We are "patient" zero, so we hardened ourselves!

May 26, 2017 - 2 minute read - Story

Security Promotion - Mandatory TLS Connection for XMPP

RFC 7590, “Use of Transport Layer Security (TLS) in the Extensible Messaging and Presence Protocol (XMPP)”, recommends TLS for XMPP connections, but does not make it mandatory. Despite the consensus reached by the XMPP communities in 2014 to switch XMPP to mandatory encryption, some XMPP service providers still support non-encrypted connections as a fallback alongside TLS.

This is likely to lead to security risks. For example, in some cases a client will automatically try to connect to the server without any encryption when it fails to enable TLS. The user is usually not notified, or may not even know what TLS is. From then on, all messages are delivered in cleartext over the network.
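The fallback described above is visible in the stream features a server sends before any TLS negotiation. The following is an added example, not code from this post or from xmpp.jp: the function names are hypothetical, the sample responses are constructed, and `fetch_features` assumes the server listens on the standard client port 5222 at the given host (no SRV lookup).

```python
import socket
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

NS = {"stream": "http://etherx.jabber.org/streams",
      "tls": "urn:ietf:params:xml:ns:xmpp-tls",
      "sasl": "urn:ietf:params:xml:ns:xmpp-sasl"}
END = "</stream:features>"

def classify_features(raw: str) -> dict:
    """Classify the stream features a server sends before any TLS negotiation."""
    start, end = raw.find("<stream:features"), raw.find(END)
    if start < 0 or end < start:
        raise ValueError("no complete <stream:features> element")
    fragment = raw[start:end + len(END)]
    if "<!" in fragment:  # XMPP streams must not carry DTDs, entities or comments
        raise ValueError("restricted XML in stream features")
    feats = ET.fromstring(f"<w xmlns:stream={quoteattr(NS['stream'])}>{fragment}</w>")[0]
    starttls = feats.find("tls:starttls", NS)
    mechs = [m.text for m in feats.findall("sasl:mechanisms/sasl:mechanism", NS)]
    if starttls is None:
        policy = "no-tls"
    elif starttls.find("tls:required", NS) is not None or len(feats) == 1:
        # RFC 6120: <required/>, or STARTTLS as the only feature, means mandatory
        policy = "tls-required"
    else:
        policy = "tls-optional"  # the cleartext fallback described in the post
    return {"policy": policy, "pre_tls_sasl": mechs}

def fetch_features(domain: str, host: str = None, port: int = 5222) -> str:
    """Open a client stream to a server you operate and return its first features."""
    header = (f"<?xml version='1.0'?><stream:stream to={quoteattr(domain)} version='1.0' "
              f"xmlns='jabber:client' xmlns:stream={quoteattr(NS['stream'])}>")
    with socket.create_connection((host or domain, port), timeout=10) as sock:
        sock.sendall(header.encode())
        data = b""
        while END.encode() not in data and len(data) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.decode("utf-8", "replace")

# Constructed sample responses (not captured from any real server)
OPTIONAL = ("<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
            "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
            "<mechanism>PLAIN</mechanism></mechanisms></stream:features>")
MANDATORY = ("<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>"
             "<required/></starttls></stream:features>")
```

A `tls-optional` result with a non-empty `pre_tls_sasl` list means a client that fails to start TLS can still log in over the unencrypted stream.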

xmpp.jp once handled connections this way. Early this year we contacted their administrator to request a switch to mandatory TLS. We got a reply on 16 Mar 2017; they promised to change the settings at the next maintenance.

On 29th Apr, we found there was a service outage due to maintenance, but the server still allowed non-TLS login and communication after the service came back. We contacted them again by email and got a response immediately, in which they explained that the switch would happen in one week, as planned.

On 08 May 2017, we experienced another round of service downtime. We then found that xmpp.jp had already switched to mandatory TLS connections, which was confirmed by testing with Psi+. At the same time, the administrator sent us a message: “done.”, and we replied to show our thanks.

With that, the task was finished. It was a really smooth and pleasant communication, although the whole process took a little long.

We will engage in more promotion actions in the future to keep improving the security of free-software-related services, by finding potential weaknesses and then trying to get in contact with service providers.