Can you please explain the changes to XMPP and how they are expected to boost instant messaging security in the enterprise?
The Extensible Messaging and Presence Protocol, or XMPP, is an open standard for instant messaging and real-time communications. The core technology behind XMPP was formalized by the IETF in 2003, having been originally created by Jeremie Miller and further developed by the Jabber open source community.
Channel encryption using SSL/TLS has only ever been optional on the Jabber/XMPP network. However, as part of a drive to make XMPP more secure, a large number of instant messaging services that use the XMPP standard have committed to encrypting all client-to-server and server-to-server connections from May 19, 2014, onwards, with many XMPP services no longer accepting unencrypted connections.
The XMPP Standards Foundation (XSF) manages the open standards process of defining new XMPP extensions, and this commitment to encrypted connections is a necessary precondition to offering further security improvements and complete end-to-end encryption. This move also delivers an immediate boost to enterprise instant messaging security as it protects IM conversations from unauthorized surveillance and enables service providers to make backdoor IM surveillance more challenging. It is similar to the growing trend towards delivering the entire contents of a website via HTTPS as a means of improving privacy. Google, for example, is making HTTPS the default for its online applications, and PayPal is already an HTTPS-only website.
Enterprise network administrators who manage in-house IM servers should certainly follow the XSF's lead and encrypt all IM traffic as well as implement strict encryption measures on all other network traffic. Instructions to secure XMPP client and server connections for all the popular XMPP server software are available on the XMPP wiki. The three main steps are:
- Acquiring a server certificate
- Disabling plaintext connections
- Testing the new configuration
Server administrators can also check the security of their XMPP servers using the free IM Observatory service.
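For the testing step, this added example (not from the original article or the XMPP wiki) audits the `<stream:features/>` element a server sends before TLS is negotiated, using the RFC 6120 namespaces. The function name and sample stanzas are constructed for illustration, and treating a missing `<required/>` child as a finding is a conservative policy assumption.

```python
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"


def audit_pre_tls_features(features_xml):
    """Report whether a pre-TLS <stream:features/> still allows plaintext use."""
    # XMPP streams carry no DTDs or comments, so reject them instead of parsing.
    if "<!" in features_xml:
        raise ValueError("DTD, comment or CDATA not expected in stream features")
    root = ET.fromstring(features_xml)
    if root.tag != f"{{{NS_STREAM}}}features":
        raise ValueError("not a stream:features element")
    findings = []
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    if starttls is None:
        findings.append("STARTTLS not offered")
    elif starttls.find(f"{{{NS_TLS}}}required") is None:
        findings.append("STARTTLS offered but not marked required")
    # Any SASL mechanism advertised at this point can be used over cleartext.
    mechs = [m.text for m in root.iter(f"{{{NS_SASL}}}mechanism")]
    if mechs:
        findings.append("SASL offered before TLS: " + ", ".join(mechs))
    return {"plaintext_disabled": not findings, "findings": findings}


def _features(inner):
    # Helper that wraps constructed sample content in a features element.
    return f"<stream:features xmlns:stream='{NS_STREAM}'>{inner}</stream:features>"


# Constructed samples: a hardened server, a STARTTLS-optional one, and one without TLS.
SAMPLE_HARDENED = _features(f"<starttls xmlns='{NS_TLS}'><required/></starttls>")
SAMPLE_OPTIONAL = _features(
    f"<starttls xmlns='{NS_TLS}'/>"
    f"<mechanisms xmlns='{NS_SASL}'><mechanism>PLAIN</mechanism>"
    "<mechanism>SCRAM-SHA-1</mechanism></mechanisms>")
SAMPLE_NO_TLS = _features(
    f"<mechanisms xmlns='{NS_SASL}'><mechanism>PLAIN</mechanism></mechanisms>")

if __name__ == "__main__":
    for name in ("SAMPLE_HARDENED", "SAMPLE_OPTIONAL", "SAMPLE_NO_TLS"):
        print(name, audit_pre_tls_features(globals()[name]))
```

Feed it the features element captured from your own server's client and server-to-server listeners after a configuration change; any finding means unencrypted sessions are still possible.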