With the abundance of IM (Instant Messaging) services available on the Internet, it's easy to start using a service because you already have an account. For example, MSN, Yahoo!, and AOL all have chat protocols that you can use to talk to your coworkers, friends, and family. However, in their default configurations, chat communications are not secure because:
- They do not use encryption - Most protocols, by default, do not encrypt the username and password, nor do they encrypt the data in transit. This means that anyone with a network sniffer, especially on a wireless network, can intercept your logon credentials and chat communications.
- There is no identity assurance - Who is to say that you are really talking to your friend "Bob" via instant messaging? How do you know if the latest request to add a user to your contacts list is really from that user? I always ask for additional authentication when adding users to my contact list, such as a PGP-signed email, because the protocols do not include anything of this nature by default.
- Your data goes through third-party servers - When you use online chat services, your information, such as all of your chat communications, goes through several servers located on the Internet. If one of these servers were to become compromised in any way, your chat communications could become public.
OSHEAN members' technical and security folks are all welcome to use the OSHEAN Jabber server. We verify each registration and solve the problems above by using Jabber:
- Jabber is encrypted - All Jabber communications are encrypted from the client to the server hosted at OSHEAN.
- User verification - OSHEAN staff verifies each user added to the Jabber server.
- Your data never leaves the OSHEAN network - By using a local Jabber server, your chat communications never go through third-party servers when chatting with OSHEAN members who have accounts on our server.

To get an OSHEAN Jabber account, please email tech /at/ oshean.org.

In addition to using Jabber as your communications protocol, we recommend that you also use OTR (Off-The-Record), which will encrypt your chat sessions using public/private key encryption technology. This further protects you from data snooping, and provides assurance that you are really talking to "Bob".

The Internet2 Presence and Integrated Communications (PIC) Working Group promotes Jabber for many of these very same reasons and is using it to promote communications. You can sign up for a demo of what the PIC group has been working on, which uses the Jabber technology.