
XMPP Operators Begin Requiring Encryption, Google Still Not Allowing TLS

Posted by Unknown Lamer
from the google-talk-is-the-new-internet-explorer dept.
Via El Reg comes news that major XMPP (formerly known as Jabber, likely the only widely used distributed instant messaging protocol other than IRC) operators have all begun requiring encryption for client-to-server and server-to-server connections. Quoting the Prosody developers: "Last year Peter Saint-Andre laid out a plan for strengthening the security of the XMPP network. The manifesto, to date signed by over 70 XMPP service operators and software developers, offered a rallying point for those interested in ensuring the security of XMPP for its users. Today is the date that the manifesto gave for the final 'flip of the switch': as of today many XMPP services will begin refusing unencrypted connections. If you run an XMPP service, we encourage you to do the same. On the xmpp.org wiki you can find instructions for all the popular XMPP server software. While XMPP is an open distributed network, obviously no single entity can 'mandate' encryption for the whole network — but as a group we are moving in the right direction." There is a handy tool to test your server. A result worth noting is Google's: they still do not support TLS for server-to-server connections, and their sudden dropping of TLS s2s connections a few years ago is likely the primary reason operators switched off mandatory TLS for s2s (I know that's why I did it). Although Google Hangouts offers no federation, GTalk still does, but it appears that the XMPP network-at-large will now cease to federate with Google voluntarily.

  • by The Cisco Kid (31490) on Tuesday May 20, 2014 @08:19AM (#47045193)

    So their lack of support for TLS with it is sort of a moot point.

    http://tech.slashdot.org/story... [slashdot.org]

    • You know, I can understand why Google might decide that XMPP isn't sufficient for the kinds of features they'd like to support, and so deciding to develop something new in-house with their desired feature set. I really wish, though, that they would open a protocol that still allowed outside people to communicate.

      I just find it insane how much we're moving back in the direction of "walled gardens" everywhere. There was a time when most people's exposure to online interaction were services like Compuserve, AOL, and Prodigy, and those services couldn't talk to each other. I think we're headed back in that direction, except that soon we'll all be on services like Google+, Facebook, and Twitter, and those services won't talk to each other.

      We really need a revolution soon, or I think we're going to find that we don't like where we end up. I know it sounds trivial because these are all free services, and most of what's communicated on them is trivial anyway. Still, it's transforming the Internet into a less free place, where we're all at the whim of a small handful of companies. I think it's a bigger problem than we've yet realized.

      • It's about choice. I can understand that we should always have choice. But the idea that we shouldn't be able to "choose" a walled garden if we want one seems ass-backward to me. Do you remember CompuServe, AOL and Prodigy? There were plenty of others as well... some of them were awesome. I loved CompuServe. I wouldn't go back now... but if some people want to, why shouldn't they have the choice to do so? Google's pretty darned open compared to most other modern tech companies. If they want to offer some ser

        • by Pi1grim (1956208) on Tuesday May 20, 2014 @10:32AM (#47046089)

          That's BS. All this achieves is pushing you into the same zoo of IM clients that stretches from the '90s. ICQ, Odigo, MSN, Gadu, Skype, XMPP and now all the mobile IMs are all dreaming of being The One. I'm so glad all this corporate "there can be only one and it should be us" broke out after email was standardized. Because right now, several decades from its invention, we're still stuck with it. No matter how ugly or unsuitable for modern needs the protocol is and how many ugly hacks have been applied to it. Just because this is the only universal communication method. You can send a message and the receiver will get it regardless of what mail service they use.

          Back in the day Google's tech team thought that something similar should be done for the IM market and supported XMPP. But then they decided that this product was too good to let other people, who don't use Google's services, use it to contact the ones already in Google's web of services. "Everyone should get a Google ID." And now the hopes of other players are even dimmer than they ever were. Looks like my dream, where people from Facebook, Google, a university network and some corporate IM system can get into one conference and chat, is a pipe dream.

          I don't care for internal protocols, features and such. I just want interoperability between servers. Let john@google.com message jane@facebook.com and any other server that supports XMPP. It worked great for email, so why the hell do you try to introduce walled gardens and cause pain to your users?

        • by dpilot (134227)

          Go ahead and choose your walled garden, I won't stop you.

          But from where I sit, it looks like everything that connects to the home is going to walled gardens, and open as an option is fading away.

          Serious proposal: Allow a "fast lane" by any/all ISPs. They've got such a hard-on for a fast lane that they're going to keep buying legislators until they get one. Then place a limit on it. The fast lane can only be X times faster than the "neutral net lane", and NO traffic shaping or limits are allowed on that

          • > Go ahead and choose your walled garden, I won't stop you.

            > But from where I sit, it looks like everything that connects to the home is going to walled gardens, and open as an option is fading away.

            > Serious proposal: Allow a "fast lane" by any/all ISPs. They've got such a hard-on for a fast lane that they're going to keep buying legislators until they get one. Then place a limit on it. The fast lane can only be X times faster than the "neutral net lane", and NO traffic shaping or limits are allowed on that lane, other than being 1/X the speed of the fast lane. Plus X needs to be a legally asserted and testable value.

            Congrats on joining the chorus of uninformed on the net neutrality topic. That's not what they are proposing and not what will happen. Don't get me wrong, I think it's a terrible idea for other reasons... but the ISPs can't simply use it to block content. They could try but they'd end up in court so fast their heads would snap back.

            Traffic shaping will give some content priority. This will increase latency to content that doesn't pay. As you likely already know, for a normal website like slashdot, the laten

            • by dpilot (134227)

              Good point on latency, I forgot about that. What's worse is that streaming media can readily compensate for latency, as long as it's reasonably consistent. On the other hand, I work from home a fair amount, sometimes with vnc, sometimes with remote X. I'm a heck of a lot more sensitive to latency.

              But even if you regulate Netflix like a content provider, it still leaves Comcast jealous, because none of the effects of that regulation wind up in Comcast's pockets. The reality is that Comcast doesn't want t

        • I'm not talking about taking away your choice to be in a walled garden. I haven't suggested any method to stop you from logging onto Facebook and only using Facebook.

          But going with that example, I'm just suggesting that, as more and more of our communications get rammed into Facebook, and if Facebook doesn't have protocols to connect without outside systems, we're going to have a problem.

      • They never really explained why federation wouldn't work or why XMPP wasn't sufficient for their needs. As far as I can tell, this was purely to thicken the walls on the garden.

        This is the problem with anyone becoming too big within an otherwise open space: there is no reason for them to play nice when they have de facto control. Let's just hope that E-Mail doesn't suffer the same fate at the hands of GMail.

        I have said almost word-for-word what you just said about walled gardens (even using Compuserve and

        • > Let's just hope that E-Mail doesn't suffer the same fate at the hands of GMail.

          You haven't been using Facebook Messaging recently?
          The only reason it's not considered such by all is that they still tactfully manage to avoid calling it "E-Mail".
          But the set of functionality is very similar to any other webmail system (including attachments, etc.) minus the interoperability.

          • by Paco103 (758133)

            Yes, and I don't get flooded with Spam and Phishing, so I'm okay with it. And to be clear, there is a huge difference between spam and advertising. I don't mind advertising. It's clean and often targeted to something I may actually be interested in seeing or learning about. Spam on the other hand is a constant barrage of things that rarely even make sense, are only occasionally in a language I speak, and promise that a beautiful 10 right down the street from me is totally in to nerdy 5's, and I need to mess

          • Didn't they say they're going to drop it recently?

        • by Pi1grim (1956208)

          They did explain. You just didn't listen well enough. XMPP interoperability wouldn't let Google force people into their services and would let people run third-party services and yet enjoy the luxury of communicating with those who used Google as their one-stop shop for all online needs. Clearly that had to be stopped. I'm expecting a similar move for GMail, only much swifter (those damn users are too used to the stupid idea of email being cross-server, not being locked in).

        • > They never really explained why federation wouldn't work or why XMPP wasn't sufficient for their needs. As far as I can tell, this was purely to thicken the walls on the garden.

          I think it's obvious isn't it? The "Hangouts" product works in a fundamentally different way to XMPP. In particular, it's trying to be a WhatsApp competitor, which means users are identified by things which are not JIDs, like verified phone numbers and Google+ profiles. What's more the entire thing on mobile runs over the C2DM system

          • Anonymity? In this age of spying on everyone, perhaps a verified name or phone number is a liability.

          • by psyclone (187154)
            Features? It's great to have the server manage groups so when a new user of Team X gets added, all of Team X shows up in their roster. File transfer is simpler and more secure using XMPP+TLS than requiring the "cloud". Persistent chat rooms (à la IRC channels) are a great way to keep people collaborating. Even IDEs like IntelliJ can help collaboration by sending "File Z line N" code pointers or diffs that show up right next to the code your team is working on.

            That and by using OTR or trusting your own ser
          • by DdJ (10790)

            Or can you give me one good, solid reason why an ordinary person would want to use a non-Google XMPP server?

            Some employers provide on-site supported XMPP servers. Until recently, I've been able to use ours to collaborate with external partners on GTalk, using federation.

            Some vendors provide built-in XMPP servers as part of other products. I'm aware of one telephony platform that does so and one IT helpdesk service that does so. Using their servers enables certain useful features, like "they look like tex

        • > They never really explained why federation wouldn't work or why XMPP wasn't sufficient for their needs.

          I'm not asserting that was why they did it. I'm just saying that I could understand if that was why.

          It may be that if you could talk to the decision-maker inside of Google who made this decision, they'd tell you that XMPP is somehow inefficient, or it didn't offer features that they wanted. They might say that XMPP is poorly architected or something, and we might debate about whether their explanation made sense.

          What I'm saying is that, if there's some technical explanation like that, then I don't objec

      • by Kimomaru (2579489)
        I hadn't really thought of it that way, that we're moving back to walled gardens. It's kinda funny. Anyway, I guess people like the comfort and convenience of walled gardens. What really bums me out isn't that the large majority of people like them, but that highly technical people do as well. I know people who, no question, can install anything including an XMPP server on extremely cheap, low power consumption hardware and yet they don't bother. They find smartphones, Windows and Apple products too de
        • by Anonymous Coward

          Sure I could install my own XMPP server, no problem.

          Of course, if I want to have a conversation with anyone other than myself, then I'll still need Google/Apple/Skype whatever, because let's face it, nobody uses XMPP. Sad but true.

          • by Pi1grim (1956208)

            Universities, a lot of businesses, non-profits, all use XMPP because it's pretty much the only solution that doesn't make you give up your information and can be hosted in-house (without costing an arm and a leg and forcing you into a vendor lock-in).

            Even if you give up and drop XMPP, you will still need to use Skype, Google, WhatsApp and whatnot (all of them, not just one), because my communication circle stretches across target audiences of all those messengers and there is no silver bullet (one ideal messenger

        • by Pi1grim (1956208)

          >> Anyway, I guess people like the comfort and convenience of walled gardens.

          People like comfort and convenience. Corporations love walled gardens, because they can use vendor lock-in to try and leverage their userbase into bringing more people into the same trap.

          Most people won't care who pays for the services they use until the information they provided will be used against them, or until they'll lose everything at a blink of an eye for violating some ToS, it'll be too late by then, but, well, some

        • by westlake (615356)

          > What really bums me out isn't that the large majority of people like them, but that highly technical people do as well. I know people who, no question, can install anything including an XMPP server...

          Not everyone wants to be a technician or engineer 24-7-365.

          • by Kimomaru (2579489)
            Joking? Don't need to be a 24-7-365 technician or engineer, any technical person knows this. Small, 5v server costs 80 dollars (cubieboard or cubietruck). Debian costs nothing. I run xmpp and mumble on it. System updates with cron. Can't remember when last I actually logged into it, it's just there and I use it. My toaster gives me more trouble.
          • by jabberw0k (62554)
            Who covers leap years? (24/7 is sufficient.)
        • I actually think there's a bit of a cultural problem in the tech community, in that the issue of "openness" has become polarized. On one side, you have people who think openness absolutely doesn't matter, and they seem to have no problem with the "walled gardens". On the other side, you have FOSS advocates who seem to have a militant agenda to replace everything with Debian.

          I would take the position that closed source software is fine, and in fact, it's good to have a diverse software ecosystem with diff

      • > We really need a revolution soon, or I think we're going to find that we don't like where we end up. I know it sounds trivial because these are all free services, and most of what's communicated on them is trivial anyway. Still, it's transforming the Internet into a less free place, where we're all at the whim of a small handful of companies. I think it's a bigger problem than we've yet realized.

        (Shrug) The next revolution will be co-opted to sell ads, just like the last one was. I don't know what we need,

      • by dj245 (732906)

        > You know, I can understand why Google might decide that XMPP isn't sufficient for the kinds of features they'd like to support, and so deciding to develop something new in-house with their desired feature set. I really wish, though, that they would open a protocol that still allowed outside people to communicate.

        > I just find it insane how much we're moving back in the direction of "walled gardens" everywhere. There was a time when most people's exposure to online interaction were services like Compuserve, AOL, and Prodigy, and those services couldn't talk to each other. I think we're headed back in that direction, except that soon we'll all be on services like Google+, Facebook, and Twitter, and those services won't talk to each other.

        > We really need a revolution soon, or I think we're going to find that we don't like where we end up. I know it sounds trivial because these are all free services, and most of what's communicated on them is trivial anyway. Still, it's transforming the Internet into a less free place, where we're all at the whim of a small handful of companies. I think it's a bigger problem than we've yet realized.

        Nobody has really made a service or software where an open standard was easy to use. Case in point: video calls. There are a lot of free alternatives out there, some seem to work OK, others seem to not work so well. None of the alternatives are easy to use however, so Skype is what we use. I would prefer to use a more open platform, but I have better things to do with my time than troubleshoot such a system for hours.

        • You're conflating a lot of different issues. First, video calls are notoriously painful for various reasons. So let's just get that out of the way: it wouldn't be weird if you were having lots of problems with Skype, too.

          Second, there's nothing inherently inferior about "open". If Skype were to publish a spec for how they negotiate video calls, then suddenly we have an open protocol that's as good as Skype. It's not suddenly worse because it's "open".

          Third, there's a difference between a "protocol" an

        • SIP is a good protocol. There aren't very many great clients, but ekiga always worked fine for me.

  • by TrentTheThief (118302) on Tuesday May 20, 2014 @08:33AM (#47045263)

    Google is acquiring all of the arrogant bullshit attitudes and implementing arbitrary rules and standards just the same way that Microsoft did.

    It's a sad shame. But an evil empire smells no different from an empire that's rotting.

    • You're gonna have to explain that. They currently are behind development of the most popular (And open source!) mobile OS out there, the most popular (and "mostly" open source) desktop browser out there, the most popular (in the west) search engine out there, and one of the most popular (and very open) email systems out there.

      It's notable that they continue to be a voice of reason in the security world (with this being a notable exception), having given very solid reasons for why they don't do security thea

      • by Anonymous Coward

        > They currently are behind development of the most popular (And open source!) mobile OS out there

        ... which is getting progressively less open, as more and more things move from the OS proper to Play Services (which is both closed and heavily license encumbered.)

        > , the most popular (and "mostly" open source) desktop browser out there

        ... which has forked its rendering engine, no longer uses standard widget toolkits, and incorporates a number of proprietary extensions (like DRM for HTML5 video).

        > and one of the most popular (and very open) email systems out there.

        ... which is a meaningless phrase, since it's just as "open" as every other functional e-mail service. Outlook.com is every bit as open, and every bit as closed as GMail.

        • > ... which is getting progressively less open, as more and more things move from the OS proper to Play Services (which is both closed and heavily license encumbered.)

          Utter bull. Play store is included with AOSP. The service itself is hosted, and most certainly not a "part of the OS" (particularly as you are able to side load and install third party stores, like Amazon's).

          The Blink rendering engine was forked because it was being developed by Apple with a lot of Apple-specific stuff, like the Safari-only JS engine (which Chrome never used), and it made zero sense to continue to be tied down. Blink does, however, remain open source, so I'm not clear what your beef is.

          • Looks like I was wrong: there actually isn't a way to export from Outlook.com. You can use the Outlook client to pull everything and then create a PST, but they don't actually offer a way out without a client.

            The comparison is ridiculous.

          • > Play store is included with AOSP

            Since when? I thought the Google Play Store client was the one app not included with AOSP. As I understand it, the Google Play Store client is lawfully available only as a preinstalled app on devices manufactured by OHA member companies. If you're an OHA member, you can't manufacture Android-fork for other companies, and all Android devices that you make must conform to the CDD. In the early days of Android (1.x and I think early 2.x), all devices had to include a working cellular modem, which ruled out an

            • I'm running CyanogenMod with Play services. There's a cryptographically-signed zip file you install which provides the services. I believe the restriction is on distributing it as a whole, and/or based on the fact that CyanogenMod ISN'T signed.

              The restriction on Android, AFAIK, is that you can't label a phone as "Android by Google" or anything like that without signing onto their program.

              Restrictions on hardware don't bother me: they're attempting to make it reasonable to create apps. Compromises over screen

              • > Compromises over screen size are hardly an indication of being "less open"; I'm not even sure what "evil" spin you could put on that.

                If the screen size never changes, then it's impossible to have two applications on the screen at once. This means apps run all maximized all the time despite a 7" tablet's screen being big enough for two phone apps, and if you want to see two apps running at the same time, you have to pay for twice as many devices.

              • by Andy Dodd (701)

                In short, Play Store is NOT included with AOSP.

                CM received a pretty nasty cease-and-desist letter from Google regarding gapps a few years ago. The "workaround" was that users could extract the gapps suite from their device and reinstall it.

                And yes, the current approach doesn't quite meet that legal definition, but what is protecting CM (and other projects) is that *they are not hosting gapps* - have you noticed that for any project, when you're instructed to get gapps, you're routed *elsewhere*?

                Kinda scre

              • by Pi1grim (1956208)

                Well, google sued CM to stop them distributing GPlay. And you can't sell any device with GPlay on it, if Google doesn't give OK for that and you don't negotiate some secret terms and pass their "certification".

                And yes - Google Play Store is NOT included in AOSP and doesn't ship with AOSP or any derivatives, unless the manufacturer passed the certifications, details of which are discussed on a per-case basis with Google and are subject to NDA.

              • You are running Play because your phone came with Play, and the Cyanogenmod installer copies it from the stock image before installation.

                Play most assuredly is not part of AOSP.

          • by chihowa (366380) *

            > Utter bull. Play store is included with AOSP.

            Utter bull, indeed.

            You're referring to the entirely closed-source bundle that you download from the not-at-all-sketchy-sounding site, goo-inside.me, right? The one that's signed with a self-signed certificate?

            The same Google Apps that increasingly contains closed source versions of what used to be open source OS components [arstechnica.com]? Yeah, I'm not sure what "evil" spin you could put on this totally "open" behavior of Google's...

      • In a lot of ways, Google continues to be a prime example of a company that "gets it" (when it's not pushing failed social networks). They're embracing security, encryption, mobile computing, and wearable tech (which is coming whether anyone wants it or not). I'm not clear in what sense you could consider them to be "rotting".

        The GP was comparing Google to Microsoft. He meant that Microsoft is "rotting", not Google. But was making the point that Google "smells" the same, because while they may not be rotting, they are clearly just as evil.

        • Yeah, open-sourcing all of that stuff, contributing to Linux, and offering exit strategies from their ecosystem ("here's a zipfile with all of your data!") is super evil.

      • by Anonymous Coward
        Google is racing to close every facet of Android they conceivably can.
        Their browser may be mostly open source, but they certainly have evil intentions within (i.e. search from the address bar)
        Their search engine being the most popular has nothing to do with their evil motives. Nothing about the search engine is "open" and it is certainly driven by ads and data mining.
        How is gmail very "open"? Open in the sense that the content of every message is waded through for valuable statistics/data on you and the other
      • by Kimomaru (2579489)
        Going to have to disagree. "Mostly" open source can be as much of a problem as no open source at all. It depends on what parts they don't subject to public scrutiny, no? Also, not sure why you would mention how popular a platform is as it is irrelevant to the central issue. Something can be popular and terrible. The biggest problem is that companies can afford to do whatever they like and be altruistic when they're small and struggling, but when they become giants they must inevitably play by a differe
      • by Pi1grim (1956208)

        >> They currently are behind development of the most popular (And open source!) mobile OS out there,

        And they are quietly dragging all the open source parts into a closed source framework called Google Services, trying to create a vendor lock-in for the apps, so that it's impossible to run software on AOSP without Google Services Framework, which is closed source and completely controlled by Google. The Messaging app is gone (Hangouts to the rescue), so is Gallery (hello Google+ Photos, yuck) and a lot of oth

  • by Anonymous Coward on Tuesday May 20, 2014 @08:34AM (#47045269)

    This is why Google will drop XMPP. You can use plugins for true end-to-end encryption. This disallows Google from reading your chats, which it will never stand for.

    • I got the impression that they were dropping XMPP because it wasn't "Google+".

      I also wonder whether they're gonna change their stance now that they're no longer going whole-hog on G+ integration with everything.

    • They both serve different goals.

      Server encryption helps secure the service.
      But it doesn't address privacy (the channel is only secured between 2 servers, or between a client and a server).

      End-to-end encryption (like OTR) is for privacy.
      It makes sure that, no matter what, the message stays encrypted during the whole transit from one user to the other.
      Even during the time spent on servers, an OTR-encrypted message is still useless and not eavesdroppable.

  • by nimbius (983462) on Tuesday May 20, 2014 @08:36AM (#47045281) Homepage
    Google is pretty well seated in the back pocket of the US government. Even if they were to endorse TLS it doesn't preclude them from silently forwarding all your conversations to the NSA.
    Voluntarily ceasing to federate is the logical conclusion to a software project run by people who care about their users, so nothing special here. However, voluntarily ablating yourself from Google, Facebook, Twitter, Snapchat, and other "social" sites is probably a long-term goal to which we should all strive.

    adblock, noscript, and ssl everywhere are all valid tools. For Android users AdAway can be found on F-Droid.org. Your alternative search engine is Duckduckgo.com, and although it's nowhere near as powerful, OpenStreetMap can be used in place of Google Maps quite often. Alternative free email can be found at freeshell.org (it includes webmail too.) Use unbound for DNS recursion instead of Google, or use www.opennicproject.org.
    • Unless NSA stands for National Sales and Advertising I'm not sure they are the ones I would worry about. Google does an awful lot of targeted advertising.

  • No one ever expected Google to make the transition from evil to incompetent so quickly. There must be some chairs flying in the boardroom of Microsoft.
    • You're going to have to explain how being behind the most popular
        * Smartphone OS
        * Desktop browser, and
        * Search engine

      Makes one incompetent. Their market share of those things isn't declining, either.

  • Use Retroshare.

    • Mom uses Skype to talk to her friends. Mom asks why I'm not on Skype because she wants to talk to me. Thus I'm running Skype again.

      But that's OK, she doesn't have my retroshare pgp pubkey. Nobody has the precious retroshare pgp pubkey. Trust no-one. My precious.

      --
      .PRECIOUS: theprecious %.gpg

      .PHONY: hobbitses
      hobbitses:
      find $(HOME) -name '*.gpg' -exec sudo tar --remove-files rf /root/pocket.tar {} +
      • but you're supposed to share the precious gpg pubkeys! At one time, Slashdot made it easy for Slashdotters to share the precious pubkeys with a field in the profile for them. You can access them at http://slashdot.org/~username/... [slashdot.org], but apparently they removed the field from the profile, so you can't change it if you revoke the old key and new users can't add theirs.

  • We have a chat system at work, based upon XMPP. In the setup of my account it says 'encryption required'. Does this mean only my chat buddies can see the messages, and my employer cannot read those chats?
    • by omnichad (1198475)

      If this is a serious question, it only means you can't sniff the messages from any network port in promiscuous mode. If work owns the server, then they have access to everything.

    • by Pi1grim (1956208)

      The encryption you are talking about is client-to-server; the encryption the article is talking about is server-to-server. If both are on, the only parties who know about the content of chats are:
      1. You
      2. Whoever you are messaging
      3. The server

      To drop the server from the list, you will need end-to-end encryption. Like OTR or GPG.

  • How is certificate validation done? The server setup documentation mentions no CA repository to be configured, which suggests no validation is done.

    And TLS without certificate validation is vulnerable to easy Man In The Middle attacks. It is barely more secure than plain text communications.
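A small probe for the two questions raised in this thread, whether a server advertises STARTTLS as required on the c2s (5222) or s2s (5269) port and whether its certificate actually validates, added here as an example; it is not the test tool the story links to. The sample reply, the `c0ffee` id and `example.org` are constructed, and the s2s probe assumes the server accepts a stream opened without a `from` attribute.

```python
"""Probe an XMPP server for STARTTLS, <required/>, and certificate validation."""
import socket
import ssl
import xml.etree.ElementTree as ET

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_STREAM = "http://etherx.jabber.org/streams"

# Constructed sample reply from a server that mandates encryption (id made up).
SAMPLE_FEATURES = (
    f"<stream:stream xmlns='jabber:client' xmlns:stream='{NS_STREAM}' "
    "id='c0ffee' from='example.org' version='1.0'>"
    f"<stream:features><starttls xmlns='{NS_TLS}'><required/></starttls>"
    "</stream:features>"
)


def stream_header(domain, ns="jabber:client"):
    """Opening tag; ns is jabber:client (c2s, 5222) or jabber:server (s2s, 5269)."""
    return ("<?xml version='1.0'?>"
            f"<stream:stream to='{domain}' version='1.0' "
            f"xmlns='{ns}' xmlns:stream='{NS_STREAM}'>")


def parse_features(data):
    """Return (starttls_offered, starttls_required) from the server's reply.
    <stream:stream> stays open for the whole session, so only the
    <stream:features> child is cut out and parsed on its own."""
    text = data.decode("utf-8", "replace") if isinstance(data, bytes) else data
    start, end = text.find("<stream:features"), text.find("</stream:features>")
    if start < 0 or end < 0:
        return (False, False)
    fragment = text[start:end + len("</stream:features>")]
    root = ET.fromstring(f"<r xmlns:stream='{NS_STREAM}'>{fragment}</r>")
    starttls = root.find(f".//{{{NS_TLS}}}starttls")
    if starttls is None:
        return (False, False)
    return (True, starttls.find(f"{{{NS_TLS}}}required") is not None)


def _read_until(sock, markers, timeout):
    """Accumulate bytes until a marker appears, the peer closes, or timeout."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while not any(m in buf for m in markers):
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    except socket.timeout:
        pass
    return buf


def check_server(host, domain, port=5222, ns="jabber:client", timeout=10):
    """Negotiate STARTTLS with host and validate its certificate for domain
    against the system CA store, with hostname checking (CERT_REQUIRED)."""
    result = {"starttls": False, "required": False, "tls": None, "error": None}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(stream_header(domain, ns).encode())
        markers = [b"</stream:features>", b"<stream:features/>"]
        result["starttls"], result["required"] = parse_features(
            _read_until(sock, markers, timeout))
        if not result["starttls"]:
            result["error"] = "no <starttls> offered: plaintext only"
            return result
        sock.sendall(f"<starttls xmlns='{NS_TLS}'/>".encode())
        if b"<proceed" not in _read_until(sock, [b"<proceed", b"<failure"], timeout):
            result["error"] = "server refused STARTTLS"
            return result
        # create_default_context() loads the system CAs and sets check_hostname;
        # the stdlib matches dNSName/CN only, not the XMPP-specific SAN types.
        ctx = ssl.create_default_context()
        try:
            with ctx.wrap_socket(sock, server_hostname=domain) as tls:
                result["tls"] = tls.version()
        except ssl.SSLCertVerificationError as e:
            # TLS is on, but the chain or name does not check out: a client that
            # skips this step would accept an interposed certificate just the same.
            result["error"] = f"certificate rejected: {e.verify_message}"
        except ssl.SSLError as e:
            result["error"] = f"TLS handshake failed: {e}"
    return result


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        print("sample:", parse_features(SAMPLE_FEATURES))
    else:
        domain = sys.argv[2] if len(sys.argv) > 2 else sys.argv[1]
        for port, ns in ((5222, "jabber:client"), (5269, "jabber:server")):
            print(port, check_server(sys.argv[1], domain, port, ns))
```

A server that offers `<starttls>` without `<required/>` still accepts plaintext sessions, and a `certificate rejected` result means the encryption is present but unauthenticated, which is the gap the comment above describes.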
