TLS Everywhere

2013-10-27

Almost 15 years have passed since my friend Jeremie Miller released the initial version of the jabberd IM server, launching the Jabber open-source community and the technology we know today as XMPP. Yet, all that time, hop-by-hop encryption using SSL/TLS has been optional on the XMPP network. A number of server operators and software developers in the XMPP community have decided that needs to change for the better. Based on discussions at the XMPP Summit last week in Portland, Oregon, I have drafted a plan for upgrading the XMPP network to always-on, mandatory, ubiquitous encryption. You can find it here:

https://github.com/stpeter/manifesto

In short: we owe it to those who use XMPP technologies to improve the security of the network (and thanks to Thijs Alkemade, we now have better ways to test such security, using the newly-launched "IM Observatory" at xmpp.net). Although we know that channel encryption is not the complete answer, it's the right thing to do because it will help to protect people's communications from prying eyes.

If you or your organization develop XMPP-compatible software or run a service that's connected to the XMPP network, I encourage you to sign the statement by following the instructions in the README at the URL shown above.

Peter Saint-Andre > Journal