XMPP switches on mandatory encryption
The global community of Extensible Messaging and Presence Protocol (XMPP) instant-messaging users took a step toward improved security on May 19, with the operators of a large number of XMPP servers began enforcing a new, mandatory-encryption requirement. The move is one part of a larger effort to secure the global XMPP network; since that network is a federated collection of independent servers, the task is not easy. But whether it is ultimately successful or not, it increases the availability of end-to-end encryption for users, and those developing other Internet communication tools can learn by watching XMPP's example.
In October of 2013, XMPP creator Peter Saint-Andre first published
a manifesto calling
for ubiquitous encryption of the XMPP network. XMPP (or, as it was
known beforehand, Jabber) has supported SSL/TLS encryption of
communication channels since the beginning, but that encryption has
always been optional. The manifesto argues that encryption should be
mandatory "out of respect for the users of our software
and services
", and lays out a set of policy recommendations for
server and client applications.
May 19, 2014 (deemed Open Discussion Day by the signatories) was the "flip the switch" date set out in the manifesto, after a series of four one-day tests earlier in the year. As of the switch-over itself, 70 XMPP server operators and client-application developers had signed the manifesto. The signatories include the administrators of a number of public XMPP services and the teams behind multiple open-source applications (for example, Jitsi, Gajim, Adium, Miranda NG, ejabberd, Prosody IM, and Tigase).
The main conditions of the manifesto were to support STARTTLS connection establishment (including the mandatory cipher suites and certification validation protocol of RFC 6125) and to require TLS encryption for all client-to-server and server-to-server channels. The hard requirement fell to XMPP service operators, who agreed to reject unencrypted XMPP connection requests. Clients, for backward-compatibility reasons, can continue to support unencrypted connections, but make encryption the default.
Several other details were optional: TLS 1.2 was preferred, but negotiation for TLS 1.1, TLS 1.0, and SSLv3 were to be supported, while support for SSLv2 was to be disabled entirely. Likewise, certificate-based authentication and forward-secrecy cipher options were to be available and preferred, but fallback to unauthenticated encryption and other cipher suites must also be supported. Finally, signatories agreed to provide user-configurable options for other security features, (such as cipher selection and forward-secrecy).
The manifesto also notes that "ideally
" the
implementers should present as much information as possible about the
authentication and encryption status of the channel to the user, and that
services should use certificates from well-known certificate
authorities, although both of these conditions are described as
aspirational goals, rather than as mandates.
In essence, then, the participating XMPP networks are requiring an encrypted channel for XMPP connections, supporting all of the recommended options, and making the strongest options the preference. Nevertheless, this set of requirements does not implement ubiquitous encryption, nor does it mandate every strong authentication option possible. The manifesto notes that these remaining requirements are still to come, and that Open Discussion Day event was merely step one.
In particular, running the XMPP connection over TLS is not the same as encrypting the XMPP messages themselves. For that, one would use the Off-the-Record Messaging (OTR) protocol. The use of TLS also does not guarantee channel binding (as in RFC 5056), which enables applications to verify that secure network-layer connections are not hijacked by other programs elsewhere in the protocol stack, nor does it mandate secure DNS or application-level server identity verification.
The XMPP community has invested some of its time in working on these other pieces of the secure-messaging puzzle, though. The IETF's XMPP Working Group has written a number of draft proposals in recent years, covering topics from DNSSEC for XMPP records to server identity verification. Some of these drafts have since expired (in IETF terminology), seemingly without an update or forward progress in several years. However, the argument in the Open Discussion Day community is that forcibly migrating the XMPP network to TLS encryption was a necessary first step; only with that in place it is possible to make meaningful progress on the remaining challenges.
As for the newly activated encryption requirement, though, it is already in effect. Since XMPP servers are federated (and since quite a few of the manifesto signatories run their own server), it is not easy to estimate how many users there are with accounts that will reject unencrypted connection requests. Unless a server advertises how many users it has, there is no way to know how many accounts each server represents—much as is the case with email providers. Fortunately, the IM Observatory site provides some tools for assessing the current state of many clients and servers.
The site provides a tool with which users can test any publicly reachable XMPP server for client-to-server and server-to-server encryption. Recent test results are published on a live-updated page, although only the past few hours are visible at any one time, and multiple test runs against the same server are not filtered out. Each server receives a grade from A (best) to F (worst), based on the same rubric used by SSL Labs' SSL Server Rating Guide. The guide takes into account connection protocol support (e.g., TLS 1.2 is better than TLS 1.1), key-exchange protocol support (e.g., ephemeral key exchange is better than non-ephemeral), and cipher strength (measured by key length).
The site also maintains statistics over the total set of test tested servers. As of today, 59.1% of the tested servers receive an A, while 7.7% receive an F. Most of those in between are skewed toward the A side of the graph. While that is certainly positive news, not all of the servers tested offer accounts to the general public. To that end, the site also provides a list of open-to-the-public XMPP servers that can be sorted by grade. Among these public servers, 59 out of 115 scored an A, or about 51.3%.
All in all, toggling the mandatory-encryption switch for XMPP is clearly a good move from a security standpoint, and the project seems to have implemented it with an admirable degree of success. One might be tempted to view it as a template that other development communities could emulate. In theory, for instance, it would be nice to see email providers make a concerted push for PGP or S/MIME.
But an uncomfortable caveat accompanies the Open Discussion Day success: the fact that XMPP is not nearly as widely deployed as email. There are some large-scale instant-messaging services (like Skype and Facebook) that offer some degree of XMPP compatibility, but the overall size of the XMPP network is small compared to the proprietary alternatives. In fact, Google deactivated its own XMPP compatibility for Google Talk in 2013.
There are still reportedly millions of XMPP users, but it would be considerably harder to implement a similar single-day switchover for other, more widely deployed services. In the early days of TCP/IP, for example, it was possible for all implementers to assemble in one room. But the transition from IPv4 to IPv6 has been many orders of magnitude slower.
Nevertheless, the activation of mandatory XMPP encryption does
demonstrate that when like-minded service operators and application
developers put their minds together, fixing a widespread security
problem is possible. That potentially bodes well for a number of
other Internet security issues, from the certificate-authority problem
to Do Not Track. When concerned parties coordinate their efforts,
they can indeed implement change.
Index entries for this article | |
---|---|
Security | Encryption |
Security | Internet |
XMPP switches on mandatory encryption
Posted May 22, 2014 12:08 UTC (Thu)
by pizza (subscriber, #46)
[Link] (2 responses)
Posted May 22, 2014 12:08 UTC (Thu) by pizza (subscriber, #46) [Link] (2 responses)
This isn't accurate. Google deactivited/b0rked XMPP federation for Google Hangouts (presence information is federated, but nothing else) but Google Talk remains fully federated with XMPP.
Unfortunately, as users (and domains) can switch from Talk to Hangouts at whim, coupled with that half-kinda-sorta-but-not-really Hangouts federation, folks outside of the Google mothership don't know if a given @gmail.com address works with real, federated XMPP or not.
Also, the elephant in the room with this mandatory encrption is that Google is still the largest federated XMPP userbase, probably greater than everyone else combined, and they do *not* support encrypted S2S connections. In other words, that manifesto, and the May 19th date became the voluntary de-peering of Google Talk for all those involved.
The real problem here has been the utter lack of communication out of Google with respect to the future of Talk and XMPP federation. Many, many, many of Google's business users rely on this heavily, and will not accept a forced-hangouts migration due to its lack of interoperability/federation with standard corporate messaging suites (all based on XMPP; even Microsoft's Lync!).
Similarly, I use my own server for both business and personal work, and the *vast* majority (ie all but two) are using google-hosted XMPP. If I were to sign up on this manifesto and cut off google, I'd basically torpedo my ability to communicate.
This is particularly frustrating because Google's the only reason XMPP hit the mainstream; they were one of its earliest (and loudest) champions, and we were all able to convince our employers and whatnot to go along.
Sigh.
XMPP switches on mandatory encryption
Posted May 22, 2014 19:34 UTC (Thu)
by Comet (subscriber, #11646)
[Link] (1 responses)
Posted May 22, 2014 19:34 UTC (Thu) by Comet (subscriber, #11646) [Link] (1 responses)
Thus turning on STARTTLS breaks _reliably_ a service which was broken _unreliably_ and results in a more manageable and understandable service.
Those who want to talk to Google users and are willing to have their messages pass through Google will typically have a Google account of their own, so can tell their XMPP client to sign into multiple accounts instead of trying to depend upon Google's broken federation.
The non-Google account thus has link encryption and protection against purely passive sniffing by those without access to the servers, and talks to "the world of XMPP except Google and Facebook" and people talking with Google or Facebook users just have a connection to those XMPP services. (Facebook may not federate, but they do at least offer STARTTLS for XMPP these days).
XMPP switches on mandatory encryption
Posted May 23, 2014 11:14 UTC (Fri)
by pizza (subscriber, #46)
[Link]
Posted May 23, 2014 11:14 UTC (Fri) by pizza (subscriber, #46) [Link]
Eh, unless you use end-end crypyo (PGP or OTR) with XMPP, you're implicitly trusting the servers on both ends, and even S2S crypto won't change that. I find the "but teh google is reading ur email!" argument rather silly, because they are no different than any other "free" provider in that regard. And most of the "paid" providers too, I suspect. And that's even before the likes of the NSA are considered.
But that is besides the point. XMPP's killer feature was its federated nature. I just fear they've deliberately shot themselves in both feet in the name of progress, because in doing so they've deliberately de-federated from not only Google, but I suspect the majority of the corporate XMPP IM solutions as well. Thanks to Metcalfe's Law, this really does raise the question "why bother with XMPP at all, then?"
XMPP switches on mandatory encryption
Posted May 22, 2014 19:39 UTC (Thu)
by Comet (subscriber, #11646)
[Link] (5 responses)
Posted May 22, 2014 19:39 UTC (Thu) by Comet (subscriber, #11646) [Link] (5 responses)
Facebook send a lot of email and recently put up a blog post (does not require an account to access) on the stats for email, which is worth reading:
https://www.facebook.com/notes/protect-the-graph/the-curr...
Meanwhile, pleasingly the latest Mercurial tip of Prosody, an XMPP server (written in Lua, fairly popular) supports DANE-based verification for peers, letting us move towards authenticated TLS via DNSSEC without the federated service CA problem (which is rather worse than the general case CA problem).
XMPP switches on mandatory encryption
Posted May 23, 2014 1:41 UTC (Fri)
by flussence (guest, #85566)
[Link] (4 responses)
Posted May 23, 2014 1:41 UTC (Fri) by flussence (guest, #85566) [Link] (4 responses)
So I'm left running an arrangement with a self-signed CA and per-service certs signed by that, which I'm okay with since it's (mostly) for personal use. It's better than having everything in cleartext in any case, but it only works when the client software checks a cert doesn't change, as SSH does. The Android mail app is one annoying exception here and it took a fair amount of manual setup (and a big scary persistent warning symbol in the system settings) to get it to actually provide meaningful security with a self-signed CA.
XMPP switches on mandatory encryption
Posted May 23, 2014 11:14 UTC (Fri)
by bangert (subscriber, #28342)
[Link] (1 responses)
Posted May 23, 2014 11:14 UTC (Fri) by bangert (subscriber, #28342) [Link] (1 responses)
XMPP switches on mandatory encryption
Posted May 30, 2014 20:12 UTC (Fri)
by Klavs (guest, #10563)
[Link]
Posted May 30, 2014 20:12 UTC (Fri) by Klavs (guest, #10563) [Link]
XMPP switches on mandatory encryption
Posted Jun 2, 2014 15:50 UTC (Mon)
by jch (guest, #51929)
[Link] (1 responses)
Posted Jun 2, 2014 15:50 UTC (Mon) by jch (guest, #51929) [Link] (1 responses)
If you're using a dedicated OVH server, why are you using their DNS? In my experience, OVH give you cheap, well-connected and reasonably reliable servers (in the sense that they get replaced quickly when they break, I hope you had backups), but their services are not very useful -- they probably expect you to roll your own.
So apt-get install bind, point your NS at your server, and be done with it. I don't recall if OVH are willing to act as secondary, but for most applications secondaries are not really a hard requirement (and if you really need a secondary, you'll want it to be somewhere else than on OVH's network).
(I'm more annoyed about their IPv6 infrastructure -- a single /64 per server that is not routed, so you need to proxy-ND in order to do anything out of the ordinary.)
XMPP switches on mandatory encryption
Posted Jun 2, 2014 21:54 UTC (Mon)
by flussence (guest, #85566)
[Link]
Posted Jun 2, 2014 21:54 UTC (Mon) by flussence (guest, #85566) [Link]
The main reason I've stuck with their hosted offering for this long is that the basics were "good enough", and they've got a handy dyndns mechanism already set up. I was too lazy at the time to reimplement it myself. :)