Towards a mandatory, always-on and ubiquitous encryption in XMPP networks

Now that we know that our online communications are not necessarily private and secure, there is a growing need to have end-to-end encryption built into all the tools we use to communicate with family and friends (online).

The latest effort aims to build mandatory, always-on and ubiquitous encryption in the XMPP communication protocol. XMPP, short for Extensible Messaging and Presence Protocol, is “an open technology for real-time communication, which powers a wide range of applications including instant messaging, presence, multi-party chat, voice and video calls, collaboration, lightweight middleware, content syndication, and generalized routing of XML data.”

The technology that now forms the core of XMPP was started in 1998 by Jeremy Miller. Back then, it was known as Jabber or Jabberd (Jabber server). Today, XMPP is the most popular, open source communications standard.

The latest effort to enhance the security of XMPP was started by Peter Saint-Andre, the operator of Jabber.org. It started by bringing together some of big names connected with XMPP to sign a manifesto that spells out a vision and roadmap for making XMPP a more secure communication protocol.

The preamble to the manifesto reads:

We, as operators of public services and developers of software programs that use the XMPP standard for instant messaging and real-time communication, commit to establishing ubiquitous encryption over our network on May 19, 2014.

Jabber/XMPP technologies were first released on January 4, 1999, by Jeremie Miller. Since then, channel encryption using Secure Sockets Layer (SSL) and Transport Layer Security (TLS) has been optional on the Jabber/XMPP network. Out of respect for the users of our software and services, we believe it is time to make such encryption mandatory.

Therefore we commit to the following policies, consistent with the IETF Internet-Draft “Use of Transport Layer Security in XMPP” https://datatracker.ietf.org/doc/draft-saintandre-xmpp-tls,

For service deployments, the objectives are to:

  • Require the use of TLS for both client-to-server and server-to-server connections
  • Prefer or require TLS cipher suites that enable forward secrecy
  • Deploy certificates issued by well-known and widely-deployed certification authorities (CAs)

So the target date to upgrade XMPP network to use always-on, mandatory and ubiquitous encryption is May 19, 2014. That date will also feature an Open Discussion Day at http://opendiscussionday.org.

The complete text of the manifesto, including all the objectives, is hosted on GitHub. You may read the complete text here. If you wish to support this effort, be sure to add you name to the end of the file.

Related Posts

MPAA wants to control your TV The MPAA is pressuring the FCC for the authority to cripple recording devices using so-called "Selectable Output Control" (SOC). Basically, SOC wou...
ZShaolin keeps getting better. Now has vim, nmap, git, rsync, and ssh Remember ZShaolin? Yep, it's that Android ninja tool that gives you zsh and a whole bunch of command-line applications on your Android device, minus t...
The latest on GNOME Software from Fedora Rawhide GNOME Software is the built-in software management application on GNOME 3. It is a beautiful application. In the future, it might be all you need t...
Short, on-Chip Light Pulses Will Enable Ultrafast Data Transfer Within Computers Electrical engineers generated short, powerful light pulses on a chip -- an important step toward the optical interconnects that will likely replace t...
Using Ansible with Docker to Deploy a WordPress Service on Rancher Ansible is a configuration management and orchestration application that was recently acquired by Red Hat. Rancher is a platform for working with Dock...
Public sector should use open standards The Commissioner-designate Neelie Kroes wants the public sector to increase its use of open standards, she said in her appearance before a European Pa...

We Recommend These Vendors and Free Offers

ContainerizeThis 2016 is a free, 2-day conference for all things containers and big data. Featured, will be presentations and free, hands-on workshops. Learn more at ContainerizeThis.com

Launch an SSD VPS in Europe, USA, Asia & Australia on Vultr's KVM-based Cloud platform starting at $5:00/month (15 GB SSD, 768 MB of RAM).

Deploy an SSD Cloud server in 55 seconds on DigitalOcean. Built for developers and starting at $5:00/month (20 GB SSD, 512 MB of RAM).

Want to become an expert ethical hacker and penetration tester? Request your free video training course of Online Penetration Testing and Ethical Hacking

Whether you're new to Linux or are a Linux guru, you can learn a lot more about the Linux kernel by requesting your free ebook of Linux Kernel In A Nutshell.


Leave a Comment

Your email address will not be published. Required fields are marked *

*