Many users of XMPP (Extensible Messaging and Presence Protocol—formerly Jabber) chat services are going to be more secure starting this week. The XMPP Standards Foundation announced that a large number of services using the public XMPP chat network began making encrypted connections mandatory on Monday.
The new encryption effort is largely focused on communication between XMPP servers. Many chat clients already use encrypted connections to communicate, so this move is largely about making the back end of XMPP services more secure, Ralph Meijer, an XMPP Standards Foundation board member, told PCWorld.
The move to make encryption a requirement across many XMPP servers is all the more important after the ongoing Snowden revelations showed the NSA was passively monitoring data flows within the internal networks of major corporations such as Google and Yahoo.
Server-to-server TLS encryption will make this kind of monitoring of XMPP-based chats far more difficult.
The effort to encrypt connections for XMPP services has been months in the making after Peter Saint-Andre, who runs jabber.org, published a manifesto in October calling for wide adoption of encrypted connections for XMPP services.
Entitled “A Public Statement Regarding Ubiquitous Encryption on the XMPP Network,” the document calls for XMPP operators and developers to start requiring Transport Layer Security (TLS) connections as of Monday, May 19, 2014.
In XMPP circles, May 19 is dubbed Open Discussion Day, which is meant to promote open communications systems and protocols such as XMPP.
TLS is a commonly used protocol for securing web communications. Recently, the Heartbleed bug in the implementation of SSL/TLS by the OpenSSL Foundation made millions of websites vulnerable to attack. TLS itself, however, is still seen as secure.
It’s not clear exactly how many services are using TLS connections since XMPP is an open standard that requires voluntary compliance with the encryption effort. Nevertheless, more than 70 XMPP service operators and software developers have signed on to support the call to require TLS.
Notable supporters include the lead developer of Adium, a popular chat client for OS X; Jeremie Miller, the creator of Jabber; and the creator of ChatSecure for Android (formerly Gibberbot).
While TLS support is good news for XMPP users, chances are most of us aren’t using the protocol any longer. Google, which once fully supported XMPP in its Chat client, is moving away from the protocol in favor of its own Hangouts, which is not an open standard. Facebook, which currently supports XMPP in Facebook Chat, said it plans to shut down XMPP integration on April 30, 2015. Skype and Lync, which are becoming the default chat clients across Microsoft’s online services for consumers and enterprises, offer limited XMPP support.
Nevertheless, for the privacy conscious there’s never been a better time to consider going back to using XMPP-based chat. After pushing TLS connections, the XMPP Standards Foundation hopes to expand other security-conscious features across XMPP services including ubiquitous authentication, secure DNS, and end-to-end encryption.
The only problem will be dragging all your friends over to an XMPP service with you.
This story was updated to clarify that the new XMPP encryption effort is largely focused on server-to-server connections.