2014-05-19 by The Prosody Team





Last year Peter Saint-Andre laid out a plan for strengthening the security of the XMPP network. The manifesto, to date signed by over 70 XMPP service operators and software developers, offered a rallying point for those interested in ensuring the security of XMPP for its users.

Today is the date that the manifesto gave for the final ‘flip of the switch’: as of today many XMPP services will begin refusing unencrypted connections. If you run an XMPP service, we encourage you to do the same. On the xmpp.org wiki you can find instructions for all the popular XMPP server software. While XMPP is an open distributed network, obviously no single entity can “mandate” encryption for the whole network - but as a group we are moving in the right direction.

If you use an XMPP service provided by someone else and you encounter problems contacting family, friends or colleagues starting from today, it may be a sign that either your XMPP service or theirs is not properly supporting encryption. Contact the administrator of your service and let them know about this change. You can also use xmpp.net to test any server.

We still have some way to go, for example today’s change only ensures encryption (enough to beat passive capturing of traffic), it does not require you to have a valid certificate issued by a certificate authority (though some services do already choose to require this).

There is a whole lot of work being done to pave the way for a future without CAs, as they are a sticking point for many people - whether for financial, trust, privacy or philosophical reasons. Some current initiatives include DNSSEC, Monkeysphere, and some folks prefer to trust nothing less than hand-verified fingerprints! We already have experimental plugins available in prosody-modules for these things (mod_s2s_auth_dane, mod_s2s_auth_monkeysphere, mod_s2s_auth_fingerprint, etc.). If this is something you are interested in, take a look, help us test, and perhaps contribute code even!

Further reading: