Mandatory Encryption on XMPP Will Not Work

Why do I know this, and why do you trust me?

I have been down this road. I lead the security design for the IM solution that my previous employer worked up. Before I looked at the code, they were already slated to ship on an impossible timeline. Once I required the encryption methods to change, everyone went crazy because it was the week before shipping. The encryption was being done the wrong way. The way that is specified in the XMPP Specification; “STARTTLS.

How do we do it correctly then?

Now that is a good question to ask. Ideally, you stay far, far, far away from STARTTLS. Again its not the best design and its easy to get crypto stripped off and the work-around to protect against it is annoying at best. So the ideal way is to actually do something very simple, use a SSL/TLS tunnel to start with and write your client to actually enforce the proper TLS certificate. Much in the way that Google has Chrome enforce their certificate. That would really only leave to types of people to be able to crack the stream, those that never changed their Private Keys after Heartbleed and those that work for the US Government.

--

--

Jack of All Trades. Master of NULL.

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Charles Timko

Charles Timko

Jack of All Trades. Master of NULL.