[Juser] How secure is jabber?

Matthias Wimmer m at tthias.eu
Sat Jun 30 06:56:17 CDT 2007


Hi Peter!


Peter Flindt wrote:
> 1.) A new user chooses jabber.org as login server. Unfortunately
> something changes at jabber.org and the server goes down for some
> hours, the user chooses another server from a list, that server has too
> many downtimes, he chooses a 3rd. But how secure is this? Everyone can
> download the server software, run his own jabber server, and maybe add
> this server to some server lists. Maybe with some server software addon
> to spy out the userdata. I do not want to assume anything, but where is the
> "security" at this part?

You get a different account (address, password, ...) on the other
servers. There is no roaming of accounts between servers.

So you have to take your account on a server you trust, but you do not
have to trust the whole network for this.

> 2.)SSL/TSL

... TLS, not TSL ...

> I notice that a lot of users think SSL/TSL is "safer" for the messages,
> but if I understand SSL correctly it only does the following:
> User<->plain text<->SSL<->encrypted data transfer<->SSL<->plain
> text<->server
> Apart from the case that some clients/servers only use SSL for
> Password/Username (if I understand this SSL within Jabber correctly),
> where is the "security"? Why do a lot of users want to use SSL? I don't
> understand this hype. Do they all fear that someone spies on their internet
> connection?

Yes ... TLS only encrypts the connection. So when you only rely on TLS
for securing your messages, you have to trust your server again, as the
message is available in clear there.
But there are other protocols (RFC 3923, several JEPs, OTR, ...) to do
end-to-end encryption.

If the client uses TLS to do authentication, then the whole connection
will be protected by TLS. There is no way in XMPP/Jabber to drop the TLS
layer at a later point.
(Well, you could just switch the cipher in the TLS layer to the NULL
cipher, but this does not make any sense, and also I don't think any
client has even implemented that - why should it?)



Matthias


-- 
Matthias Wimmer      Fon +49-700 77 00 77 70
Züricher Str. 243    Fax +49-89 95 89 91 56
81476 München        http://ma.tthias.eu/
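
Added example, not part of the original message and not code from any Jabber client: a sketch of the client-side rule implied above, where credentials are only sent once the stream is inside TLS. The function name, the mechanism preference order and the sample stanzas are assumptions constructed for illustration; the namespaces are the ones defined for XMPP STARTTLS and SASL.

```python
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# Assumed local policy: strongest acceptable mechanism first.
PREFERRED = ("SCRAM-SHA-1", "DIGEST-MD5", "PLAIN")


def next_step(features_xml, tls_active):
    """Decide what a TLS-requiring client does with <stream:features/>.

    Returns "starttls", "authenticate: <mechanism>" or "abort: <reason>".
    """
    features = ET.fromstring(features_xml)
    if features.tag != f"{{{NS_STREAM}}}features":
        return "abort: not a stream:features element"
    if not tls_active:
        # Any SASL mechanisms advertised here are ignored: nothing secret
        # is sent until the connection is encrypted.
        if features.find(f"{{{NS_TLS}}}starttls") is None:
            return "abort: STARTTLS not offered"
        return "starttls"
    # The stream was restarted inside TLS, so everything from here on,
    # authentication and messages alike, travels encrypted to the server.
    # The server itself still sees the messages in clear.
    offered = {m.text.strip()
               for m in features.iter(f"{{{NS_SASL}}}mechanism") if m.text}
    for mech in PREFERRED:
        if mech in offered:
            return "authenticate: " + mech
    return "abort: no acceptable SASL mechanism"


# Constructed sample stanzas (not captured from a real server).
_OPEN = '<stream:features xmlns:stream="%s">' % NS_STREAM
_CLOSE = "</stream:features>"
_SASL = ('<mechanisms xmlns="%s"><mechanism>DIGEST-MD5</mechanism>'
         "<mechanism>PLAIN</mechanism></mechanisms>" % NS_SASL)
PRE_TLS = _OPEN + '<starttls xmlns="%s"/>' % NS_TLS + _SASL + _CLOSE
NO_TLS = _OPEN + _SASL + _CLOSE
POST_TLS = _OPEN + _SASL + _CLOSE

if __name__ == "__main__":
    print(next_step(PRE_TLS, tls_active=False))
    print(next_step(NO_TLS, tls_active=False))
    print(next_step(POST_TLS, tls_active=True))
```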



