Security related FAQ

How can I protect myself from my server?

Whatever level of trust you place in your server operator, you may take additional measures to protect your privacy. For example, reaching your server over Tor or a VPN will protect your geolocation from your server or any observer in between. Additionally, encrypting your messages with OMEMO or PGP will protect the content of your communications from your server, and the server of your recipient.

How can a malicious server impact me?

A malicious server is a big deal, as with other federated networks (like the Fediverse or email). A malicious server can:

  • read your unencrypted messages
  • see the list of your contacts and group chats (and other non-chat groups/communities)
  • read a history of your previously received/sent messages (if archiving is enabled on the server, and usually only for a certain time), and read your new incoming messages
  • prevent you from receiving or sending messages
  • send messages to other servers/users impersonating you

This list may sound scary at first, but this security model is similar in most federated networks. The concept of federated networks is a server is responsible for many users and acts on their behalf from the point of view of other users.

Note that a malicious server does not necessarily mean a malicious server operator. Servers get compromised and that's why we also promote good security practices for the server.

What are other threats I should be aware of?

If your server is not compromised, you should still be aware that:

  • your correspondent's server may be compromised, in which case your unencrypted communications with this correspondent may still be inspected/modified/blocked
  • some public services (like chat rooms) publicize every member's Jabber address ; in this case, you may receive unsolicited messages from other users even after you leave the chatroom (in pseudonymous rooms, other users can only contact you as long as you are in the room)
  • pseudonymous public services will still reveal your Jabber address to their operators and administrators; additionally, chat servers implementing occupant-id (XEP-0421) will associate a unique ID per room to your address, even if you join under a different nickname, so other users may recognize you (but not identify you) ; if you'd like to protect against that, you may create another Jabber/XMPP account to interact with such services.
  • use of vcard avatar images can identify you across multiply pseudonymous group-chats even if using different names in each one
  • most clients publish presence information (online, away status messages) by default, which may be used to correlate different identities of yours (eg. who come online/offline at the same time) or to spy on your schedule ; this can be easily disabled in most Jabber/XMPP clients, so don't hesitate to tell your client developers privacy should be the default!
  • a passive observer on the network may record the network activity between you and your service provider, and try to correlate your network activity with your pseudonymous identity
  • a passive observer on the network may discover you are connecting to a specific service provider by snooping on your DNS requests and/or TLS SNI headers
  • an active attacker on the network can try:
    • a downgrade attack to force less-secure communications with your service provider
    • to impersonate your service provider, with a TLS certificate approved by a well-established Certificate Authority
  • your Jabber/XMPP client may store some information unencrypted on your system, such as your username/password or a history of your messages ; most clients can be configured not to do that

Should I choose a service provider specifically aimed at activists?

If you are taking part in political dissent for social change, you may consider acquiring an account on a self-organized, activist-friendly hosting cooperative. These will usually ignore foreign legal requests to give away your data, but be aware they may still be compelled by their own local authorities to rat on users. Also, you should be aware radical servers promote security of social struggles, but will actively ban fascist sympathisers, crypto-scammers and other users engaged in harmful behavior for our communities. Script kiddies of the world, please run your own servers, you may learn a thing or two.

When using a non-profit service provider who does not take extra measures to protect their users' privacy, please keep in mind they are usually run by small communities, who may choose to collaborate with law enforcement agencies as they may not have the resources to fight in court and provision new servers in case of hardware seizure.

Finally, there may be advantages to having an account on a popular server. Depending on your threat model, an account on a big, popular server may help hide your metadata in the masses of connections to/from that server.

Security audits

Most of the Jabber/XMPP ecosystem has not been audited for security. Conversation's encrypted OMEMO chats were audited in 2016. On the server side, prosody and ejabberd don't have a public security audit available, but have very little vulnerabilities (apart from DOS vectors) found over the years (ejabberd, prosody).

If a security audit is important to you, feel free to provide or finance security audits for parts of the ecosystem. Notably, some prosody server developers have expressed the desire to be audited. If a comprehensive security audit is a requirement to you, and you don't have skills/resources to contribute that, please consider using alternatives to the Jabber/XMPP ecosystem such as Signal (last audit in 2017), Briar (last audit in 2017) or Threema (last audit 2020).

Who develops Jabber/XMPP? Will it be blocked in my country?

The XMPP/Jabber ecosystem is developed and run by a global network of volunteers and small organizations, although there are also big multinationals and governments relying on it. As of writing this, most of the free XMPP ecosystem volunteers reside in central Europe, but there are contributors from all over the world. While it is highly unlikely that a government would block the whole XMPP protocol (which is used for many things), it is entirely possible that they block specific servers, or block client connections to foreign servers, as is the case with many services going through China's Great Firewall for instance.

However, even though it is unlikely that Jabber/XMPP is blocked by your government, it is entirely possible that they monitor and record your connections, which is information that may be used against you.

In the most extreme cases, it is possible for a network operator (or government order) to block the Jabber/XMPP network entirely. In this case, using censorship-circumvention mechanisms like Tor can help you stay in touch. However, please be aware that circumventing government censorship may be a criminal offense where you reside, and you may end up having trouble with your local authorities if they find out.