XMPP Instant Messaging Security: Present and Future
Increasingly, many people are using solutions based on the XMPP protocol (Jabber) for instant messaging, in varying degrees, abandoning ICQ. This approach, of course, is correct due to the openness of Jabber - everyone can choose which server to use for him or even organize the work of his own. Also, XMPP has proven itself in the corporate environment and many companies have been successfully using Jabber for several years along with e-mail to exchange information.
It is generally accepted that communication solutions based on the Jabber protocol are the least vulnerable in terms of information security. In this article I will try to analyze whether this is actually so and what real prospects XMPP has in this direction. The issue will be considered in the context of using the protocol for messaging both for personal purposes on public and private services, and in corporate settings.
Jabber for personal communication
For personal communication, Jabber began to be used massively relatively recently, which causes the actual absence of commercial spam (or spim in the terminology of the XMPP Standards Foundation). I specifically focused on the absence of commercial spam, because at the moment there are single mailings on large jabber-servers, which are organized using Python scripts by “schoolchildren” just for fun and are not aimed at promoting any goods and services. In the near future, commercial spam may appear in Jabber, but it should not receive mass development like in ICQ. The premise of this is well written in this post.
XMPP is an open and extensible protocol that does not limit developers in writing all kinds of shapers and filters. So on qip.ru jabber-server URL- and JID-filters function successfully, and on jabber.ru you can enable muc-filter in your conference using a third-party service (bot). In addition, Jabber has the ability to activate privacy lists, allowing the user to regulate the receipt of messages from contacts, including not from the roster.
It should be noted that XEP-0159 exists and is developing that describes methods for blocking spam messages.
At the moment, the problem of flood attacks in Jabber is still relevant. At the same time, such attacks on a specific user JID are difficult, firstly because of shapers that limit the amount of transmitted information per unit time on the server side, and secondly, due to the possibility of using privacy lists.
Attacks at a jabber conference are gradually becoming a thing of the past - you can fight them by enabling captcha protection in the room settings (if the server supports this functionality). However, there is a flip side of the coin - with multiple captcha requests, there may be a denial of service of the captcha generation service itself (which will make it impossible to log into all the chats on the attacked server that are protected in this way), and the nodes as a whole.
One of the most popular Ejabberd jabber-servers “out of the box” stores passwords in the clear, but when using ODBC it is possible to store passwords in the form of an md5 hash (using this patch, for example).
Malicious software that compromises user passwords from JID is very small. Typically, these are modifications of various open source clients that are distributed via mailing lists in popular jabber conferences. Recently, a malicious modification of the popular mobile jabber client Bombus was discovered, which sends the entered JID and password to a specific e-mail (Trojan-PSW.J2ME.Bomzuz.a in the classification of Kaspersky Lab). In this case, users can only be advised to beware of such modifications and download client programs only from official / trusted resources.
Almost all currently existing jabber-servers are in no way protected from brute force attacks, which are not yet massively observed, but in principle are possible. This situation is fixable - temporary blocking will help to solve the problem, limiting the number of password attempts.
Almost all large servers have the ability to establish secure connections using ssl / tls encryption, which eliminates the possibility of intercepting passwords and correspondence. Encryption is also easy to set up on your own server.
Some time ago, in ICQ it was also possible to enable secure data transfer, but after the purchase of this service by Mail.Ru Group holding this function stopped working. This is due to the fact that AOL did not sell the implementation of this feature.
Some client programs allow using a special plugin to additionally encrypt the transmitted information using GPG and OTR. At the same time, it is necessary that such a plugin be installed for both interlocutors.
Jabber as a communication tool in a corporate environment
When using Jabber in an enterprise environment, various services with unlimited external access (jabber conferences, transports, vcard search service - vjud) pose a potential threat.
Jabber-conferences, of course, a very convenient means of communication. However, quite often, administrators of corporate xmpp servers forget to block access to conferences on s2s (that is, to users of other servers) and important corporate information may appear in the public domain. Also, attackers can organize a flood attack of conferences on an insecure service, which subsequently can lead to a denial of service for the xmpp server as a whole.
Transports open to users of all servers can help attackers hide their real IP (for example, if a third-party user logs in to an IRC transport, he will log into IRC chats from the IP that has the enterprise jabber server). In the case of other vehicles (ICQ, MRA, etc.), third-party users can create an extra load, thereby reducing the fault tolerance of the service.
The greatest danger is open for public access search services for data from a business card (vjud). Very often the jabber server takes data for vcard from internal sources (when using LDAP, for example) and as a result, vcard may contain closed information about the employee (personal and business e-mails, phone numbers, department name and even home address). Attackers can organize an automated search through vjud for popular names and surnames, thereby obtaining data intended for official use).
Administrators of corporate jabber-servers need to closely monitor the launched modules and disable or block access to unused services.
Administrators of both corporate and private servers need to be more attentive to the policy of registering new users. In the case of a corporate server, open registration must be prohibited altogether, since the employee’s account must be set up by the administrator at the time he is accepted for work along with other internal accounts. In the case of a private server, it is advisable to either limit the registration of new accounts (for example, using captcha), or disable this feature.
Summary
Despite the growing popularity of the Jabber protocol, threats are still non-profit. However, in the near future it is possible to activate commercial spam messages, as well as messages containing malicious links. However, due to its extensibility, the protocol allows it to effectively counter such threats and minimize the likelihood of end-users getting inappropriate content.
Jabber as a corporate communications tool is fairly safe and reliable, but server administrators should carefully monitor the level of access to services.
It is generally accepted that communication solutions based on the Jabber protocol are the least vulnerable in terms of information security. In this article I will try to analyze whether this is actually so and what real prospects XMPP has in this direction. The issue will be considered in the context of using the protocol for messaging both for personal purposes on public and private services, and in corporate settings.
Jabber for personal communication
Unsolicited Messages
For personal communication, Jabber began to be used massively relatively recently, which causes the actual absence of commercial spam (or spim in the terminology of the XMPP Standards Foundation). I specifically focused on the absence of commercial spam, because at the moment there are single mailings on large jabber-servers, which are organized using Python scripts by “schoolchildren” just for fun and are not aimed at promoting any goods and services. In the near future, commercial spam may appear in Jabber, but it should not receive mass development like in ICQ. The premise of this is well written in this post.
XMPP is an open and extensible protocol that does not limit developers in writing all kinds of shapers and filters. So on qip.ru jabber-server URL- and JID-filters function successfully, and on jabber.ru you can enable muc-filter in your conference using a third-party service (bot). In addition, Jabber has the ability to activate privacy lists, allowing the user to regulate the receipt of messages from contacts, including not from the roster.
It should be noted that XEP-0159 exists and is developing that describes methods for blocking spam messages.
Flood attacks aimed at user or conference JIDs
At the moment, the problem of flood attacks in Jabber is still relevant. At the same time, such attacks on a specific user JID are difficult, firstly because of shapers that limit the amount of transmitted information per unit time on the server side, and secondly, due to the possibility of using privacy lists.
Attacks at a jabber conference are gradually becoming a thing of the past - you can fight them by enabling captcha protection in the room settings (if the server supports this functionality). However, there is a flip side of the coin - with multiple captcha requests, there may be a denial of service of the captcha generation service itself (which will make it impossible to log into all the chats on the attacked server that are protected in this way), and the nodes as a whole.
Password Security
One of the most popular Ejabberd jabber-servers “out of the box” stores passwords in the clear, but when using ODBC it is possible to store passwords in the form of an md5 hash (using this patch, for example).
Malicious software that compromises user passwords from JID is very small. Typically, these are modifications of various open source clients that are distributed via mailing lists in popular jabber conferences. Recently, a malicious modification of the popular mobile jabber client Bombus was discovered, which sends the entered JID and password to a specific e-mail (Trojan-PSW.J2ME.Bomzuz.a in the classification of Kaspersky Lab). In this case, users can only be advised to beware of such modifications and download client programs only from official / trusted resources.
Almost all currently existing jabber-servers are in no way protected from brute force attacks, which are not yet massively observed, but in principle are possible. This situation is fixable - temporary blocking will help to solve the problem, limiting the number of password attempts.
Data Protection
Almost all large servers have the ability to establish secure connections using ssl / tls encryption, which eliminates the possibility of intercepting passwords and correspondence. Encryption is also easy to set up on your own server.
Some time ago, in ICQ it was also possible to enable secure data transfer, but after the purchase of this service by Mail.Ru Group holding this function stopped working. This is due to the fact that AOL did not sell the implementation of this feature.
Some client programs allow using a special plugin to additionally encrypt the transmitted information using GPG and OTR. At the same time, it is necessary that such a plugin be installed for both interlocutors.
Jabber as a communication tool in a corporate environment
When using Jabber in an enterprise environment, various services with unlimited external access (jabber conferences, transports, vcard search service - vjud) pose a potential threat.
Jabber-conferences, of course, a very convenient means of communication. However, quite often, administrators of corporate xmpp servers forget to block access to conferences on s2s (that is, to users of other servers) and important corporate information may appear in the public domain. Also, attackers can organize a flood attack of conferences on an insecure service, which subsequently can lead to a denial of service for the xmpp server as a whole.
Transports open to users of all servers can help attackers hide their real IP (for example, if a third-party user logs in to an IRC transport, he will log into IRC chats from the IP that has the enterprise jabber server). In the case of other vehicles (ICQ, MRA, etc.), third-party users can create an extra load, thereby reducing the fault tolerance of the service.
The greatest danger is open for public access search services for data from a business card (vjud). Very often the jabber server takes data for vcard from internal sources (when using LDAP, for example) and as a result, vcard may contain closed information about the employee (personal and business e-mails, phone numbers, department name and even home address). Attackers can organize an automated search through vjud for popular names and surnames, thereby obtaining data intended for official use).
Administrators of corporate jabber-servers need to closely monitor the launched modules and disable or block access to unused services.
Administrators of both corporate and private servers need to be more attentive to the policy of registering new users. In the case of a corporate server, open registration must be prohibited altogether, since the employee’s account must be set up by the administrator at the time he is accepted for work along with other internal accounts. In the case of a private server, it is advisable to either limit the registration of new accounts (for example, using captcha), or disable this feature.
Summary
Despite the growing popularity of the Jabber protocol, threats are still non-profit. However, in the near future it is possible to activate commercial spam messages, as well as messages containing malicious links. However, due to its extensibility, the protocol allows it to effectively counter such threats and minimize the likelihood of end-users getting inappropriate content.
Jabber as a corporate communications tool is fairly safe and reliable, but server administrators should carefully monitor the level of access to services.