[PLUG] Spotting a fake web service

Ben Koenig techkoenig at gmail.com
Fri Mar 27 13:18:10 UTC 2020


On Fri, Mar 27, 2020 at 12:48 PM Rich Shepard <rshepard at appl-ecosys.com>
wrote:

> On Fri, 27 Mar 2020, Ben Koenig wrote:
>
> > Out of curiosity, I casually looked this up via an online search and was
> > given 2 hits.
> >
> > FreeConferenceCall.com
> > FreeConference.com
>
> Ben,
>
> Interesting since Michael mentioned only the first and that's what I'm
> considering.
>
> Why not take a look at <https://meet.jit.si/> and see if it meets with
> your
> criteria?
>
>
This is gonna be one of those HTML copy/paste things, so apologies to
everyone using plaintext email clients...

Jitsi is proudly powered by an awesome open source community
<https://github.com/jitsi> — and 8×8 <https://www.8x8.com/>.


Ok.... so putting your code on github doesn't automatically make you more
legit. And 8x8, who the hell is 8x8? Another Ultrageneric telecom company
I've never heard of. Their website blasts me with chat boxes right out of
the gate. I have 2 new messages! How cute.

So let's go look at the code. First, I have to dig for the damn client. They
don't properly categorize what is a client, and what is the server. It's
just one big dump of millennial chest thumping without any real
documentation. Obvious attempts to obscure the code and discourage
accountability by those of us that don't have a CS degree.... but I found it!

Jitsi-electron is the desktop app. ELECTRON. So they basically just bake
the website into chrome with a disgusting amount of javascript and a build
system that probably won't work if you don't have access to the internet. I
don't trust anything built on electron as far as I can get in the build
process. Which isn't very far, since electron apps require node.js to
build, you don't actually have a whole lot of control over the build
process. The entire system is a CVE waiting to happen. And when it does
happen, what kind of guarantee do we have that it's going to be patched?

Jitsi's application ships an entire browser stack for HTML, CSS, and JS
rendering via chromium with additional whatever.JS hooks for direct access
to your filesystem and hardware. Basically a browser that does things a
browser should NEVER do.

Fails the test, but in this particular area my opinions can be
pretty harsh. The middle ground is probably hiding here somewhere.
-Ben
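The Electron concern raised above (web content with Node hooks into the filesystem) comes down to a handful of BrowserWindow `webPreferences`. As an added example, not code from this post or from the Jitsi project, here is a small audit of a permissive versus a hardened configuration; the sample configurations and the preload path are constructed, and nothing here describes how Jitsi's app is actually configured.

```javascript
// Added example (not from the post or the Jitsi project): audit the Electron
// BrowserWindow `webPreferences` that decide whether page JavaScript can reach
// Node.js, and through it the filesystem. Runs without Electron installed.

// Constructed sample: the permissive configuration many older Electron apps used.
const WEAK_PREFS = {
  nodeIntegration: true,     // page JS can call require('fs'), child_process, ...
  contextIsolation: false,   // page and preload script share one JS world
  sandbox: false,            // renderer runs outside the Chromium sandbox
  webSecurity: false,        // same-origin policy off in the renderer
};

// Constructed sample: the hardened configuration.
const HARDENED_PREFS = {
  nodeIntegration: false,
  contextIsolation: true,    // preload's objects are not reachable from the page
  sandbox: true,
  webSecurity: true,
  preload: '/app/preload.js', // hypothetical path; expose a minimal API via contextBridge
};

// [setting, value that is unsafe, why it matters]
const CHECKS = [
  ['nodeIntegration', true, 'renderer has direct Node access (fs, net, child_process)'],
  ['contextIsolation', false, 'web content can reach or patch preload/Node objects'],
  ['sandbox', false, 'renderer process is not confined by the Chromium sandbox'],
  ['webSecurity', false, 'same-origin policy disabled for loaded content'],
];

// Returns one finding per problem. A setting left unset is reported as 'info'
// because its effective value then depends on the Electron version's default.
function auditWebPreferences(prefs) {
  const findings = [];
  for (const [key, unsafeValue, impact] of CHECKS) {
    if (!(key in prefs)) {
      findings.push({ key, severity: 'info', impact: 'not pinned; depends on Electron default' });
    } else if (prefs[key] === unsafeValue) {
      findings.push({ key, severity: 'high', impact });
    }
  }
  return findings;
}

// True only when every checked setting is explicitly set to its safe value.
function isRendererIsolated(prefs) {
  return auditWebPreferences(prefs).length === 0;
}

console.log(auditWebPreferences(WEAK_PREFS));
console.log('hardened isolated:', isRendererIsolated(HARDENED_PREFS));
```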
