Description:
There still exists a privacy issue in the current Jitsi integration. Any one user can calculate all Jitsi URLs for any user/room combo (including video meetings launched from DMs).
I think a feature for launching a new Jitsi meeting would be needed to address this best. It would require two different Jitsi meeting types when launched from RC:
permanent meeting - a Jitsi URL which is determined much like the current implementation. The URL is deterministic, based on the ID of the install and the users/channel name. This is useful for long-term, consistent meetings on a topic, channel or group.
ephemeral meeting - similar to a permanent URL, but with a nonce (HMAC of the same ID values with the nonce as key?) to make it unique. A new nonce is created every time an ephemeral Jitsi meeting is requested. This is best for private meetings which should only last as long as the Jitsi session itself and be random enough to give basic privacy properties.
Expected behavior:
Jitsi meetings launched from RC should provide some privacy, at least equivalent to the protections provided within RC.
Actual behavior:
Any one user of RC can calculate the jitsi meeting URL of rooms and DMs (between any two users) as the Jitsi URLs are based on public account/room ID values.
Server Setup Information:
Version of Rocket.Chat Server: 0.74.3
Operating System: Ubuntu 16.04
Deployment Method: docker
Number of Running Instances: 1
DB Replicaset Oplog: none
NodeJS Version: v8.11.4
MongoDB Version: 3.4