
posted by martyb on Tuesday May 20 2014, @03:28PM
from the wait-for-Government-makes-it-illegal-headline dept.

IM services start to block unencrypted chats. XMPP upgrade is rolling out now.

A host of instant messaging services will begin refusing unencrypted connections from today under a pledge to harden the extensible messaging and presence protocol (XMPP). Developers pledged in 2012 to begin testing client-to-server and server-to-server encryption for XMPP as of January in a move heralded as an initial step to secure the communications protocol against criminals and government spies. The XMPP Standards Foundation initiative covered 70 providers but could not be enforced. Peter Saint-Andre, the technologist behind the initiative, welcomed the go-live date. "Today, a large number of services on the public XMPP network permanently turned on mandatory encryption for client-to-server and server-to-server connections," Saint-Andre said. "This is the first step toward making the XMPP network more secure for all users."

http://www.theregister.co.uk/2014/05/20/im_upgrade_locks_out_lazy_eavesdroppers/

https://raw.githubusercontent.com/stpeter/manifesto/master/manifesto.txt

Users can check the security of XMPP services at https://xmpp.net/

    by TheRaven (270) on Wednesday May 21 2014, @08:35AM (#45869) Journal

    XMPP has a few standards for end-to-end encryption (XMPP is a bit of a clusterfuck at the moment, the XMPP Foundation has completely failed to take the lead in establishing a competent standards track, so for every problem there are half a dozen informational XEPs that are all incompatible). End-to-end encryption, as you say, only protects the contents of the message, not the endpoints. The payload is encrypted, but the to and from fields are not, so anyone who can eavesdrop on the connection can see the message.

    This announcement is not about end-to-end encryption, but that doesn't mean that it's not important. It's about using SSL for client-to-server (c2s) and server-to-server (s2s) communication. This prevents a passive attacker from intercepting any of the messages. We know that the NSA is happy to do active attacks on servers, but we also know that their resources are finite and so they go after the big companies (e.g. Google and Facebook) who run large XMPP servers. If you communicate with people on Google's servers then they can get your presence notifications and any messages directed at others on Google servers, but not other messages. If you're using a small server, then they can probably do traffic analysis to determine which other users get presence notifications from you when you connect, but the difficulty of that depends a bit on your network topology. If you're using Facebook, then it's trivial because Facebook doesn't federate so all of their traffic is s2c and the server part is compromised.

    --
    sudo mod me up
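The c2s and s2s encryption that the story and the comment above talk about is negotiated with STARTTLS inside the XMPP stream (RFC 6120): after the client opens the stream, the server lists what it offers in a `<stream:features>` element, and a server that enforces the new policy advertises `<starttls>` with a `<required/>` child, so that no SASL authentication can take place until the stream is encrypted. A server that merely lists `<starttls>` without `<required/>` next to its SASL mechanisms still lets a client log in, and send its credentials, in the clear. The following is an added example, not code from the article, the commenter, or the XMPP Standards Foundation; it classifies the TLS policy announced in a stream-features stanza. The sample stanzas are constructed for illustration, not captured from any real server.

```python
"""Classify the TLS policy an XMPP server advertises in <stream:features>.

Added example; assumes the RFC 6120 stream-feature layout, where a server that
mandates encryption sends:
    <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>
before offering any SASL mechanisms.  The sample stanzas below are constructed
for illustration and are not captures from any real server.
"""
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"


def tls_policy(features_xml: str) -> str:
    """Return 'required', 'optional' or 'none' for a <stream:features> stanza.

    'required' : STARTTLS is advertised and marked <required/> (the policy
                 rolled out in the story).
    'optional' : STARTTLS is advertised but a client may skip it.
    'none'     : the server does not offer STARTTLS on this stream at all.
    """
    root = ET.fromstring(features_xml)
    if root.tag != f"{{{STREAM_NS}}}features":
        raise ValueError("expected a <stream:features> element")
    starttls = root.find(f"{{{TLS_NS}}}starttls")
    if starttls is None:
        return "none"
    if starttls.find(f"{{{TLS_NS}}}required") is not None:
        return "required"
    return "optional"


def sasl_mechanisms(features_xml: str) -> list:
    """List the SASL mechanism names offered on this (still unencrypted) stream."""
    root = ET.fromstring(features_xml)
    mechs = root.find(f"{{{SASL_NS}}}mechanisms")
    if mechs is None:
        return []
    return [m.text for m in mechs.findall(f"{{{SASL_NS}}}mechanism") if m.text]


def allows_plaintext_auth(features_xml: str) -> bool:
    """True when a client could authenticate without ever encrypting the stream.

    That is the case when SASL mechanisms are offered on a stream where TLS is
    not required: a passive eavesdropper on the c2s link would then see the
    login exchange (trivially so for the PLAIN mechanism).
    """
    return bool(sasl_mechanisms(features_xml)) and tls_policy(features_xml) != "required"


# Constructed sample stanzas (not captured from any real server).
FEATURES_REQUIRED = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>"
    "</stream:features>"
)
FEATURES_OPTIONAL = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>PLAIN</mechanism><mechanism>SCRAM-SHA-1</mechanism>"
    "</mechanisms></stream:features>"
)
FEATURES_NONE = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>PLAIN</mechanism></mechanisms></stream:features>"
)


if __name__ == "__main__":
    for label, stanza in (("required", FEATURES_REQUIRED),
                          ("optional", FEATURES_OPTIONAL),
                          ("none", FEATURES_NONE)):
        print(f"{label:9s} policy={tls_policy(stanza):8s} "
              f"plaintext-login-possible={allows_plaintext_auth(stanza)} "
              f"mechanisms={sasl_mechanisms(stanza)}")
```

A monitoring script can feed `tls_policy` the `<stream:features>` element that a live server returns on port 5222 after the initial stream header, which is enough to confirm that a provider has actually switched on the mandatory-encryption policy rather than just announcing it; the xmpp.net checker linked in the story goes further and also grades the certificate and cipher configuration.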