Ironically, this led me to self-hosting Jitsi with the Jitsi Helm chart and putting it behind oauth2-proxy so my friends and I can use it. Deploying Jitsi with the Helm chart is remarkably simple and does not consume that much memory.
If anyone is interested in self-hosting: 2 GB is my RAM usage on idle when running videobridge, web-ui, prosody, and oauth2-proxy atop k3s in its default configuration. You do have to open a stupidly large range of ports to UDP traffic for videobridge, though. With that said, it's been a reliable solution and does not need me or my friends to create a $BIGTECH account.
If you're hosting things for internal consumption it's a generally good rule to put the memory burden on the server if you can.
This gets worse if you only have a few calls per month. The cost and management overhead doesn't scale at all.
The "actual" amount of memory that goes into running jvb and jicofo seems to be roughly 600 MB, which is still a lot to some, I guess. But I was able to run a meeting with three people and share my screen with peak memory usage at 2.2 GB -- again, for the whole system.
k3s-server makes up nearly half of the 2 GB idle figure, sitting at about 700 MB of usage (according to the top(1) command I ran for this post).
If 2 GB idle memory usage is too much, then I would say ditch k3s entirely and handle everything with docker-compose, using Nginx as your reverse proxy. That should at least bring the figure down to about 800 MB (jvb, jicofo, prosody, containerd, oauth2-proxy, nginx).
So, who is the OAuth provider?
If you have no cookies or expired ones, oauth2-proxy will take you to a page with a simple "Log in with OpenID Connect" button, which then takes you to the login page of the Forgejo instance. If you're not logged in, then you provide your credentials. Otherwise, you get redirected back to Jitsi with cookies that are good for a week.
That’s only slightly more clear, since it just says what’s not happening. Does anyone know what is happening? Does it involve potential violations of law, or is it just the TOS?
Sexually explicit "meetings" wouldn't even be a particularly surprising use case, and 18 USC 2257 has a bunch of carve-outs for service providers.
My suspicion is that there was CSAM or similarly abhorrent content being broadcast in meetings. Unfortunately, this is a class of users which would be drawn to a service which promised anonymity and E2E encryption.
All things you don't want your company to be associated with so you don't name it.
If it would just have been things which are illegal but not that problematic like copyright violations or a bit of (legal, non forced) porn they might have spelled it out.
I'm down to experiment with self hosting, I just feel that most users out there won't be and it'll ding their user count. It might be for the best if it squashes the malpractice they are seeing.
Because... it's not Google? For some people that may be a plus.
I'm not judging, but on my side it's hard to justify using meet.jit.si anymore.
https://jitsi.github.io/handbook/docs/community/community-in...
I hosted my own instance once via DigitalOcean; they have a preconfigured VPS droplet that works pretty much instantaneously.
Also, why exactly did we introduce IPv6 again? Everything today is NAT-within-NAT-within-NAT (much of it using IPv4), and almost nobody has a publicly routable IP address. Was the whole transition just a massive waste of effort?
Suffice it to say there are other things you can do besides just a central relaying server, but it's the most common architecture.
My ISP supports IPv6 and I have it configured - however their software on the router/AP is bad and does not allow setting up a firewall for IPv6. This is inherent with IPv4 NAT (with UPnP disabled). So it forced me to use my own router - still the interface for IPv6 firewall is non-existent, but at least I can write firewall rules manually.
Why do I need a firewall on the router? Because devices on my network have services open on all interfaces - for example, a "smart" weather station has a web service open for all to see. This is absolutely a non-issue when only using IPv4 behind NAT.
Another issue is revealing of internal network topology to outside world - this is something that NAT hides really well.
Though a lot of their code isn't being a middleman but making the video streaming on all clients work, which is easy for some MVP hobby project but hard to make it actually work reliably across the many different devices and software versions used in the wild.
Then there are features like noise filters, background video filters etc.
The days of everybody having exactly one computer with a rarely-changing IP address are over. These days, most people have a phone which changes its IP address a few times a day (when you leave your house and switch from WiFi to cellular and then go back.) If you wanted to be directly reachable, you'd need to share these changes publicly, which would make it pretty trivial to figure out when you leave home, who you visit, which cafes with free WiFi you frequent and which countries you go to for your business trips. The stalking potential here is enormous.
Therefore (just like multicast) you only send your stream once, and every client receives n streams.
I sure wish my (small, rural) ISP finally did. They're still "evaluating" it.
The problem is that there's no money to be made here, so no software is built to take advantage of end-to-end connectivity. Even if you could get IPv6 right now (and you can with tunneling/VPN), what are you going to do with it? Big tech is quite happy with the loss of end-to-end connectivity since it enforces the need for a middleman, and they have no reason to make it easier for you to regain your independence.
The ISP is still "evaluating" IPv6 because there's just no real end-user demand because besides ideology or specific requirements of a technical minority there just isn't any reason for the average user to need it. If tomorrow every OS came with a built-in SIP client that actually worked and there was an actual successful deployment of consumer-grade SIP, demand for IPv6 would skyrocket and the ISP would get their act together or start losing customers over it. But there will never be a built-in SIP client because Big Tech would rather have you use FaceTime or MS Teams or Skype than some open protocol that doesn't require a middleman and isn't vulnerable to advertising or tracking.
https://github.com/miroslavpejic85/mirotalk
It's even faster for 1 on 1 conversations, but as others said, if there are too many participants it will be slower.
The demise of end-to-end connectivity brought on by NAT was a boon to capitalists who can now be middlemen and charge rent for it (either in the form of money or "engagement" aka advertising/spam, tracking, etc). They aren't particularly interested in going back to the old standard even if we now have the technology to do so.
Software that can take advantage of end-to-end connectivity is nowadays very rare, so even if tomorrow we magically had full IPv6 deployment worldwide, not much software would take advantage of it and I'm not sure there would be any commercial pressure to develop it.
Even if your Mac and iPhone had IPv6 and were end-to-end connectable, Apple would rather have you use FaceTime with an Apple account rather than just type in the IP address/DNS of the other side and call them directly. Same with all the other tech companies.
If one becomes an associate member of the FSF, one of the perks is access to a Jitsi server that they run.
It's two clicks and you're in, easy peasy. I'm very grateful. I give classes over webcam and it does not let me down.
We’ll keep moving forward making (hopefully) the best open source meetings tool out there.
To answer a few recurring questions:
- Only the first user needs to be authenticated
- This change does not affect the self-hosted deployments, you can choose what auth (or none at all) to use
Is it the first user to join the meeting (so it could be the host or a guest)? Or is it the person who created the room (and may likely be the first person to join the room)? I’m glad to get this answer here, but it’d be useful to document this on your help or support pages and share the link as well.
Since the room won’t start without users, the first one will need to log-in or wait for someone else to do so.
The beauty of Jitsi Meet was that any URL was a valid room. That was such great UX.
Of course, other Jitsi Meet instances still exist. But this will probably still influence the project's direction.
Not great, but it does at least give some accountability.
There's still plenty of other instances out there, and it would give a far less ambiguous message if they just pointed people to community-maintained instances.
Moving to a "we only serve Google/MS users" while claiming a focus on privacy definitely doesn't send out the right message.
Imo the problem here is a failure of law enforcement on the internet. IP addresses + timestamps can be tracked to a subscriber, but apparently it's so ineffective that, rather than allowing pseudonymity (only knowing your IP address) for all countries that fight digital crime (I imagine child abuse is similarly fought in most places), we instead opt to let the likes of Google and Facebook use tracking and magic algorithms to determine who's allowed to have an account, nay, identity on the internet.
Perhaps we need something that is pseudonymous but tied to an individual rather than a subscriber line, to be depseudonymised only by court order, similar to IP address now except you can actually find who did something (or was complicit at minimum, similar to money mules). We can also make it be different for every recipient, similar to how you can create any number of blockchain addresses without revealing the tie between them. It sounds super dystopian to have an internet passport (private key) explicitly tied to a government identity, but at this point it may improve anonymity rather than detract from it. We could get rid of CAPTCHAs (which are mostly ineffective at this point anyway), Cloudflare MITMing, IP address banning, phone number verification, "log in with Facebook", spam filters (because we'd just block spammers), etc. in favor of being able to prosecute and/or block bad actors.
> That said, it is completely understandable that some users may feel uncomfortable using an account to access the service. For such cases we strongly recommend hosting your own deployment of Jitsi Meet. We spend a lot of effort to keep that a very simple process and this has always been the mode of use that gives people the highest degree of privacy.
Of course, self-hosting is still a bunch of work. Which doesn't mean anger is justified, but disappointment (which seems to be the dominant emotion at the time of writing) is understandable.
I don't get these "why can't you just..." comments. It's like you complain about food in the restaurant, and someone saying: "well, you can cook your own lunch at home differently".
I'd rather they simply shut down their instance and replace it with a list of community-maintained ones.
BTW: it's not anger (at least in my case). Mostly just disappointment.
Wikipedia literally uses the word "decentralized" to describe the Fediverse, which would seem to violate your personal definition:
https://en.wikipedia.org/wiki/Fediverse
> While a traditional social networking site will host all its content on servers owned by the parent company, the decentralized social media sites that make up the fediverse allow any individual or organization to host their own servers (referred to as an "instance").
Routers are computers. You'll be waiting a long time.
Though I hope they have a way for registered people to invite someone to join a meeting without a login (though with a bunch of limitations, like them being responsible for the person joining).
For example so that in case of a remote job interview the company can give them to the interviewee.
I just played around with it now; it looks like login is only required to create the room -- that is, only one person at all needs to log in. Everyone else gets a "waiting for the moderator" screen before someone logs in, and just goes straight in w/o login afterwards. Presumably that person will have the ability to kick people out, and can be held responsible for not doing so.
If I understand correctly the creator of the meeting needs to have an account but other people can still join without it?
What makes it worse, I've been almost successful in weaning friends and colleagues off Zoom and that's no easy task. Now it's all for nought.
Damn nuisance really.
Using email login doesn't achieve that (and is more work).
Using providers like Facebook, Google, GitHub is good enough, though e.g. in case of GitHub definitely not perfect. But good enough is good enough.
I just wish there would be more anonymity-protecting *independent* auth providers you could widely use (which still could allow you to properly ban someone).
KYC has gotten wildly out of control.
So Jitsi loses the case for privacy and goes and requires Big tech logins such as Google, GitHub (Microsoft), Facebook (Meta).
Oh dear.
Having been on both sides, we need more decentralization and a way to disconnect from those decentralized points. Not much else can be done besides a never-ending game of cat and mouse.
The auth requirement is probably just a way to limit load and force people to at least attach their usage rates with an identity of some kind, so if one person or org is using thousands of hours of server load they can start charging for the service.
Jitsi having to do things like this might be inevitable. But I still have a look of disapproval for whomever was abusing the service.
The meeting continues even if the person with the account leaves; as long as someone stays in the room, it persists and people can (re)join.
I don't like this change but their free (beer) service is still more respectful than GOOG Meet or MSFT Teams.
One instance that our national educational network organization hosts is at https://vid.arnes.si./
I don't want to set up an entire LDAP server when I already have Authelia running.
Think conversations like discussion of abortion, and other things where the service in certain locations needed to be private to the point subpoenas wouldn't be a threat. This is also why they've been waiting for insertable streams to be fully implemented in Firefox - those tickets were pushed most heavily because of Jitsi's videocalling.
This was driven by when they implemented an end-to-end encryption option, and being open source, something people could feel safer about than trusting Meet's (the former Duo's) one-on-one calls.
The best part is this was something you could bring up on any computer. With Signal, you need to own the device - Jitsi was more free than Signal in some ways - and of course it helps not being tied to an identifier (Signal has not yet implemented removing phone numbers as an identifier).
Does this mean there's no free, end-to-end encrypted anonymous alternative that would be useful for those who are not technically inclined but worry about subpoenas, and need end-to-end encryption? That's as accessible (Jitsi was from a simple web interface no matter your device, alternatives like Jami and Meet aren't - and the account thing hurts)
Because trusting a GitHub, Google, or Facebook login to not be vulnerable to subpoenas is a nonstarter. (I am aware of the efforts of Google, Facebook, etc. to mass E2EE communications from test messages to all messenger messages - I don't think this is immune to legal/coercive efforts such as you might see in the UK/Australia, and also think the anonymity layer is going to be crucial for some people.) ...I'm aware ease of use plays a role in abuse, but I'll point out bad actors (who are technically capable at least a little apparently) have the resources to still abuse Jitsi (if someone had an axe to grind against Jitsi) regardless of these additions [example: Google accounts can still be mass created anonymously via Android phones/burner phones/etc.]
I dislike this, having been banging my head against the wall given my efforts over the past few years to teach end-to-end encrypted options and their usage to those who need them most, for the mentioned reasons.
For now I will resort to bugging people to switch to other instances at https://jitsi.github.io/handbook/docs/community/community-in... - but we badly need more options just as accessible - what other E2EE anonymous web-browser accessible tool is as available to the masses, that they can be convinced to use?
Just stand up your own instance and make it available to the anonymous public?
Jitsi itself isn't going away, just their anonymously-accessible instance.
By all accounts it's very easy to operate and requires very little in terms of resources. Hell, DO even has a droplet available.
So what's the problem?
We're not all sysadmins that can set up such a thing.
"Element Call is temporarily not end-to-end encrypted while we test scalability."
Convincing is a different matter, though.
Don't blame Jitsi. Blame the people abusing their previously wide open service. They're why we can't have nice things.
As for expecting them to run their own auth service instead of relying on a third party, that is a hell of a lot more complex than it looks. I can't blame them for not wanting to take that on.
If you really disagree that much, go ahead and fire up your own Jitsi service and open it up for anonymous use by the public. Let's see how long you can run it before you encounter the exact same problems.
Meanwhile, the vast majority of users around here will have a GitHub or Google account, and probably Facebook as well. This is hardly much of an inconvenience.
And if the complaint is that now Jitsi can tie back activity to a durable identity: yeah, that's the entire point. They're fighting abuse. At some level, to prevent that abuse, they need some form of trustworthy authentication. That, by definition, means to some extent piercing the veil of anonymity.
It's also why running their own auth doesn't fundamentally solve the problem, as anonymous users creating their own accounts on their platform is a minor speed bump to folks who would use the service for nefarious activity. For that auth to be worth anything, they'd have to engage in their own forms of user verification, and that'd be no more privacy protective, and frankly probably less so since you'd have to trust their security posture.
The fact is they simply cannot run the service in a way that's both perfectly anonymous to Jitsi themselves and simultaneously resistant to abuse (thereby protecting them from potential liability).
Look, I get it, I'm not a fan of the big tech providers, either. But the claim that this somehow crosses the privacy rubicon is a massive overreaction. And the software itself remains as Free and Open Source as it ever was.
At the height of the pandemic I started using Jitsi for all my conferencing needs and was very happy to find that 8x8 had a paid-for option so that I could support Jitsi development through an 8x8 Meet Pro subscription. However, in December 2022 8x8 decided to axe the service and replace it with their "X Series plans" that are an order of magnitude more expensive (cannot even find quotes easily right now [1]) and clearly geared towards large-scale enterprise. "By moving to 8x8 X Series, you will have access to features like business SMS/MMS, unlimited calling to select countries, fax, voicemail transcription, integrations with business applications, call queuing, analytics, and more." Sounds great, right? But not really to someone wanting to have a fixed URL and make twelve or so video calls per week on a budget.
[1]: https://www.8x8.com/products/plans-and-pricing
This effectively forced me to go and "freeload" on Jitsi again, despite being willing to pay. However, I refuse to go crawling to Facebook, Google, or Microsoft for an account as I worked long and hard to divorce them already. It is doubly frustrating when you know that 8x8 has an account infrastructure (I have used it) and they are deciding not to offer it to us.
So, yes, we are not entitled to their free labour. But it is not like their track record is perfect here. This could all have been done much smoother.
To end on a more positive note, I posted this story a few days ago [2] and here are some alternatives that were brought up:
[2]: https://news.ycombinator.com/item?id=37258646
Do seriously consider supporting organisations that provide these services so that we can continue to have nice things. I would also love for there to be a Jitsi alternative out there with a "leaner" technology stack and higher focus on security that (paranoid?) people such as myself would feel more comfortable hosting on our own.
Pretty much every website that requires login allows local registration. This is the first website I heard about that requires third-party registration. That seems absurd to me.
Wait. They want me to sign up to Google, Microsoft or Facebook (worst possible choice ever) and I shouldn't complain. Seriously?
Then, what kind of complaint/criticism is OK?
First step auth, second step payments/subscriptions/premium/whatever, third step sold to a big corp where it will be destroyed.
But anyway, for anyone wanting an alternative peercalls has been really reliable for us.