70-plus messaging services and XMPP software clients begin requiring TLS encryption
If you're having trouble connecting to an XMPP (Extensible Messaging and Presence Protocol--formerly Jabber) service this week, you may need to upgrade your chat client. The XMPP Standards Foundation announced that a large number of services using the public XMPP chat network began making encrypted connections mandatory on Monday.
The move to making encryption a requirement across many XMPP services is aimed at preventing private chats from falling into the hands of governments or other parties monitoring unencrypted connections--an issue that has become all too relevant in light of the ongoing Snowden revelations.
The new encryption effort only protects communication between chat clients and XMPP servers. It does not offer so-called end-to-end encryption, where chats are encrypted on the sender's device and can only be decrypted on the recipient's.
The effort to encrypt connections for XMPP has been months in the making after Peter Saint-Andre, who runs jabber.org, published a manifesto in October calling for wide adoption of encrypted connections for XMPP services.
Entitled, "A Public Statement Regarding Ubiquitous Encryption on the XMPP Network," the document calls for XMPP operators and developers to start requiring Transport Layer Security (TLS) connections as of Monday, May 19, 2014.
In XMPP circles, May 19 is dubbed Open Discussion Day, which is meant to promote open communications systems and protocols such as XMPP.
TLS is a commonly used protocol for securing web communications. Recently, the Heartbleed bug in the implementation of SSL/TLS by the OpenSSL Foundation made millions of websites vulenerable to attack. TLS itself, however, is still seen as secure.
It's not clear exactly how many services are using TLS connections since XMPP is an open standard that requires voluntary compliance with the encryption effort. Nevertheless, more than 70 XMPP service operators and software developers have signed on to support the call to require TLS.
Notable supporters include the lead developer of Adium, a popular chat client for OS X; Jeremie Miller, the creator of Jabber; and the creator of ChatSecure for Android (formerly Gibberbot).
While TLS support is good news for XMPP users, chances are most of us aren't using the protocol any longer. Once fully supported by Google in its Chat client, the search giant is moving away from XMPP in favor of its own Hangouts, which is not an open standard. Facebook, which currently supports XMPP in Facebook Chat said it plans to shut down XMPP integration on April 30, 2015. Skype and Lync, which are becoming the default chat clients across Microsoft's online services for consumers and enterprises, offer limited XMPP support.
Nevertheless, for the privacy conscious there's never been a better time to consider going back to using XMPP-based chat. After pushing TLS, the XMPP Standards Foundation hopes to expand other security-conscious features across XMPP services including ubiquitous authentication, secure DNS, and end-to-end encryption.
The only problem will be dragging all your friends over to an XMPP service with you.