20 May 2014

Encryption Now Mandatory for XMPP-Based Services

Over 70 XMPP-based service operators and software developers have permanently upgraded to encrypted connections to secure users’ communications and prevent traffic sniffing, according to Prosody, an XMPP communications server.

The Extensible Messaging and Presence Protocol, known as XMPP, is a set of open technologies used in instant messaging, multi-party chat, voice and video calls and generalized routing of XML data.

The XMPP Standard Foundation (XSF) encourages operators to encrypt all XMPP connections, both client-to-server and server-to-server. To do so, operators need to get a server certificate, disable plain-text connections between servers and from clients, and test their XMPP security.
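A small offline check for the "test their XMPP security" step, added here as an example and not taken from Prosody or the XSF: it classifies the stream features a server sends before TLS, using the RFC 6120 rule that STARTTLS is mandatory when it carries `<required/>` or is the only feature advertised. The sample stanzas and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

def _wrap(inner):
    # Constructed sample stanzas: what a server sends right after the stream header.
    return f"<stream:features xmlns:stream='{NS_STREAM}'>{inner}</stream:features>"

STARTTLS = f"<starttls xmlns='{NS_TLS}'/>"
STARTTLS_REQ = f"<starttls xmlns='{NS_TLS}'><required/></starttls>"
SASL = (f"<mechanisms xmlns='{NS_SASL}'><mechanism>PLAIN</mechanism>"
        "<mechanism>SCRAM-SHA-1</mechanism></mechanisms>")

SAMPLES = {
    "enforcing": _wrap(STARTTLS_REQ),
    "tls-only": _wrap(STARTTLS),
    "permissive": _wrap(STARTTLS + SASL),
    "plaintext-only": _wrap(SASL),
}

def tls_policy(features_xml):
    """Classify pre-TLS stream features as 'required', 'optional' or 'absent'."""
    root = ET.fromstring(features_xml)
    if root.tag != f"{{{NS_STREAM}}}features":
        raise ValueError("expected a <stream:features/> element")
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    if starttls is None:
        return "absent"
    # RFC 6120: mandatory if <required/> is present or STARTTLS is the only feature.
    if starttls.find(f"{{{NS_TLS}}}required") is not None or len(root) == 1:
        return "required"
    return "optional"

def cleartext_mechanisms(features_xml):
    """SASL mechanisms offered before TLS, i.e. usable over a plain-text stream."""
    root = ET.fromstring(features_xml)
    return [m.text for m in root.iter(f"{{{NS_SASL}}}mechanism")]

def audit(samples):
    return {name: (tls_policy(x), cleartext_mechanisms(x)) for name, x in samples.items()}

if __name__ == "__main__":
    for name, (policy, mechs) in audit(SAMPLES).items():
        verdict = "OK" if policy == "required" and not mechs else "FAIL"
        print(f"{name:15} starttls={policy:9} pre-TLS SASL={mechs} -> {verdict}")
```

A server that has disabled plain-text connections should land in the first two cases: STARTTLS required and no SASL mechanisms offered until the stream is encrypted.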

The decision cannot be enforced across the entire network, as XMPP services are independently operated. “While XMPP is an open distributed network, obviously no single entity can ‘mandate’ encryption for the whole network – but as a group we are moving in the right direction,” Prosody writes.

The XSF also plans to adopt other security improvements, including ubiquitous authentication, secure DNS, and end-to-end encryption.

XMPP-based software is deployed widely across the Internet and, by 2003, was used by over 10 million people worldwide, according to the XMPP Standard Foundation.