
How do XMPP standard changes help secure instant messaging?

Updates to the XMPP standard are changing the state of security for instant messaging. Michael Cobb explains what this means to enterprise IM security.

Can you please explain the changes to XMPP and how they are expected to boost instant messaging security in the enterprise?

The Extensible Messaging and Presence Protocol (XMPP) is an open standard for instant messaging, presence and other real-time communications. It began life in 1999 as Jabber, created by Jeremie Miller and developed further by the Jabber open source community; the IETF standardised the core protocol as RFCs 3920 and 3921 in 2004, since revised as RFCs 6120 and 6121.

Channel encryption with TLS, negotiated in-band via STARTTLS on the existing connection, has only ever been optional on the Jabber/XMPP network: a client or peer server that did not negotiate it simply talked in the clear. As part of a drive to make XMPP more secure, a large number of XMPP service operators signed a public statement committing to encrypt all client-to-server (c2s) and server-to-server (s2s) connections from May 19, 2014 onward, and many of those services no longer accept unencrypted connections at all.

The XMPP Standards Foundation (XSF) manages the open process for defining XMPP extensions (XEPs), and encrypted connections are a necessary precondition for the further improvements on its roadmap, up to and including end-to-end encryption. The move also delivers an immediate boost to enterprise IM security: TLS on every hop protects conversations in transit from passive interception and raises the cost of large-scale surveillance. Note the limit of what it buys you, though: channel encryption protects the link between client and server and between servers, so the operators of those servers can still read messages; hiding content from them requires end-to-end encryption on top. The shift is similar to the trend towards serving entire websites over HTTPS to improve privacy: Google, for example, is making HTTPS the default for its online applications, and PayPal is already an HTTPS-only site.

Enterprise network administrators who run in-house IM servers should follow the XMPP community's lead and encrypt all IM traffic, along with enforcing encryption on other network traffic wherever possible. Instructions for securing client and server connections on all of the popular XMPP server software are on the XMPP wiki. The three main steps are:

  1. Acquiring a server certificate whose name matches the XMPP domain (not merely the host name) and that is issued by a CA your clients and peer servers trust
  2. Disabling plaintext connections for both client-to-server (port 5222) and server-to-server (port 5269) streams, so that STARTTLS is required rather than merely offered
  3. Testing the new configuration from outside the network with a client, a peer server and a raw connection that skips STARTTLS, confirming that the last of these can no longer proceed to authentication
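As an added example (not code from the article, the XMPP wiki or any XMPP project), the following Python script performs step 3 from the outside. It speaks the opening of the XMPP client-to-server handshake from RFC 6120, reads the server's `<stream:features>`, reports whether STARTTLS is absent, offered or required, flags a PLAIN SASL mechanism advertised before TLS, then sends `<starttls/>` and upgrades the socket, validating the certificate against the system trust store. The three `<stream:features>` stanzas in `SAMPLE_FEATURES` are constructed for the example so that the classifier runs offline; the hostname given on the command line is an assumption (use a server you administer).

```python
"""Does an XMPP server enforce STARTTLS?  Added example, not from the article.

c2s handshake (RFC 6120 section 5), as exercised by probe():
  client -> <stream:stream to="example.com" version="1.0" ...>
  server -> <stream:stream ...><stream:features><starttls ...><required/></starttls>...
  client -> <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
  server -> <proceed .../>          then both sides start TLS on the same socket
"""
import socket
import ssl
import xml.etree.ElementTree as ET

STREAMS_NS = "http://etherx.jabber.org/streams"
CLIENT_NS = "jabber:client"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed sample stanzas for offline use (not captures from any real server).
SAMPLE_FEATURES = {
    "hardened": f'<stream:features><starttls xmlns="{TLS_NS}"><required/></starttls></stream:features>',
    "lax": (f'<stream:features><starttls xmlns="{TLS_NS}"/>'
            f'<mechanisms xmlns="{SASL_NS}"><mechanism>PLAIN</mechanism>'
            f'<mechanism>SCRAM-SHA-1</mechanism></mechanisms></stream:features>'),
    "legacy": (f'<stream:features><mechanisms xmlns="{SASL_NS}">'
               f'<mechanism>PLAIN</mechanism></mechanisms></stream:features>'),
}


def inspect_features(features_xml: str) -> dict:
    """Parse a <stream:features> stanza.  The stream: prefix is declared on the
    enclosing <stream:stream>, which a bare stanza lacks, so re-wrap it first."""
    wrapped = (f'<stream:stream xmlns="{CLIENT_NS}" xmlns:stream="{STREAMS_NS}">'
               f"{features_xml}</stream:stream>")
    feats = ET.fromstring(wrapped).find(f"{{{STREAMS_NS}}}features")
    if feats is None:
        raise ValueError("no <stream:features> element found")
    starttls = feats.find(f"{{{TLS_NS}}}starttls")
    required = starttls is not None and starttls.find(f"{{{TLS_NS}}}required") is not None
    mechanisms = [m.text.strip() for m in feats.iter(f"{{{SASL_NS}}}mechanism") if m.text]
    return {
        "starttls": starttls is not None,
        "required": required,
        # SASL mechanisms offered before TLS is up: PLAIN here means a client
        # that skips STARTTLS would send its password in the clear.
        "mechanisms_before_tls": mechanisms,
        "cleartext_password_risk": (not required) and "PLAIN" in mechanisms,
    }


def verdict(info: dict) -> str:
    """One-word assessment of the parsed features."""
    if not info["starttls"]:
        return "plaintext-only"   # the server never offers encryption
    if not info["required"]:
        return "optional"         # offered, but a client may skip it
    return "required"


def _recv_until(sock: socket.socket, marker: bytes, limit: int = 65536) -> bytes:
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host: str, port: int = 5222, domain: str = "", timeout: float = 5.0) -> dict:
    """Live check: open a c2s stream, classify the features, then try STARTTLS."""
    domain = domain or host   # the certificate must match the XMPP domain, not the host
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        sock.sendall((f'<?xml version="1.0"?><stream:stream to="{domain}" version="1.0" '
                      f'xmlns="{CLIENT_NS}" xmlns:stream="{STREAMS_NS}">').encode())
        raw = _recv_until(sock, b"</stream:features>").decode(errors="replace")
        start, end = raw.find("<stream:features"), raw.find("</stream:features>")
        if start < 0 or end < 0:
            return {"verdict": "no-features", "raw": raw}
        info = inspect_features(raw[start:end + len("</stream:features>")])
        result = {"verdict": verdict(info), **info}
        if not info["starttls"]:
            return result
        sock.sendall(f'<starttls xmlns="{TLS_NS}"/>'.encode())
        if b"<proceed" not in _recv_until(sock, b"/>"):
            result["tls_error"] = "server did not answer <proceed/>"
            return result
        ctx = ssl.create_default_context()   # verifies the chain and the hostname
        try:
            with ctx.wrap_socket(sock, server_hostname=domain) as tls:
                result["tls_version"] = tls.version()
                result["cipher"] = tls.cipher()[0]
                result["cert_subject"] = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
        except ssl.SSLCertVerificationError as exc:
            result["tls_error"] = f"certificate rejected: {exc.verify_message}"
        return result
    finally:
        sock.close()


if __name__ == "__main__":
    import sys
    for name, stanza in SAMPLE_FEATURES.items():
        print(f"{name:9s} -> {verdict(inspect_features(stanza))}")
    if len(sys.argv) > 1:   # e.g. python xmpp_tls_check.py xmpp.example.com (assumed host)
        print(probe(sys.argv[1]))
```

Run it against your own server after step 2 and expect `required`; `optional` means STARTTLS is offered but plaintext is still accepted, and a `tls_error` with "certificate rejected" means step 1 is incomplete (self-signed or mismatched name), which peer servers doing proper validation will reject too.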

Server administrators can also check the security of their XMPP servers with the free IM Observatory service (xmpp.net), which connects to a domain's c2s and s2s endpoints and grades their certificate and TLS configuration.


This was last published in December 2014


Is your organization following the new XMPP standards?
We are following the new XMPP standards due to their many underlying benefits. XMPP is an open protocol and employs an open arrangement approach to development and application. Everyone can enforce an XMPP service and interoperate with other organizations' implementations. At the same time, since it is an open protocol, it's possible to develop implementations using any software license, and I have a choice to control access to my data and services.