirus pandemic, where bad actors access meetings by correctly generating the URL and password. Jitsi is trying to mitigate the potential for these kinds of attacks in several ways: It provides a random meeting name generator that helps users pick hard-to-guess meeting names.
It also doesn't require meetings to be created in advance.
"For many platforms out there, in order to have a meeting, you have to create it first," Ivov says. "They end up being discoverable."
It can create meetings that are only active once the first person enters the meeting and deactivate when the last person leaves, giving bad actors less advance time to break in.
Finally, Ivov says that Jitsi also balances security with ease of use. Unlike Zoom or Microsoft Teams, users don't need to download anything when they want to use Jitsi.
"We specialize a lot in removing friction," Ivov said. "We want to make sure there's going to be nothing for you to download. It works in your browser."
Got a tip? Contact this reporter via email at email@example.com, Signal at 646.376.6106, Telegram at @rosaliechan, or Twitter DM at @rosaliechan17. (PR pitches by email only, please.) Other types of secure messaging available upon request.