Slashdot Mirror
Good Open Source, Multi-Platform, Secure IM Client?
Phil O. writes "I work for a company with 30+ locations across North America. Some offices have hundreds of employees; some only a dozen. We're looking for a secure, multi-platform IM client we could implement across the organization. One group is pushing for Microsoft's solution, but it has a number of drawbacks (including cost). What other options are out there, and what has worked well in similar situations? Security is a big concern for the company."
Jabber server, pidgin clients, and http://pidgin-encrypt.sourceforge.net/ for security. Really it's a shame this even made it to slashdot. Can't anyone google anymore?
http://www.pidgin.im/
http://en.wikipedia.org/wiki/Pidgin
http://www.cypherpunks.ca/otr/
I'm betting www.jabber.org will be echoed over and over in the responses. Considering Google uses it to power Gtalk I say its scalable.
So how about Pidgin with the OTR plugin? afaik you can't get more secure than OTR with IM, and it's available for a few different clients.
We use the Openfire server (www.igniterealtime.org) with the Spark client over several offices in different states and over 3 different platforms. SSL is available as well (which we use).
So far no problems beyond user error. I'd recommend it.
I would go about your problem by first separating the client from the actual protocol. If you are worried about cross platform I would of course go with an XMPP solution. You can do the following:
- Run an OpenFire server Here
- Pick from a slew of XMPP clients but I would problem pick the Spark IM Client (Same people as the OpenFire software)
This way you don't have to worry about Client A working with Protocol B across Windows/Linux/Mac.
Using XMPP is also an easy way to control your IM facilities as you can create an organizational system for creating names such as using email addresses as screen names and not have to worry about Bob from Accounting using PiMpMaSta23.
I would evaluate OpenFire and the Spark IM client and see if it fits. The server is very easy to set up and administer. You can also use Pidgin or Psi as XMPP clients although I think Spark is the most professional looking of the three.
Turn based strategy game that runs over XMPP. Phalanx
Everybody is saying "Pidgin", but a client won't do you any good without a server to connect to, and if you really care about being secure, you shouldn't trust any third-party server that is publicly accessible.
You should probably set up your own Jabber server; I recommend Openfire, which is open source, easy to install, and pretty powerful. It is possible to mandate that all clients must use encryption to connect, which will do a pretty good job of keeping things secure, and you can use any XMPP client that supports encryption. If you don't want even the server to be able to read your messages, as others have suggested, installing an OTR plugin for your client is the way to go.
Karma: Terrifying (mostly affected by atrocities you've committed)
Pidgin is portable, under active development, works for multiple IM protocols, sports a healthy collection of plug-ins that augment its functionality -- include OTR to provide relatively secure messaging services. It's not perfect by any means, but I've deployed it across a 150-person organization and found that it more than met their needs. So if you're going to spend money -- not that you need to -- one possible course of action is to try pidgin, identify any issues that are causing you problems, and negotiate a deal with the developers: make a contribution to fund the development, which in turn not only benefits you but the entire rest of the user community.
Jabber is actually a pretty easy set up. You can grab a ejabberd or OpenFire and set your domain up around it. Encryption and retention is also pretty easy to set up. It seems to make the most sense if this is about in house communication on a company level as one can easily make JIDs mirror email addresses.
Turn based strategy game that runs over XMPP. Phalanx
Skype? Since when is Skype secure man?! Have you read Slashdot?
Novell GroupWise Instant Messenger is secure by default. It has its own client or you can use Pidgin. The server is not hard to set up and get running either. (Disclaimer, I work for Novell.)
You can setup the thing completely in-house (you don't have to trust a contractor), or you can opt for a canned solution (for example Jabber, Inc., http://www.jabber.com/, they do provide everything for big and small companies, and are backed by Cisco). It uses SSL/TLS for secure connections both between clients and servers (C2S) and between separate servers (S2S), with full support for certificate authenticity checking, and even PGP/GPG encryption between the users, should they need to exchange really confifental data that even a rogue company server admin shouldn't be able to intercept (message encryption, pretty rare among proprietary protocols, but happens), or be sure that joe.the.boss@company.com is really Joe, their Boss, and not someone who just happend to "borrow" their laptop at the airport (signed presence, something, AFAIK, no other protocol provides). There are XMPP servers and clients for almost every platform possible, open-source or commercial, the protocol is open and approved by IETF for IM-style communication.
I won't give you any specific names, but I believe it wouldn't be very difficult to find a few *very* big companies using XMPP to prove to your boss that it's being used like this by big players in the industry.
And, frankly, that's the only open solution to your problem.
This is Slashdot. Common sense is futile. You will be modded down.
We use sametime at my office and it's just like any other IM client I've used. Two points of note - it offers encrypted chats, and the collaboration tools (screensharing, etc.) work better than Microsoft's Messenger products. I don't doubt, however, that OSS can compete with this - I'd only go ST if you're already using Lotus Notes.
We use sametime at my company, and it's piece of shit. When it works, it works. Often when someone types something in a chat and I click the minimized sametime window to reply, try to write something in the message box, and sametime freezes. Lots of hdd access of no apparent reason. We experience the same on all our machines (2GB RAM). Don't get me started on Notes 8...
I would recommend the open source OpenFire server. Install it on your own server, then set the preferences to force SSL connections. Then communicates passed between clients on any platform are SSL encrypted. Turn off local client logging for better security. Beyond that, it's all client-side stuff that doesn't port as well.
Nicodemus
I have yet to see a reliable working UnrealIRCd server hack.
As long as they didn't use mIRC and kept their IRC network completely internal (kinda tough to do without some VPN connecting to the other 30+ locations plus password entry into channel (or an allow list) they shouldn't have too much of an issue.
And of course IRC does have SSL connection capability.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
I have been a fan of the Spark Client and Openfire Server as an IM platform for quite sometime. They are built on the XMPP and Jabber protocols. After being in a corporate environment before, I know it's hard to convince management to go with an OSS solution as they seem to think that if it doesn't have a price tag, it's not secure. The Spark/Openfire platform come in an 'Enterprise' flavor with support to appease management as well. Both the client and server are built on a plug-in style architecture, so it's pretty easy to include your own software add-ins. There are really too many features for me to really go into though.
Gale -- http://www.gale.org/
It's secure, easy to set up (including both client and server), and there are multiple clients for it, including both command-line and GUIs, and for both Linux and Windows.
All messages are cryptographically signed (unless the user chooses to send anonymously), and messages can be either plain-text or encrypted, depending on who they're being sent to.
Pidgin's a great client for personal use. I use it and like it a lot.
Sure, they can set up a Jabber server of their own, then connect to it with Pidgin and use one of the encryption plugins for security but I doubt an organization that is concerned about secure IM is going to be interested in a solution with so much possibility for the users to start adding their own personal, outside, public IM accounts.
I would say Jabber server with any jabber only client which supports encryption and can have it's config locked down. Of course, they can block access to outside Jabber servers with a firewall but why not stop them from trying in the first place too.
Multi-platform =and= multi-protocol.
Plus, pidgin is portable.
http://portableapps.com/apps/internet/pidgin_portable
Upward mobility is a slippery slope - the higher you climb the more you show your ass.
I run half a dozen jabberd servers (and one jabberd2) and use PSI on windows machines for clients. I also generate the user rosters myself with some nifty scripts so that users always see everyone else in the companies.
no way, http://www.igniterealtime.org/.
Openfire is amazing and with thier Sparks client it gets even better.
Includes SSL, open API, different database backend, including LDAP. I've been running it for my office on a linux box connecting to a windows AD authentication. Best part about it is you can manage everyones contact lists. So no more invite this person add this person.
Openfire (formerly Wildfire) is a real time collaboration (RTC) server dual-licensed under the Open Source GPL and commercially. It uses the only widely adopted open protocol for instant messaging, XMPP (also called Jabber). Openfire is incredibly easy to setup and administer, but offers rock-solid security and performance
BTW i'm not affiliated with them, i just have used thier projects for years. Go opensource!
Not speculation
I work for IBM. Sametime works okay, but there are tons of problems with it. Just one, for instance, is that you can "smilie bomb" someone with their default java client. Basically you just up the java max heap size, and then send them 256M of smilies so it fills up their heap and crashes java. Fun stuff. I use Pidgin to connect to sametime using the meanwhile plugin myself.
Are you kidding? The Spark client is the biggest piece of shit I've ever used. Random freezing (the UI will just freeze for up to a minute on my work PC), stops remembering what group you put buddies into... it blows ass.
"16MB (fuck off, MiB fascists)" - The Mighty Buzzard
I used to have that issue to, But i updated my java recently and the issue has cleared up.
Although Sametime itself isn't open source, the newer versions are based on Eclipse (as are the more recent versions of Notes). Whether or not the overhead of running an instance of Eclipse to handle IM is a good idea or not is up to you.
You might want to check their homepage and the Wikipedia article.
OTR works very well for me. I recommend Pidgin as a client and Jabber as a protocol.
No software should have that problem. If it can't handle it, it should reject/drop the message, not crash (preferably with a substitute message saying message was dropped because sender.
Not confirming the Sametime behavior described, just speaking from experience of many many instances of developers feeding me BS about how they shouldn't have to tolerate some condition or another as it is artificial and stupid, not acknowledging a DoS as a serious problem.
XML is like violence. If it doesn't solve the problem, use more.
There is no version of Pidgin for OS X, you may install it (using Fink) but it is unsupported.
There is however a port called adium
http://retroshare.sourceforge.net/
is the only true crossplattform serverless secure IM-client out there.
I administer two Openfire servers at different locations in my company. One runs on a Windows server, the other on a Linux server. One has a mysql backend, the other runs on MS SQL. Both integrate seamlessly with Active Directory, and provide SSL encrypted communications between each other and the clients. Honestly, despite the vastly differing setups between the two sites, it's amazing how easy it was to get them to work with each other. I have to admit that Spark needs quite a bit of work, but there are a million good XMPP clients out there, and all work fine with Openfire. I think this is one of the best open-source projects I've ever come across, and should be a pretty simple one word answer to the post question.
-Arthur
Cave ne ante ullas catapultas ambules
Does Meanwhile handle the encryption with Sametime and the Sametime variants like Notesbuddy? Last I tried it with Miranda, it choked. This leads to confusion for non-geeks.
IBM should just contribute to Meanwhile and release an official version of the library... it'd be so much less trouble. The Java Sametime client is the fattest piece of client software I had ever seen. Heavier than MS Office, heavier than Lotus Notes, heavier than the whole OS.
It *works*, but OMG.
The web conferencing works, but don't expect a group of customers to be able to connect at the last minute. It will take an hour-long workshop to lead them through installing the app and running a test meeting. Most will finish in 15 minutes, but a few will require tweaking, others will never be able to connect. It's an embarrassment. I wound up just using Webex. Many customer meetings, all flawless. The money saved in the hours of work to set up Sametime more than paid for the Webex fees.
It's fine to "eat your own dogfood" but when your customer sees your employees choking and gagging on it, your employees complain LOUDLY, and you still make your employees eat it in front of the customer, it's just NOT HELPING ANYONE.
All that said. It *does* work. It *does* work well for internal meetings where you're not doing one-time-demos with unconfigured remote customer machines. Internally, aside from the weight of the IM client, I can't think of anything with the same or better feature set.
We run Openfire as well. Spark is multiplatform (Windows, Linux and Mac) but, as you can read from the other comments, it's not so great. Why an IM client needs 80MB of memory baffles me. I'm sure it's because it's Java but who knows. I've only run it on windows so I can't speak for the other platforms. The openfire server on the other hand is first rate. Not only is it secure, free and integrates with AD but it's Jabber so you can use a number of different clients. I have folks running Psi, Pidgen and Miranda and they all say it works well. MG
MG
We run Openfire as well. Spark is multiplatform (Windows, Linux and Mac) but, as you can read from the other comments, it's not so great.
I used something similar. A linux box running ejabberd with a script that runs every night to sync accounts with AD. I used the shared rosters to put people into groups (until they support rosters from AD groups). Then I used the spark client because it was the only one I found with an MSI package (the company is almost entirely Windows except for the jabber server), and then I deployed it through Group Policy.
.profile or whatever it is in the Spark directory. If not, it pre-populates the file with a username, server connection info, and some sane defaults. Then checks to make sure the spark client is in the Startup group. Finally Spark launches, tries to autologin and fails (because we can't pre-populate the users passwords, they are unknown). Then the user just has to enter their password and hit enter.
Finally, I wrote a quick VB Script that runs on login and checks if a user has a
Not the most elegant solution, but once Pidgin has an MSI installer, and an easy way for admins to pre-configure it for massive installs, I'll stick with the Spark client. Of course users can use whatever client they want too.
Honestly, I've never used the Openfire server or whatever it's called--I looked at the word 'java' and said 'F*ck that. Not on a 500 MHz box.'
I only have around 250 users connected at any one time, but ejabberd handles it well with very little memory usage.
There's no place like