The XMPP Newsletter, 30 November 2018

Welcome to the XMPP newsletter.

If you have an article, tutorial or blog post you'd like us to include in the newsletter, please submit it on the XMPP wiki.

News

In the Netherlands a commercial chat service based on XMPP and a modified version of the open-source Xabber client for Android was compromised when the Dutch police gained access to the server and implemented a man-in-the-middle (MITM) attack on encrypted conversations that used Off-The-Record (OTR) encryption.

OTR and other encryption technologies such as OMEMO only guarantee end-to-end security if you are able to verify the fingerprints of your contacts' encryption keys. In this case it appears users did not verify and ignored warnings (which were too small and easily missed), and this opened the door to a MITM attack by anyone with access to the server.

The attack in this instance was for law enforcement. However it serves to highlight the importance of designing user interfaces that encourage good security practices, and educating users. It also highlights problems with centralized services - all IronChat users were on a single XMPP server, which meant a single place to compromise and access all IronChat conversations. A federated network does not have a single point through which all messages pass.

It seems the service was popular with criminals, which is why the police got involved, and various arrests were made. Here's the original article in Dutch and here's a Google machine-translated version.

Subscribe to receive the next edition in your inbox

Paul Schaub has written about a QR-code generator for OMEMO which he has been working on. It encodes the Jabber-ID of the owner as well as any OMEMO fingerprints they choose to include.

JC Brand has written about the recent XMPP sprint held in Dusseldorf. Featuring sushi, ramen, whiskey, protocol discussions, translations, bugfixes, documentation, releases, hacks and coding.

The Monal iOS and MacOS client now shows a simple introduction to XMPP with lovely illustrations of Peter rabbit, as he enters and escapes Mr McGregor's garden. There are also new empty state screens with similar illustrations.

The well-known Kuketz blog in Germany wrote an article XMPP is not the savior - but a solution (Google machine-translated version). Here's the original German version. It's in part a response to XMPP: Admin-in-the-middle, written by the InfoSec Handbook which details how XMPP server administrators have access to user's metadata and other sensitive information.

The German email provider mailbox.org, has unveiled a revamped website with new features, including migration to a new XMPP chat server (Ejabberd) and deployment of Converse.js as webchat.

German IT website Golem.de has written about Daniel Gultsch's new free Android app Quicksy which allows users to sign up with their cellphone number. Here's the Google machine-translated version and the original German article.

This Stardust blog post explains how you can Write an XMPP bot in half an hour

Andrea Schäfer provided a technical update and demo of Chatty, the XMPP-capable chat client that is being developed for the upcoming Purism phone. This was posted already a while ago, but only came to my attention recently.

Upcoming Events

The 23rd XMPP Summit has been announced. It will be held on the 31st of January and 1st of February 2019 in Brussels, Belgium. These are the two days preceding FOSDEM 2019.

Software releases

Servers

MongooseIM 3.2

Prosody 0.10.3, 0.11 and 0.11.1 - The 0.11 release features a rewrite of their MUC component and lots of PubSub improvements.

Clients

Libraries

Other software

xmpp-websocket-proxy - A new XMPP websocket connection manager using using DotNetty and MatriX vNext.

Movim 0.14 - Movim is 10 years old this month and this release has been 9 months in the making.

Services:

The Public MUC search tool Muclumbus now lives at search.jabber.network