[JDEV] Security in XMPP/Jabber: some questions

Mattias Campe mattias.campe at rug.ac.be
Wed May 21 15:17:42 CDT 2003


Yesterday, I did a presentation of Jabber at my university (actually it 
was a presentation for my RSS headlines jabber component) and they asked 
me how secure Jabber was. Unfortunately I couldn't answer that question 
very well. As I still need to hand in my résumé, I would like to have 
some more information on this one.

First, I've done some more research myself, but I still have some 
questions. From DJ Adams' book, I know that there are 3 methods to 
authenticate, namely plaintext, digest and zero knowledge. Is it correct 
that most clients use digest by default?

Then there is SSL (Secure Socket Layer?) that you can use to encrypt the 
whole stream, am I correct? Still, I don't see that clients use this by 
default. What is the reason for this? I've read somewhere that it could 
be that this causes problems on some proxy servers, is this true? And 
does SSL provide end-to-end security or only client-to-my-own-server?

Two other known ones are PGP and GnuPG, what's the difference between 
those two? Is a client supporting PGP compatible with one supporting 
GnuPG? How does this actually work? Is it encrypted at the client side, 
decrypted at the server side, to know the to address and then encrypted 
again to send it to the "other side"? What if the other side doesn't 
know about PGP, how does this side know about that lack of feature?

I read in "The Instant Messaging Standards Race: Comparing XMPP/Jabber 
and SIP/SIMPLE" from Jabber Inc. something about SASL (Simple Authentication 
and Security Layer) and TLS (Transport Layer Security). What is the 
principle of those two?

What is meant by "end-to-end" vs "hop-to-hop" encryption, that with the 
first one even the server can't read what is in the message? But how do 
they know then where to send the message?

Will jabberd2 support more security than the current jabberd server?

I hope somebody has some time to answer these questions (or some of them). I 
don't need in-depth information, just enough to understand it :).
