XMPP Mandating Encryption on Messaging Service Operators


Beginning today, the operators of instant messaging services that rely on the extensible messaging and presence protocol (XMPP) are expected to deploy encryption into the platforms they maintain.

The XMPP Standards Foundation (XSF) announced today that a large number of services on the public XMPP network have permanently turned on mandatory encryption for client-to-server and server-to-server connections. The XSF is calling this its first step in making the XMPP network more secure for all of its users. The foundation also plans to roll out further security improvements as part of this effort, including ubiquitous authentication, secure DNS, and end-to-end encryption.

XMPP is an open instant messaging protocol first put to use by the Jabber instant messaging service. Now the protocol is widely deployed – at least in part – across a number of popular instant messaging services.

Technically, this mandate is impossible to enforce, because many XMPP-based services are independently operated. However, according to a blog post published by the Prosody project, which develops an XMPP server and has signed on to the mandate, many XMPP services will begin refusing unencrypted connections as of today.

“While XMPP is an open distributed network, obviously no single entity can ‘mandate’ encryption for the whole network – but as a group we are moving in the right direction,” the Prosody post reads.

If users of XMPP-based services encounter problems with those services, it is likely an indication that that particular service has not properly implemented encryption. Users are urged to contact the operators of those services to inform them of the mandate.

“We still have some way to go, for example today’s change only ensures encryption (enough to beat passive capturing of traffic), it does not require you to have a valid certificate issued by a certificate authority (though some services do already choose to require this).”

Broadly speaking, because each XMPP service could be different, this process requires three steps. Operators will need to acquire a server certificate, disable plain-text connections, and then test their XMPP security. You can find more thorough instructions here. And you can test the security of your connection as well as see the results of other recent tests here.
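The third step, testing whether a server now refuses plaintext, can be checked directly against the STARTTLS feature a server advertises in its initial stream features (RFC 6120). The script below is an added example, not code from the article, the XSF or Prosody; it assumes a standard client-to-server port (5222) and constructs its own sample feature elements for offline use.

```python
import socket
import xml.etree.ElementTree as ET

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAM_NS = "http://etherx.jabber.org/streams"

def starttls_posture(features_xml: str) -> str:
    """Classify <starttls/> in a server's <stream:features/>: 'required'
    (plaintext refused, as the mandate asks), 'optional' or 'absent'."""
    # Wrap the fragment so the stream: prefix resolves even when the server
    # declared it on <stream:stream> rather than on the features element.
    root = ET.fromstring(f'<r xmlns:stream="{STREAM_NS}">{features_xml}</r>')
    starttls = root.find(f".//{{{TLS_NS}}}starttls")
    if starttls is None:
        return "absent"
    if starttls.find(f"{{{TLS_NS}}}required") is not None:
        return "required"
    return "optional"

def probe(host: str, port: int = 5222, timeout: float = 5.0) -> str:
    """Open a plaintext c2s stream to host:port, read the initial features
    and classify them. Sends only the stream header, never credentials."""
    header = ('<?xml version="1.0"?>'
              f'<stream:stream to="{host}" xmlns="jabber:client" '
              f'xmlns:stream="{STREAM_NS}" version="1.0">')
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(header.encode())
        # Read until the features element is complete or the stream ends.
        while not any(m in data for m in (b"</stream:features>",
                                          b"<stream:features/>", b"</stream:stream>")):
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    text = data.decode(errors="replace")
    start = text.find("<stream:features")
    end = text.find("</stream:features>")
    if start < 0 or end < 0:
        return "absent"  # stream error, closed connection or empty features
    return starttls_posture(text[start:end + len("</stream:features>")])

# Constructed sample features modelled on RFC 6120, not from a real server.
FEATURES_REQUIRED = (f'<stream:features><starttls xmlns="{TLS_NS}">'
                     '<required/></starttls></stream:features>')
FEATURES_OPTIONAL = (f'<stream:features><starttls xmlns="{TLS_NS}"/>'
                     '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
                     '<mechanism>PLAIN</mechanism></mechanisms></stream:features>')
```

Run `probe("your.server.example")` against a server you operate; anything other than `required` means plaintext sessions are still accepted, which is exactly the state the mandate asks operators to leave behind.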

The move falls in line with a bigger movement toward deploying encryption across all online services, largely in response to revelations regarding the scope of the National Security Agency’s surveillance apparatus.

The Electronic Frontier Foundation has been in the vanguard of this movement, advocating in court and on Capitol Hill for better security law and user privacy rights. The digital rights group also publishes a biannual ‘Who’s Got Your Back?’ report, which examines various internet service providers, mobile operators, and tech companies, grading those organizations on the extent to which they protect user data with strong encryption and stand up for users in court in the face of law enforcement data requests.

Another initiative of note is Reset the Net, in which a coalition of privacy groups is seeking to further the implementation of SSL, HTTP Strict Transport Security (HSTS), Perfect Forward Secrecy (PFS) and end-to-end encryption among other layers of security.