As part of our work on continuing to improve the security of the Jabber.org IM service, the admin team has drafted the following security plan. As always, we value your feedback, so feel free to send us comments.
Our goal is to provide a high level of security for our users. We want your communications to be private and confidential. To this end, we use strong security technologies, such as industry standard Transport Layer Security (TLS), at the Jabber.org IM service. We also actively engage with operators of other XMPP services to ensure that data is encrypted across the public XMPP network. Details regarding our current plans are provided in the rest of this document.
We are now working on the following security improvements:
Mandatory encryption of client connections.
What this accomplishes: This ensures that your password, buddy list, and messages are kept confidential between your device and the jabber.org IM service. As a result, if you chat with another person with a jabber.org address then your messages will never be "in the clear" over the wire.
What this does not accomplish: This does not protect your messages if you communicate with someone at another server (e.g., jabber.at). To make that happen, we need to enable mandatory encryption of server-to-server connections (see below). Also, this does not ensure that your messages are encrypted inside the jabber.org IM service. To make that happen, you need to use IM software that supports end-to-end encryption (see What You Can Do at the bottom of this page).
When we will take this action: We plan to test this improvement on December 20-21, 2013. If there are no significant problems, we will enable it full-time in the near future (date to be determined).
Potential impact on you: If you are running IM software that does not support the XMPP STARTTLS technology first standardized in 2004, you will not be able to connect to the jabber.org IM service. When we tested this setting several years ago, some old IM software was unable to connect, but we now expect few users to experience problems. However, if you are unable to connect, please send an email message to email@example.com and tell us what IM software you are using (including the version and operating system).
Mandatory encryption of server-to-server connections.
What this accomplishes: This ensures that your messages to people with XMPP addresses at other servers (e.g., jabber.at) are kept confidential between jabber.org and the remote server.
What this does not accomplish: This does not protect your messages between the remote server (e.g., jabber.at) and your friend's IM software, nor does it ensure that your messages are encrypted inside the jabber.org IM service or inside the remote server. To make that happen, you need to use IM software that supports end-to-end encryption (see What You Can Do at the bottom of this page).
When we will take this action: Along with many other servers on the public XMPP network, we will test this improvement on January 4, 2014. Additional test dates are planned throughout the spring of 2014 (see below).
Potential impact on you: If you try to communicate with a remote server that does not support encryption, you will not see your friends online and you will not be able to exchange messages. Note that Google-hosted domains will not be part of the initial test days! However, it is our understanding that Google-hosted domains will be reachable over encrypted connections later in the testing process. If you experience communication problems during the test days listed below under the Timeline, please send an email message to firstname.lastname@example.org and tell us what IM services you are attempting to contact.
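Both changes above come down to one thing a client or peer server can observe before it ever sends a password or a message: whether the stream features advertise STARTTLS and mark it with `<required/>`. The following Python is an added example, not jabber.org's own tooling; the `starttls_policy` and `probe` helpers are our own names, the `stream:features` samples are constructed (not captured from any real server), and the parser assumes the conventional `stream` namespace prefix.

```python
import socket
import xml.etree.ElementTree as ET

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAM_NS = "http://etherx.jabber.org/streams"

# Constructed <stream:features/> samples (not captured from any real server).
REQUIRED_SAMPLE = (
    f"<stream:features xmlns:stream='{STREAM_NS}'>"
    f"<starttls xmlns='{TLS_NS}'><required/></starttls></stream:features>"
)
# Weak case: TLS is offered but optional, and SASL PLAIN is advertised before
# encryption, so a client that skips STARTTLS sends its password in the clear.
OPTIONAL_SAMPLE = (
    f"<stream:features xmlns:stream='{STREAM_NS}'><starttls xmlns='{TLS_NS}'/>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>PLAIN</mechanism></mechanisms></stream:features>"
)

def starttls_policy(features_xml: str) -> str:
    """Classify a stream:features element as 'required', 'optional' or 'absent'."""
    # Assumes the conventional 'stream' prefix; re-declare it if the snippet was
    # cut out of a larger stream and the declaration sits on <stream:stream>.
    if "xmlns:stream=" not in features_xml:
        features_xml = features_xml.replace(
            "<stream:features", f"<stream:features xmlns:stream='{STREAM_NS}'", 1)
    starttls = ET.fromstring(features_xml).find(f"{{{TLS_NS}}}starttls")
    if starttls is None:
        return "absent"
    return "required" if starttls.find(f"{{{TLS_NS}}}required") is not None else "optional"

def probe(host: str, port: int = 5222, content_ns: str = "jabber:client") -> str:
    """Open a plain TCP stream to host and report its STARTTLS policy.
    For server-to-server use port=5269 and content_ns='jabber:server'."""
    header = (f"<?xml version='1.0'?><stream:stream to='{host}' version='1.0' "
              f"xmlns='{content_ns}' xmlns:stream='{STREAM_NS}'>")
    buf = b""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(header.encode())
        # Read until the features element closes (or the peer hangs up / 64 KiB).
        while b"</stream:features>" not in buf and len(buf) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    text = buf.decode(errors="replace")
    start, end = text.find("<stream:features"), text.find("</stream:features>")
    if start < 0 or end < 0:
        return "absent"
    return starttls_policy(text[start:end + len("</stream:features>")])
```

A result of "optional" or "absent" on your own server is the misconfiguration this plan removes; running `probe` against a remote domain shows whether that peer would survive the server-to-server test days.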
The list of actions provided above is incomplete, and this document will be updated as we work on further improvements.
Timeline
December 20-21, 2013: Test of mandatory encryption for all client connections.
January 4, 2014: First test day of mandatory encryption for all server-to-server connections.
February 22, 2014: Second test day for server-to-server encryption.
March 22, 2014: Third test day for server-to-server encryption.
April 19, 2014: Fourth test day for server-to-server encryption.
May 19, 2014: Permanent upgrade to encrypted network for server-to-server encryption.
What You Can Do
Although we do what we can to improve the security of the Jabber.org IM service, we alone can't ensure the privacy and confidentiality of your communications. Here are things you can do to help:
- Run IM software from well-known providers, such as Adium, Gajim, iChat, Jitsi, Pandion, Pidgin, Psi, or Swift.
- Make sure you are running the latest version of your IM software and operating system software, including the most recent security patches.
- Verify that your IM software is configured to require encryption of connections to the jabber.org IM service.
- If possible, use software that supports (either directly or through a plugin) an end-to-end encryption technology such as Off-the-Record Messaging.