Good Open Source, Multi-Platform, Secure IM Client?
Phil O. writes "I work for a company with 30+ locations across North America. Some offices have hundreds of employees; some only a dozen. We're looking for a secure, multi-platform IM client we could implement across the organization. One group is pushing for Microsoft's solution, but it has a number of drawbacks (including cost). What other options are out there, and what has worked well in similar situations? Security is a big concern for the company."
IBM's Lotus Sametime is very good I think. No idea how much it costs though, probably not cheap and it isn't open source.
Jabber server, pidgin clients, and http://pidgin-encrypt.sourceforge.net/ for security. Really it's a shame this even made it to slashdot. Can't anyone google anymore?
talk
http://www.pidgin.im/
http://en.wikipedia.org/wiki/Pidgin
http://www.cypherpunks.ca/otr/
I'm betting www.jabber.org will be echoed over and over in the responses. Considering Google uses it to power Gtalk I say it's scalable.
Microsoft's solution is NOT multiplatform. Anything that runs jabber protocol has a multiplatform client.
So how about Pidgin with the OTR plugin? afaik you can't get more secure than OTR with IM, and it's available for a few different clients.
You could try recommending Pidgin with the Off The Record plugin. I can't say I've personally gone through the code and verified all of its claims, but the plugin looks promising, and it's easy to install.
We use the Openfire server (www.igniterealtime.org) with the Spark client over several offices in different states and over 3 different platforms. SSL is available as well (which we use).
So far no problems beyond user error. I'd recommend it.
Use Pidgin with OTR. It is a good balance of security and convenience, you just need to be careful about not having your hardware stolen (OTR keys are not symmetrically encrypted the way PGP keys are). You might be able to resolve that by also using whole disk encryption...
Palm trees and 8
I've never actually implemented Jabber before, but it seems like the obvious answer. You should be able to set up your own server without paying any software costs, and use GAIM/Adium. I think encryption is supported, but it's slightly less of a concern if the traffic never leaves your own network.
Actually, depending on your requirements, you may not want clients to encrypt traffic, so that you can log and archive it.
I would go about your problem by first separating the client from the actual protocol. If you are worried about cross platform I would of course go with an XMPP solution. You can do the following:
- Run an OpenFire server
- Pick from a slew of XMPP clients but I would probably pick the Spark IM Client (Same people as the OpenFire software)
This way you don't have to worry about Client A working with Protocol B across Windows/Linux/Mac.
Using XMPP is also an easy way to control your IM facilities as you can create an organizational system for creating names such as using email addresses as screen names and not have to worry about Bob from Accounting using PiMpMaSta23.
I would evaluate OpenFire and the Spark IM client and see if it fits. The server is very easy to set up and administer. You can also use Pidgin or Psi as XMPP clients although I think Spark is the most professional looking of the three.
Turn based strategy game that runs over XMPP. Phalanx
Everybody is saying "Pidgin", but a client won't do you any good without a server to connect to, and if you really care about being secure, you shouldn't trust any third-party server that is publicly accessible.
You should probably set up your own Jabber server; I recommend Openfire, which is open source, easy to install, and pretty powerful. It is possible to mandate that all clients must use encryption to connect, which will do a pretty good job of keeping things secure, and you can use any XMPP client that supports encryption. If you don't want even the server to be able to read your messages, as others have suggested, installing an OTR plugin for your client is the way to go.
Karma: Terrifying (mostly affected by atrocities you've committed)
Pidgin is portable, under active development, works for multiple IM protocols, sports a healthy collection of plug-ins that augment its functionality -- including OTR to provide relatively secure messaging services. It's not perfect by any means, but I've deployed it across a 150-person organization and found that it more than met their needs. So if you're going to spend money -- not that you need to -- one possible course of action is to try pidgin, identify any issues that are causing you problems, and negotiate a deal with the developers: make a contribution to fund the development, which in turn not only benefits you but the entire rest of the user community.
Why not IRC?
Give me Classic Slashdot or give me death!
What about looking at Sametime? Multiplatform, secure, Java based and supports voip, webconferencing, sharing of apps and a whole bunch of other plugins. www.ibm.com/sametime.
Skype? Since when is Skype secure man?! Have you read Slashdot?
I have used this combination at two jobs now, it supports multiple offices and also has LDAP integration if you wanted to hook it up with Active Directory. There is also a handy assortment of plugins available.
Finch is great because it's command line. It supports almost all IM clients even IRC.
Novell GroupWise Instant Messenger is secure by default. It has its own client or you can use Pidgin. The server is not hard to set up and get running either. (Disclaimer, I work for Novell.)
SupraBrowser
It's a secure, threaded IM client (all socket communication 3DES encrypted with a zero-knowledge proof SRPP), written in Java, that runs on Linux, Mac, and Windows. It was developed for the hedge fund industry in Boston. I developed it initially, but it's mainly being maintained, not developed further because we don't receive any new feature requests.
Don't let the extensive features fool you. It's primarily a secure, threaded IM system. The other features were added (email gateway, auto-forwarding to email, embedded web browser with sophisticated tagging engine) based on its being used *very* heavily every day and requests coming from highly advanced users of the system.
There is also a Firefox plugin that integrates with it, as well as a pure ajax client written in the Eclipse Rich Ajax Platform.
Feel free to contact me personally for any details or help setting it up. The release on sourceforge assumes fairly good technical abilities (building it from ant, getting xulrunner to work with javaxpcom) and is not a general packaged release. However, it is running many places in production.
suprasphere@gmail.com
David Thomson
Why does it have to be opensource? Do you intend to develop code/patches for it?
BeauHD. Worst editor since kdawson.
You can set up the thing completely in-house (you don't have to trust a contractor), or you can opt for a canned solution (for example Jabber, Inc., http://www.jabber.com/, they do provide everything for big and small companies, and are backed by Cisco). It uses SSL/TLS for secure connections both between clients and servers (C2S) and between separate servers (S2S), with full support for certificate authenticity checking, and even PGP/GPG encryption between the users, should they need to exchange really confidential data that even a rogue company server admin shouldn't be able to intercept (message encryption, pretty rare among proprietary protocols, but happens), or be sure that joe.the.boss@company.com is really Joe, their Boss, and not someone who just happened to "borrow" their laptop at the airport (signed presence, something, AFAIK, no other protocol provides). There are XMPP servers and clients for almost every platform possible, open-source or commercial, the protocol is open and approved by IETF for IM-style communication.
I won't give you any specific names, but I believe it wouldn't be very difficult to find a few *very* big companies using XMPP to prove to your boss that it's being used like this by big players in the industry.
And, frankly, that's the only open solution to your problem.
This is Slashdot. Common sense is futile. You will be modded down.
Read? Who reads anything on here? I only post.
My blog
It can replace your Exchange server for email, has an XMPP IM server built-in, and is much more cost effective and easier to administer than Exchange.
When I was considering IM solutions for my company, I was looking into SILC, as that lets me run my own servers in addition to keeping traffic encrypted. I know that wasn't part of your original question. But it may be something you want to look into. Pidgin apparently has SILC client support built-in as well.
Don't know much about it, but it appears to support encryption straight from the transport level with no kludges like OTR.
Looks open source too.
Psi and a Jabber server of your choosing would do.
Psi is fully multi platform, supports various encryption options. It isn't any harder to setup and install than any other corporate instant messaging system.
Additionally, there is no cost involved.
Change is certain; progress is not obligatory.
"More Skype Back Door Speculation."
Not saying Skype is secure or anything, but do you have any hard evidence, or facts?
Nobody on slashdot would typically suggest Novell for anything. Patent issues, selling their soul to MS, working with mono, You should know better.
Pidgin + OTR + Jabber server if needed = good solution, open source, no software costs of any kind (only hardware).
I would recommend the open source OpenFire server. Install it on your own server, then set the preferences to force SSL connections. Then communications passed between clients on any platform are SSL encrypted. Turn off local client logging for better security. Beyond that, it's all client-side stuff that doesn't port as well.
Nicodemus
Last sentence of my link, next time try to read more than just the title.
"More Skype security Speculation."
Do you have any evidence that the Skype protocol is secure?
Note, Obscure != Secure.
I would really not want to use Skype for anything more than personal use, especially not company use. It might be a good program (matter of opinion) and it might have decent voip but then again the guy asking could have easily gone with using AIM, Yahoo, or GTalk. It sounds like he wants to use something more suited to IM and for a company you should really want to have control over accounts, usernames, and compliance and I don't think Skype is good enough for that.
As for the security issue. I am sure it is decently secure but if this organization as others rely on encryption for sending sensitive messages across the wire (I would really discourage people sending sensitive business information over IM) a third party solution isn't really the way to go. I would say run something in house (or co-located) and get a certificate.
Turn based strategy game that runs over XMPP. Phalanx
next time try to read more than just the title
But my "Slashdot User's Handbook" says I'm not supposed to!
Anyway, I was wondering if there were any papers or anything to follow up that post. Something that would move it from speculation to truth. There's some papers in the comments linking to notes about obfuscating against reverse engineering. The last sentence just said the Austrians claim they can easily listen into the conversations.
I have been a fan of the Spark Client and Openfire Server as an IM platform for quite some time. They are built on the XMPP and Jabber protocols. After being in a corporate environment before, I know it's hard to convince management to go with an OSS solution as they seem to think that if it doesn't have a price tag, it's not secure. The Spark/Openfire platform comes in an 'Enterprise' flavor with support to appease management as well. Both the client and server are built on a plug-in style architecture, so it's pretty easy to include your own software add-ins. There are really too many features for me to really go into though.
Gale -- http://www.gale.org/
It's secure, easy to set up (including both client and server), and there are multiple clients for it, including both command-line and GUIs, and for both Linux and Windows.
All messages are cryptographically signed (unless the user chooses to send anonymously), and messages can be either plain-text or encrypted, depending on who they're being sent to.
Pidgin's a great client for personal use. I use it and like it a lot.
Sure, they can set up a Jabber server of their own, then connect to it with Pidgin and use one of the encryption plugins for security but I doubt an organization that is concerned about secure IM is going to be interested in a solution with so much possibility for the users to start adding their own personal, outside, public IM accounts.
I would say Jabber server with any jabber only client which supports encryption and can have its config locked down. Of course, they can block access to outside Jabber servers with a firewall but why not stop them from trying in the first place too.
Multi-platform =and= multi-protocol.
I suppose it's a question of "How secure does it need to be?" If it's launch codes, then I would be uncomfortable with any IM type exchanges, send a messenger in a tank for that. If the company we're talking about is "Del Taco corporate offices" then Skype is probably "secure" enough that Taco Bell wouldn't bother.
I'd be curious as to the general consensus as to what the chances that if say Pfizer were to be communicating trade secrets via skype or messenger, that those messages would be stolen by another pharmaceutical or other entity? Or is "secure" more for preventing computer systems from being compromised by hackers or viruses rather than competition? It's all good to say that the Australian government can listen in on your skype conversations, but aside from your rights being eroded, what are some of the more tangible risks?
That's true. I have tried to Google, but that is not really yielding satisfying results. I have come across several sites mentioning backdoors in the protocol or the program exploitable by government or someone else. Those are just rumours. However, via the Skype wiki I found a website detailing the leaking of a German report to the German 'Piraten Partei'. I have read it and it seems to be a quote of sorts for "Skype-Capture-Software" and several options, including SSL decoding and the installation of it all. It also mentions two proxy-servers to hide their own IP addresses, but there is no price given. So all in all, this -- as far as I could find -- is the most concrete evidence supporting that Skype is in fact not secure.
Plus, pidgin is portable.
http://portableapps.com/apps/internet/pidgin_portable
Upward mobility is a slippery slope - the higher you climb the more you show your ass.
I run half a dozen jabberd servers (and one jabberd2) and use PSI on windows machines for clients. I also generate the user rosters myself with some nifty scripts so that users always see everyone else in the companies.
Not speculation
In this case, for once, I have to say just use a commercial solution. Maintaining your own servers is expensive, and supporting it is a headache your IT people don't need. Just go with Skype if you want video and free phone service as well, that is very multi-platform. It's not open source, I admit, but it works well.
C'mon now, I can't believe no one has bothered to mention an SIP server.
Absolutely, positively the way to go because there's multimedia capabilities in there ready to go.
http://www.opensips.org/
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
But my "Slashdot User's Handbook" says I'm not supposed to!
Ha! Nobody's read the handbook!
This comment is fully compliant with RFC 527.
At our office, we were using IRC for many years. We recently rolled out a jabber/xmpp server, Openfire, and associated clients for the users' platforms. It's secure, and full-featured.
Anything that is Jabber/XMPP based will support a wide range of clients and has the ability to use SSL. You not only can encrypt SSL traffic, but a good server will allow you to require clients that connect to have a known and valid certificate. And the server must have a certificate that is known to the client. It's only as secure as your process of distributing the certificates.
For a client there are many. Coccinella has nice whiteboard features that I have found useful in the corporate world. But Pidgin, Miranda and others are fine too. (I also use centerim in a screen session of all things)
“Common sense is not so common.” — Voltaire
Are you serious?? Openfire for the XMPP (aka Jabber) server, and Pidgin for the client. If set up correctly, you can force SSL/TLS encryption. I've implemented this at my company and it's rock solid. Beats the hell out of any proprietary solution you'll find, if IM is your main goal. I'd recommend setting up XMPP service DNS records for your domain for a really slick implementation.
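Whether a server really enforces the encryption that several comments above describe shows in the `<stream:features/>` element it sends before TLS. The check below is an added example, not from any commenter or from Openfire; it assumes RFC 6120 STARTTLS negotiation on the client port, and both feature stanzas are constructed samples.

```python
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# Mechanisms that hand the server a reusable secret; unsafe on a cleartext stream.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample: server that refuses to continue without TLS.
ENFORCED_FEATURES = """
<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
  <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>
</stream:features>
"""

# Constructed sample: TLS is offered but optional, and logins are accepted before it.
OPTIONAL_FEATURES = """
<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
  <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
    <mechanism>PLAIN</mechanism>
    <mechanism>DIGEST-MD5</mechanism>
  </mechanisms>
</stream:features>
"""


def audit_features(features_xml):
    """Audit the first <stream:features/> a server sends, i.e. before any TLS."""
    root = ET.fromstring(features_xml)
    if root.tag != f"{{{NS_STREAM}}}features":
        raise ValueError("not a <stream:features/> element")

    starttls = root.find(f"{{{NS_TLS}}}starttls")
    offered = starttls is not None
    required = offered and starttls.find(f"{{{NS_TLS}}}required") is not None

    # Any SASL mechanism listed here can be used on the unencrypted stream.
    mechs = [m.text.strip()
             for m in root.iter(f"{{{NS_SASL}}}mechanism") if m.text]

    findings = []
    if not offered:
        findings.append("STARTTLS not offered: sessions on this port stay in cleartext")
    elif not required:
        findings.append("STARTTLS optional: a client may continue without encryption")
    if mechs:
        findings.append("SASL offered before TLS: " + ", ".join(mechs))
        exposed = sorted(CLEARTEXT_MECHS.intersection(mechs))
        if exposed:
            findings.append("password-equivalent mechanism usable in cleartext: "
                            + ", ".join(exposed))

    return {
        "starttls_offered": offered,
        "starttls_required": required,
        "pre_tls_mechanisms": mechs,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, sample in (("enforced", ENFORCED_FEATURES),
                          ("optional", OPTIONAL_FEATURES)):
        report = audit_features(sample)
        print(label, "->", report["findings"] or "no findings")
```

An empty findings list means a client that never upgrades to TLS gets no chance to authenticate, which is the behaviour the "force SSL/TLS" setting is meant to produce.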
Actually, depending on your requirements, you may not want clients to encrypt traffic, so that you can log and archive it.
Exactly my thoughts.
I'd recommend IRC. Set up one IRC server per location and tunnel inter-office connections over ssh or ssl [have a look at stunnel]. Whether to encrypt intraoffice communication depends on local requirements, but again there's stunnel.
If employees don't trust each other or the sysadmins, your organization probably either has serious problems, or it's the DOD.
If one client can do that, then the server seems to have an issue. But Miranda should not be there because it is not cross platform as was requested.
Use a Jabber server, there are many out there, and it also offers the benefit that you can split the service up into subdomains, ie your larger sites have their own local jabber server but can communicate with the others, so you have for instance:
user@newyork.yourcompany.com
user@london.yourcompany.com
You can also open it up to the outside if you want, and you can also make people's jabber id's match their email addresses...
For clients, being an open standard you have a huge choice of clients, pidgin is good and cross platform for instance, try a selection and see which one suits you best. Same for the server, try a few and see which works, if you have multiple servers there's no reason for them all to run the same software, and similarly you don't need everyone running the same client.
And of course, being an open standard you are free to change clients and servers whenever it suits you with minimal disruption, and supporting new devices will give you the widest choice - there are jabber clients for every significant OS and most mobile or embedded devices.
Incidentally, I doubt Microsoft's offering satisfies your "cross platform" stipulation.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Why would you want to pay for IM when there are so many good IM clients and servers you can use for free? It's like paying for a web browser, just doesn't make any sense.
I think he means 'Yahoo' it
Scary story: I was listening to the radio and there was an ad for yahoo homepage, and they claimed that you should use their service because they have "search as you type". Apparently they didn't realize google has this too?
I like the Openfire server with Spark client myself.
Although Sametime itself isn't open source, the newer versions are based on Eclipse (as are the more recent versions of Notes). Whether or not the overhead of running an instance of Eclipse to handle IM is a good idea or not is up to you.
I'm willing to take the -1, Flamebait on this:
Did you even -think- about trying, oh, say, a web search on this?
Google is pretty good, I suggest you try it.
What a pointless Ask Slashdot.
If firefighters fight fire, and crimefighters fight crime, what do freedom fighters fight? - George Carlin
there is gale which is secure, protocol based, distributed, and quite nice all around.
http://notanumber.net/
Asterisk will do it if you're using SIP...
It can also compress the voice chat session using GSM compression or similar to save space.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
You might want to check their homepage and the Wikipedia article.
OTR works very well for me. I recommend Pidgin as a client and Jabber as a protocol.
Does this mean we can finally stop arguing about whether or not Mac OS X's marketshare helps it remain "secure"? I kid...
While Skype is a cross platform IM tool, the one shortcoming I find with it is the Linux client does not support Video.
Is there a solution for cross platform video conferencing?
being vague is almost as cool as doing that other thing...
The goal is for people to have a standard way to communicate, not to pick a standard tool. Standardize on a multiplatform protocol (MSN, Yahoo, whatever) then pick a "best of breed client" for each platform (windoze, mac, linux, etc.)
Do not force people on different platforms to use the same application. You'll be fitting them to a Procrustean bed.
-- "At Microsoft, quality is job 1.1" -- PC Magazine, Nov. 1994
I use CenterIM, formerly called CenterICQ.
It's ncurses based, so it runs in any real computation environment. It supports Yahoo, ICQ, AIM, MSN, Jabber, IRC, Google Talk, Live Journal, RSS feeds and more!
It's a wonderful client, tiny footprint, and it runs where programs belong, on the command line!
I am the penguin that codes in the night.
No software should have that problem. If it can't handle it, it should reject/drop the message, not crash (preferably with a substitute message saying message was dropped because sender.
Not confirming the Sametime behavior described, just speaking from experience of many many instances of developers feeding me BS about how they shouldn't have to tolerate some condition or another as it is artificial and stupid, not acknowledging a DoS as a serious problem.
XML is like violence. If it doesn't solve the problem, use more.
There is no version of Pidgin for OS X, you may install it (using Fink) but it is unsupported.
There is however a port called adium
http://retroshare.sourceforge.net/
is the only true cross-platform serverless secure IM-client out there.
We're talking about secure IM solutions for an organisation here. That pretty much rules out everything that doesn't involve running your own private IM server. In other words, you're left with Jabber, and Microsoft's exchange-based balls-up solution. My vote's for jabber.
Holy crap! You're a genius!
Tomorrow I'm going to go to the office and disguise the server rack as a refrigerator. Then my data will truly be safe, because even if a hacker does get in, he'll never believe there's any valuable data in a cheese sandwich.
I hate printers.
http://sip-communicator.org/. This client works extremely well and is sip-based.
At the risk of being modded redundant, I would like to throw in my vote for Pidgin on Linux and Windows, with the OTR plugin for rock-solid encryption. Adium is the equivalent on Mac OS X, as it is based on the same libpurple codebase and also does OTR. Set up the jabber server of your choice behind your firewall, require VPN access, and you're set. Works for me and my org...Mac, Windows or Linux.
:q!
Back in the early 90s a bunch of friends started a MUD. After MMOs basically destroyed the text gaming world, nowadays we use it for a glorified chat room, IM system. Oh and we occasionally play a few games of cards or such. The latest MUD drivers support SSH. You could pitch it to management as a 'less graphically intensive, secure, and private second life experience'
We have a pretty small installation, 200 corporate users on Zimbra, nearly all addicted to and using Outlook.
We haven't had many problems, most of the problems we've had are with sharing calendars and contacts. It works fine, but not when the share is initiated through Outlook, the initial share needs to be done from the Zimbra web UI.
Aside from that, users seem pretty happy with Zimbra, most don't even know it's not exchange.
We're not running the free version of Zimbra for the very reason you suggested, it doesn't support the Outlook connector. The Outlook connector is key in a shop full of MS users, it gives them full email + calendar + contacts integration with.
Put identity in the browser.
For real.
Mod parent motherfscking hilarious!
IIRC, the biggest problem about skype in this case is that its license explicitly forbids commercial use. At least w/ the free version.
Does having a witty signature really indicate normality?
RTFH?
tkabber is TCL/TK, so it's cross platform.. it's also very complete and stable...
the only problem is that the gui is simpler than others...
Higuita
What would be the draw for a serverless one?
You can chat over Tor, WASTE, Freenet and others. Although it does not have a centralized server, there are still servers. Each node in the network acts as a server. I'm not sure if that fits your definition of "serverless".
Jabber/XMPP is nice because anyone can run a server, and chat with people using a different server/network. It's like email in that sense, your ids in XMPP look just like email addresses too.
“Common sense is not so common.” — Voltaire
It just goes to show you that all it takes to break encryption is to produce an obscure PDF of a badly scanned document from another country filled with seemingly made up words of increasing length like Staatsanwaltschaft, Ermittlungsverfahrens, and Telekommunikationsüberwachungsmaßnahme.
No existe.
For all the end-to-end encryption in the world, Pidgin is not secure.
Since you can't interface it with LDAP or Active Directory policies, users will just end up using the "Save My Password" option when logging in, which writes the password to disk in plain text.
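The saved-password concern in the comment above can be audited per workstation. This added example (not from the thread or the Pidgin project) assumes libpurple's `accounts.xml` layout, an outer `<account>` wrapper holding one `<account>` per login with `<protocol>`, `<name>` and an optional `<password>` child; the sample file content is constructed.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample in the assumed accounts.xml layout.
SAMPLE_ACCOUNTS_XML = """
<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>alice@chat.example.com/Work</name>
    <password>constructed-sample-secret</password>
  </account>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>bob@chat.example.com/Work</name>
  </account>
</account>
"""


def saved_password_accounts(accounts_xml):
    """Return accounts that have a password stored on disk.

    Accepts str or bytes. The password value itself is never returned,
    so the report can be collected centrally without copying secrets.
    """
    root = ET.fromstring(accounts_xml)
    hits = []
    for acct in root.iter("account"):
        name = acct.findtext("name")
        if name is None:
            continue  # the outer wrapper element has no <name> child
        if acct.findtext("password"):
            hits.append({
                "protocol": acct.findtext("protocol", default="unknown"),
                "name": name,
            })
    return hits


def audit_file(path):
    """Audit one accounts.xml: stored passwords plus file permissions."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, "rb") as fh:  # bytes, so an XML encoding declaration is honoured
        hits = saved_password_accounts(fh.read())
    return {
        "path": path,
        "saved_passwords": hits,
        # Any group/other permission bit widens who can read the secrets.
        "readable_by_others": bool(mode & 0o077),
        "mode": oct(mode),
    }


if __name__ == "__main__":
    # Assumed default location of the libpurple profile on Unix-like systems.
    default = os.path.expanduser("~/.purple/accounts.xml")
    if os.path.exists(default):
        print(audit_file(default))
    else:
        print(saved_password_accounts(SAMPLE_ACCOUNTS_XML))
```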
Bitwise is pretty decent: Windows, Linux, Mac; encrypted, whiteboard, voice, peer-to-peer, basic version free. http://www.bitwiseim.com/index.php/
If you use Jabber (XMPP) you don't care what the client is. You can use pidgin on Windows, Adium or ichat on Mac, etcetera.
Just stay the [deleted] away from Microsoft's stuff. Their only non-Windows support is a web applet.
It supports everything including Sametime.
Holy crap! You're a genius!
Tomorrow I'm going to go to the office and disguise the server rack as a refrigerator. Then my data will truly be safe, because even if a hacker does get in, he'll never believe there's any valuable data in a cheese sandwich.
Um, good one! But if you're replying to the parent comment as it appears, then you missed the joke.
Note, Obscure != Secure
What the commenter said here was "obscure does NOT equal secure."
[Obligatory]Then again, a beowulf cluster of servers disguised as fridges would be pretty sweet.[/Obligatory]
First I've heard of OTR. That strategy would be helpful for some situations, but sounds like it might not be compliant with corporate legislation such as SOX. Anyone dealt with this question yet?
Kopete, which as of KDE 4 *should* compile for multiple platforms. It has a plugin architecture, so should support secure messaging as well.
How come nobody has mentioned Psi?
http://psi-im.org/
It's a multi-platform jabber client that looks a bit more polished than pidgin. Other than that I can't actually attest to how it compares, but a google search or two showed that it is pretty well liked.
"how can they call it a MINE if everything here is THEIRS?!?!" -Straight Jacket
I too have to put in a good word for Openfire. I've been using it in a small organization for a couple of years now and I have an instance running for my personal domain, it hasn't ever given me any problems. Took me a little bit of effort (had to read a couple forum posts!) to get it talking to our specific ActiveDirectory setups but that was more due to my tweaking before RTFM. But now we have it set up so that everyone in the company authenticates via ActiveDirectory and has everyone else in the company in their group. Larger companies wouldn't want to do an autogroup for the entire company, but a small office or a group can easily be configured based on a given ldap query.
Really, Openfire is awesome and free, if you want/need support they'll be happy to sell it to you, and they provide some commercial products for larger companies that you might be interested in, we're too small to bother with their commercial offerings so I have no experience
Spark wasn't my cup of tea, but since it's all XMPP, you can use whatever client you want, I use pidgin in Windows.
I too am not affiliated with Wildfire, but they make a very good product and have made it free (including clustering of servers) so they deserve a good reference at least.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
hmmm...building private beowulf cluster inside of some old fridge...
Genius; pure genius...
One that hath name thou can not otter
We use Waste on our PCs and Linux boxes. One group in our organization still uses VIA's version which has source code available if you look hard enough. Waste gives you chat, file-sharing and traffic leveling to defeat traffic analysis. It does require one fixed IP address.
If your corporate legal department tells you that the Sarbanes-Oxley rules require you to keep records of all your instant messages, then the Off-The-Record instant messaging system is not what you're looking for. But most people probably aren't subject to that kind of regulation.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
You could pick your client first and then use its protocol, but it's much better to pick your protocol first and then pick one or more clients that support it. The two interesting open protocols out there are Jabber's XMPP, and SIMPLE, which is part of the SIP protocol family (mainly used for Voice over IP and also video.) Do you want to integrate your IM system with your voice system (since that's already maintaining a presence server)? SIMPLE may be a better choice. Not using an open VOIP platform? XMPP may give you more choice of clients.
One real benefit of the last Jabber system I used was that our corporate firewalls were set up in a way that could support IM sessions from either inside or outside the firewall, so I could stay connected to IM from home even if I wasn't using the corporate VPN. (Unfortunately, our current internal IM client is something the IT department homebrewed a few years before our merger, runs some homebrew protocol, and can't pass through the firewall - but it does give you lots of choices of automatically-converted-from-text-to-graphics emoticons! :-) ;-| :=( At least the stuff we sell to customers is something standard, I think Jabber.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Maybe, maybe not...
but Yahoo had it first. And they do it better.