Initiative to harden the security and privacy of Openfire Meetings
astrometrics opened this issue · 2 comments
Again I'm a newbie here.
This issue is a proposal of an initiative to improve and/or make exactly known:
- P2P over centralized connection methods,
- General Security and Privacy.
Some initial suggestions would be:
- Eliminate external (execution time) dependencies such as calling external libraries, pictures, modules, services, etc. All calls should be restricted to the Openfire server.
- Elucidate the exact role of each port group, and how to harden the firewall for the Openfire Server.
- Explore the necessity and usage of the internal Openfire STUN server, and others such as Coturn (if it is needed at all), in a way to make P2P happen as a default when possible.
- Maybe that was done already, but a clear pie recipe for Let's Encrypt and self-signed certificates.
- Maximize usage of database as a central repository for data, explore database encryption and hardening (which may be important in the case of a VPS).
- A table of when certain XEPs are being used, like Jingle File Transfer (XEP-0234), HTTP File Upload (XEP-0363), etc., to maximize or make clear the usage of P2P.
- etc.
Maybe the IgniteRealTime team, etc. could be the owner of this one, maybe in some other context, as it has some importance. I'll gladly participate.
Thank you for the suggestions :-)
What has been suggested here was the basis of creating Openfire Meetings in the first place instead of using stand-alone jitsi-meet in a docker container. Most of the requirements stated are implemented or inherited as a consequence of using Openfire as the container.
It would be nice if someone could document the required detailed information as a series of wiki pages here or somewhere else at ignite-realtime.