
SoylentNews is people

posted by martyb on Tuesday May 20 2014, @03:28PM
from the wait-for-Government-makes-it-illegal-headline dept.

IM services start to block unencrypted chats. XMPP upgrade is rolling out now.

A host of instant messaging services will begin refusing unencrypted connections from today under a pledge to harden the extensible messaging and presence protocol (XMPP). Developers pledged in 2012 to begin testing client-to-server and server-to-server encryption for XMPP as of January in a move heralded as an initial step to secure the communications protocol against criminals and government spies. The XMPP Standard Foundation initiative covered 70 providers but could not be enforced. Peter Saint-Andre, the technologist behind the initiative, welcomed the go-live date. "Today, a large number of services on the public XMPP network permanently turned on mandatory encryption for client-to-server and server-to-server connections," Saint-Andre said. "This is the first step toward making the XMPP network more secure for all users."

http://www.theregister.co.uk/2014/05/20/im_upgrade_locks_out_lazy_eavesdroppers/

https://raw.githubusercontent.com/stpeter/manifesto/master/manifesto.txt

Users can check the security of XMPP services here: https://xmpp.net/
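To make "mandatory encryption" concrete, here is an added example (not part of the original story or the XMPP project's code) that classifies the `<stream:features/>` element a server sends before TLS is negotiated, using the RFC 6120 STARTTLS and SASL namespaces. The three sample stanzas are constructed for illustration, and `audit_features` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed samples of what a server might advertise on a fresh connection.
OPEN = f"<stream:features xmlns:stream='{NS_STREAM}'>"
MANDATORY = OPEN + f"<starttls xmlns='{NS_TLS}'><required/></starttls></stream:features>"
OPTIONAL = OPEN + (f"<starttls xmlns='{NS_TLS}'/>"
                   f"<mechanisms xmlns='{NS_SASL}'><mechanism>SCRAM-SHA-1</mechanism>"
                   "<mechanism>PLAIN</mechanism></mechanisms></stream:features>")
NO_TLS = OPEN + (f"<mechanisms xmlns='{NS_SASL}'>"
                 "<mechanism>PLAIN</mechanism></mechanisms></stream:features>")

def audit_features(features_xml):
    """Report the STARTTLS policy and any logins offered before encryption."""
    root = ET.fromstring(features_xml)
    if root.tag != f"{{{NS_STREAM}}}features":
        raise ValueError("expected a stream:features element")
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    if starttls is None:
        policy = "absent"        # the server never offers encryption
    elif starttls.find(f"{{{NS_TLS}}}required") is not None:
        policy = "required"      # unencrypted sessions are refused
    else:
        policy = "optional"      # a client may skip TLS and continue in clear
    # SASL mechanisms advertised before TLS can be used on an unencrypted
    # stream; PLAIN would send the password readable to a passive observer.
    mechs = [m.text.strip() for m in root.iter(f"{{{NS_SASL}}}mechanism") if m.text]
    return {
        "tls": policy,
        "pre_tls_mechanisms": mechs,
        "cleartext_login_possible": policy != "required" and "PLAIN" in mechs,
    }

if __name__ == "__main__":
    for name, sample in [("mandatory", MANDATORY), ("optional", OPTIONAL), ("none", NO_TLS)]:
        print(name, audit_features(sample))
```

Only the first sample matches the behaviour the announcement describes; the other two show what a passive eavesdropper could still exploit on a server that has not switched.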

  • (Score: 2, Insightful) by hatta on Tuesday May 20 2014, @03:34PM

    by hatta (879) on Tuesday May 20 2014, @03:34PM (#45632)

    End to end encryption is the only thing that matters. Anything else just provides a false sense of security.

    • (Score: 1, Insightful) by Anonymous Coward on Tuesday May 20 2014, @03:40PM

      by Anonymous Coward on Tuesday May 20 2014, @03:40PM (#45633)

      Yes, but they are using this as only a first-step and do not claim it obviates the need for end-to-end encryption. But don't let facts get in the way of your "frist psot!!".

    • (Score: 5, Insightful) by VLM on Tuesday May 20 2014, @03:44PM

      by VLM (445) on Tuesday May 20 2014, @03:44PM (#45634)

      "provides a false sense of security"

      Unfortunately that's exactly what the providers are looking for.

    • (Score: 1) by unauthorized on Tuesday May 20 2014, @03:50PM

      by unauthorized (3776) on Tuesday May 20 2014, @03:50PM (#45636)

      That's not true. Provider-client encryption is great for securing "marketing research" data for the provider. We can't have Chinese and Russian hackers steal our ad revenue, can we?

    • (Score: 4, Interesting) by cockroach on Tuesday May 20 2014, @03:56PM

      by cockroach (2266) on Tuesday May 20 2014, @03:56PM (#45638)

      As far as I understand, XMPP end-to-end encryption does not solve everything. No matter how strongly you encrypt your conversations, as long as S2S connections are unencrypted third parties can see presence notifications, i.e. they will see who your friends are and (possibly) when you connect / disconnect.

      It's basically like e-mail: while encrypting your messages with PGP prevents random strangers from reading them, the headers are still unencrypted and third parties can intercept them to figure out who is writing to whom. Encrypting traffic between the servers can reduce that risk.

    • (Score: 2) by TheRaven on Wednesday May 21 2014, @08:35AM

      by TheRaven (270) on Wednesday May 21 2014, @08:35AM (#45869) Journal

      XMPP has a few standards for end-to-end encryption (XMPP is a bit of a clusterfuck at the moment, the XMPP Foundation has completely failed to take the lead in establishing a competent standards track, so for every problem there are half a dozen informational XEPs that are all incompatible). End-to-end encryption, as you say, only protects the contents of the message, not the endpoints. The payload is encrypted, but the to and from fields are not, so anyone who can eavesdrop on the connection can see the message.

      This announcement is not about end-to-end encryption, but that doesn't mean that it's not important. It's about using SSL for client-to-server (c2s) and server-to-server (s2s) communication. This prevents a passive attacker from intercepting any of the messages. We know that the NSA is happy to do active attacks on servers, but we also know that their resources are finite and so they go after the big companies (e.g. Google and Facebook) who run large XMPP servers. If you communicate with people on Google's servers then they can get your presence notifications and any messages directed at others on Google servers, but not other messages. If you're using a small server, then they can probably do traffic analysis to determine which other users get presence notifications from you when you connect, but the difficulty of that depends a bit on your network topology. If you're using Facebook, then it's trivial because Facebook doesn't federate so all of their traffic is s2c and the server part is compromised.

      --
      sudo mod me up
  • (Score: 1) by cockroach on Tuesday May 20 2014, @03:49PM

    by cockroach (2266) on Tuesday May 20 2014, @03:49PM (#45635)

    Unfortunately Google does not seem to play along. Since most of my XMPP contacts are on Google Talk I won't be enforcing s2s encryption on my server just yet. Still, it's nice to see that the bigger players are willing to do this even though it may alienate some users who suddenly find themselves disconnected from their Google friends.

    • (Score: 5, Informative) by Anonymous Coward on Tuesday May 20 2014, @04:11PM

      by Anonymous Coward on Tuesday May 20 2014, @04:11PM (#45641)

      Your contacts are not on Google Talk.

      Google has been stepping away from XMPP since last May, when they axed Talk for Hangout. Since then, they've been pruning XMPP from Google Voice (and killing off third-party software in the process), and it's not clear that XMPP has a future with Google Hangouts.

      So, your contacts might well not be on Google Hangout far into the future.

      Meanwhile, universities have been killing off their Jabber servers: at UF, they replaced it with MS Lync, mostly for secretaries who use it to communicate between offices. http://news.it.ufl.edu/infrastructure/jabber-service-to-be-retired/ [ufl.edu]

      There's too much chance for privacy with Jabber: there are programs that encrypt your data to make it harder for bosses, governments and companies to spy on workers, citizens, and users, plus, if you run your own federated server, that makes it even harder for one company to rule all your data. Jabber won't be around much longer; it's going to be replaced by a balkanized set of panoptica that refuse to communicate with each other: Lync for the office, New Beta Hangouts++ or whatever Google calls post-Jabber Hangouts for home users, Facebook/Snapchat, etc. It's the 90's all over again, but with even more spying.

      • (Score: 0) by Anonymous Coward on Tuesday May 20 2014, @10:42PM

        by Anonymous Coward on Tuesday May 20 2014, @10:42PM (#45740)

        Conspiracy theories (or conspiracy facts, nowadays) aside, it may not be necessary to imagine that Google refuses to use s2s encryption because they want to pwn your data: instead, it may simply be that they've terminated their investment in Jabber and are not going to deploy any resources to improve a dead product line.