Good Open Source, Multi-Platform, Secure IM Client?

Phil O. writes "I work for a company with 30+ locations across North America. Some offices have hundreds of employees; some only a dozen. We're looking for a secure, multi-platform IM client we could implement across the organization. One group is pushing for Microsoft's solution, but it has a number of drawbacks (including cost). What other options are out there, and what has worked well in similar situations? Security is a big concern for the company."

Sametime

IBM's Lotus Sametime is very good I think. No idea how much it costs though, probably not cheap and it isn't open source.

Re:Sametime

[enharmonix]

We use sametime at my office and it's just like any other IM client I've used. Two points of note - it offers encrypted chats, and the collaboration tools (screensharing, etc.) work better than Microsoft's Messenger products. I don't doubt, however, that OSS can compete with this - I'd only go ST if you're already using Lotus Notes.

Re:Sametime

[__aardcx5948]

We use sametime at my company, and it's piece of shit. When it works, it works. Often when someone types something in a chat and I click the minimized sametime window to reply, try to write something in the message box, and sametime freezes. Lots of hdd access of no apparent reason. We experience the same on all our machines (2GB RAM). Don't get me started on Notes 8...

Re:Sametime

[Exstatica]

no way, http://www.igniterealtime.org/.
Openfire is amazing and with thier Sparks client it gets even better.
Includes SSL, open API, different database backend, including LDAP. I've been running it for my office on a linux box connecting to a windows AD authentication. Best part about it is you can manage everyones contact lists. So no more invite this person add this person.
Openfire (formerly Wildfire) is a real time collaboration (RTC) server dual-licensed under the Open Source GPL and commercially. It uses the only widely adopted open protocol for instant messaging, XMPP (also called Jabber). Openfire is incredibly easy to setup and administer, but offers rock-solid security and performance

BTW i'm not affiliated with them, i just have used thier projects for years. Go opensource!

Re:Sametime

I work for IBM. Sametime works okay, but there are tons of problems with it. Just one, for instance, is that you can "smilie bomb" someone with their default java client. Basically you just up the java max heap size, and then send them 256M of smilies so it fills up their heap and crashes java. Fun stuff. I use Pidgin to connect to sametime using the meanwhile plugin myself.

Re:Sametime

[bigstrat2003]

Are you kidding? The Spark client is the biggest piece of shit I've ever used. Random freezing (the UI will just freeze for up to a minute on my work PC), stops remembering what group you put buddies into... it blows ass.

Re:Sametime

[Exstatica]

I used to have that issue to, But i updated my java recently and the issue has cleared up.

Re:Sametime

[a_nonamiss]

I administer two Openfire servers at different locations in my company. One runs on a Windows server, the other on a Linux server. One has a mysql backend, the other runs on MS SQL. Both integrate seamlessly with Active Directory, and provide SSL encrypted communications between each other and the clients. Honestly, despite the vastly differing setups between the two sites, it's amazing how easy it was to get them to work with each other. I have to admit that Spark needs quite a bit of work, but there are a million good XMPP clients out there, and all work fine with Openfire. I think this is one of the best open-source projects I've ever come across, and should be a pretty simple one word answer to the post question.

Re:Sametime

[Maniacal]

We run Openfire as well. Spark is multiplatform (Windows, Linux and Mac) but, as you can read from the other comments, it's not so great. Why an IM client needs 80MB of memory baffles me. I'm sure it's because it's Java but who knows. I've only run it on windows so I can't speak for the other platforms. The openfire server on the other hand is first rate. Not only is it secure, free and integrates with AD but it's Jabber so you can use a number of different clients. I have folks running Psi, Pidgen and Miranda and they all say it works well. MG

Re:Sametime

[darkpixel2k]

We run Openfire as well. Spark is multiplatform (Windows, Linux and Mac) but, as you can read from the other comments, it's not so great.

I used something similar. A linux box running ejabberd with a script that runs every night to sync accounts with AD. I used the shared rosters to put people into groups (until they support rosters from AD groups). Then I used the spark client because it was the only one I found with an MSI package (the company is almost entirely Windows except for the jabber server), and then I deployed it through Group Policy.

Finally, I wrote a quick VB Script that runs on login and checks if a user has a .profile or whatever it is in the Spark directory. If not, it pre-populates the file with a username, server connection info, and some sane defaults. Then checks to make sure the spark client is in the Startup group. Finally Spark launches, tries to autologin and fails (because we can't pre-populate the users passwords, they are unknown). Then the user just has to enter their password and hit enter.

Not the most elegant solution, but once Pidgin has an MSI installer, and an easy way for admins to pre-configure it for massive installs, I'll stick with the Spark client. Of course users can use whatever client they want too.

Honestly, I've never used the Openfire server or whatever it's called--I looked at the word 'java' and said 'F*ck that. Not on a 500 MHz box.'

I only have around 250 users connected at any one time, but ejabberd handles it well with very little memory usage.

Anonymous Coward

Jabber server, pidgin clients, and http://pidgin-encrypt.sourceforge.net/ for security. Really it's a shame this even made it to slashdot. Can't anyone google anymore?

Re:Anonymous Coward

[Chris+Acheson]

OTR is more secure that pidgin-encryption, and works with other IM clients as well.

Re:Anonymous Coward

[2starr]

No kidding. I'm looking for a good open-source web browser. Anyone know of one?

Re:Anonymous Coward

[Fred+Ferrigno]

Anyone know a news site for nerds, something with stuff that matters?

Re:Anonymous Coward

[Kent+Recal]

Maybe try digg?

Pidgin + OTR

[314m678]

Pidgin + OTR pluggin

http://www.pidgin.im/

http://en.wikipedia.org/wiki/Pidgin

http://www.cypherpunks.ca/otr/

Re:Pidgin + OTR

[TheLink]

Pidgin for windows is pretty crappy though

It hangs quite often (more if you don't use the tab mode, and if you use tab mode, if some spammer spams you, you can't tell from the taskbar who sent you the message - it could look like someone else is sending you a message).

It often doesn't succeed in sending messages to people on MSN - 5 minutes after I send, it'll tell me it failed. 5 minutes!

You can't easily filter out "spim", even if you use stuff like bot sentry you still get bugged about it- which completely defeats the purpose.

The only reason why I'm currently using pidgin instead of "Windows Live Messenger" is the latter doesn't save chat logs if you shutdown/logout without "closing the program properly".

Would be happy to know if there's something more stable.

I tried trillian but the interface was terrible.

Lastly, maybe it's coincidence but my spim rates went up a lot soon after I tried pidgin and trillian.

Re:Pidgin + OTR

[JCSoRocks]

The MSN bug is the only one I've run into. Other than that I've always thought Pidgin was great. I've been forced to switch over to Windows Live Messenger and I really don't like it after using Pidgin. The Outlook integration doesn't make up for the clunkier UI and the inability to connect to other networks.

Re:Pidgin + OTR

[srussell]

Note that the OTR plugin is available for several IM clients, including KDE's Kopete, Miranda, mICQ, and several others.

I'm still waiting for it to show up for the Android chat client, but it is still early days...

--- SER

Re:Pidgin + OTR

[biz0r]

Pidgin unstable? This is news to me and I use pidgin to connect to AIM, MSN, and Google. And combined have over 150 contacts I converse with...sometimes a dozen at a time.

I have never had issues sending messages to people on MSN either...are you certain it isn't just the specific computer you are using it on?

Re:Pidgin + OTR

[Bert64]

Most likely the MSN bug in pidgin is due to having to reverse engineer the protocol every time it gets changed...

Re:Pidgin + OTR

[BenoitRen]

There's XUL MSN Messenger, developed by yours truly. It doesn't support display pictures (yet), but otherwise it's pretty solid. I always use it.

jabber

[muckdog]

I'm betting www.jabber.org will be echoed over and over in the responses. Considering Google uses it to power Gtalk I say its scalable.

Re:jabber

[rlp]

I agree - not too hard to set up your own jabber server with an SSL connection. If you REALLY want to be secure, you won't rely on someone elses server.

Re:jabber

[Macrat]

Here's a jabber server with ssl ready to go.

http://wikis.sun.com/display/CommSuite/Sun+Java+Communications+Suite+Information

Re:jabber

[Britz]

If the clients use end-to-end encryption and share the password through a secure different channel (e.g. encrypted email) does it really matter if the server is your own?

Multi-platform

[jkinney3]

Microsofts solution is NOT multiplatform. Anything that runs jabber protocol has a multiplatform client.

Re:Multi-platform

[Haeleth]

Microsofts solution is NOT multiplatform.

What do you mean? It runs on both kinds of computer, XP and Vista.

Pidgin?

[yakumo.unr]

So how about Pidgin with the OTR plugin? afaik you can't get more secure than OTR with IM, and it's available for a few different clients.

Re:Pidgin?

[Liam]

Kerberos will authenticate without storing or sending passwords. It works for email, remote login (ssh, telnet, rlogin), file service (AFS, ftp) and web as well. Pidgin supports Kerberos, though you wouldn't know it to look at the documentation; it took me a while to realize I needed to load the Debian package libsasl2-modules-gssapi-mit.

Openfire + Spark

[mackil]

We use the Openfire server (www.igniterealtime.org) with the Spark client over several offices in different states and over 3 different platforms. SSL is available as well (which we use).

So far no problems beyond user error. I'd recommend it.

Re:Openfire + Spark

[ErnieD]

I'll second that, we use Openfire within our IT department (spanning 3 locations plus accessible via VPN). Spark is the primary client we give to our people but they're also free to use any other Jabber client they want like Pidgin, Miranda, Exodus, etc. We have SSL enabled and message auditing & archiving turned on which is also important for businesses in certain markets. We have it authenticating off our Active Directory via LDAP lookup. There's also a Flash-based web client which simply is a SWF that can be dropped in any web server, but we don't use that at present.

Re:Openfire + Spark

[SuperQ]

I use openfire for my personal jabber server, it's been reliable, and keeps getting good updates.

I haven't used the spark client, and I haven't had good luck with the web client. That's probably the biggest thing I wish I could find was a good web client like gmail chat.

Jabber?

[nine-times]

I've never actually implemented Jabber before, but it seems like the obvious answer. You should be able to set up your own server without paying any software costs, and use GAIM/Adium. I think encryption is supported, but it's slightly less of a concern if the traffic never leaves your own network.

Actually, depending on your requirements, you may not want clients to encrypt traffic, so that you can log and archive it.

Re:Jabber?

[infinityxi]

Jabber is actually a pretty easy set up. You can grab a ejabberd or OpenFire and set your domain up around it. Encryption and retention is also pretty easy to set up. It seems to make the most sense if this is about in house communication on a company level as one can easily make JIDs mirror email addresses.

Any XMPP Client

[infinityxi]

I would go about your problem by first separating the client from the actual protocol. If you are worried about cross platform I would of course go with an XMPP solution. You can do the following:

- Run an OpenFire server Here
- Pick from a slew of XMPP clients but I would problem pick the Spark IM Client (Same people as the OpenFire software)

This way you don't have to worry about Client A working with Protocol B across Windows/Linux/Mac.

Using XMPP is also an easy way to control your IM facilities as you can create an organizational system for creating names such as using email addresses as screen names and not have to worry about Bob from Accounting using PiMpMaSta23.

I would evaluate OpenFire and the Spark IM client and see if it fits. The server is very easy to set up and administer. You can also use Pidgin or Psi as XMPP clients although I think Spark is the most professional looking of the three.

You'll need a server, too

[Yosho]

Everybody is saying "Pidgin", but a client won't do you any good without a server to connect to, and if you really care about being secure, you shouldn't trust any third-party server that is publicly accessible.

You should probably set up your own Jabber server; I recommend Openfire, which is open source, easy to install, and pretty powerful. It is possible to mandate that all clients must use encryption to connect, which will do a pretty good job of keeping things secure, and you can use any XMPP client that supports encryption. If you don't want even the server to be able to read your messages, as others have suggested, installing an OTR plugin for your client is the way to go.

Pidgin performs beautifully cross-platform

[Arrogant-Bastard]

Pidgin is portable, under active development, works for multiple IM protocols, sports a healthy collection of plug-ins that augment its functionality -- include OTR to provide relatively secure messaging services. It's not perfect by any means, but I've deployed it across a 150-person organization and found that it more than met their needs. So if you're going to spend money -- not that you need to -- one possible course of action is to try pidgin, identify any issues that are causing you problems, and negotiate a deal with the developers: make a contribution to fund the development, which in turn not only benefits you but the entire rest of the user community.

Why IM?

[Hatta]

Why not IRC?

Re:Why IM?

[Khyber]

I have yet to see a reliable working UnrealIRCd server hack.

As long as they didn't use mIRC and kept their IRC network completely internal (kinda tough to do without some VPN connecting to the other 30+ locations plus password entry into channel (or an allow list) they shouldn't have too much of an issue.

And of course IRC does have SSL connection capability.

Re:skype

[Zsub]

Skype? Since when is Skype secure man?! Have you read Slashdot?

GroupWise IM

[Emrys01]

Novell GroupWise Instant Messenger is secure by default. It has its own client or you can use Pidgin. The server is not hard to set up and get running either. (Disclaimer, I work for Novell.)

Check out SupraBrowser

SupraBrowser

It's a secure, threaded IM client (all socket communication 3DES encrypted with a zero-knowledge proof SRPP), written in Java, that runs on Linux, Mac, and Windows. It was developed for the hedge fund industry in Boston. I developed it initially, but it's mainly being maintained, not developed further because we don't receive any new feature requests.

Don't let the extensive features fool you. It's primarily a secure, threaded IM system. The other features were added (email gateway, auto-forwarding to email, embedded web browser with sophisticated tagging engine) based on its being used *very* heavily every day and requests coming from highly advanced users of the system.

There is also a Firefox plugin that integrates with it, as well as a pure ajax client written in the Eclipse Rich Ajax Platform.

Feel free to contact me personally for any details or help setting it up. The release on sourceforge assumes fairly good technical abilities (building it from ant, getting xulrunner to work with javaxpcom) and is not a general packaged release. However, it is running many places in production.

suprasphere@gmail.com

David Thomson

XMPP with TLS and (optionally) GPG/PGP

[Enleth]

You can setup the thing completely in-house (you don't have to trust a contractor), or you can opt for a canned solution (for example Jabber, Inc., http://www.jabber.com/, they do provide everything for big and small companies, and are backed by Cisco). It uses SSL/TLS for secure connections both between clients and servers (C2S) and between separate servers (S2S), with full support for certificate authenticity checking, and even PGP/GPG encryption between the users, should they need to exchange really confifental data that even a rogue company server admin shouldn't be able to intercept (message encryption, pretty rare among proprietary protocols, but happens), or be sure that joe.the.boss@company.com is really Joe, their Boss, and not someone who just happend to "borrow" their laptop at the airport (signed presence, something, AFAIK, no other protocol provides). There are XMPP servers and clients for almost every platform possible, open-source or commercial, the protocol is open and approved by IETF for IM-style communication.

I won't give you any specific names, but I believe it wouldn't be very difficult to find a few *very* big companies using XMPP to prove to your boss that it's being used like this by big players in the industry.

And, frankly, that's the only open solution to your problem.

Re:skype

[morgan_greywolf]

Read? Who reads anything on here? I only post.

Zimbra

[sfbiker]

Check out Zimbra

It can replace your Exchange server for email, has an XMLPP IM server built-in, and is much more cost effective and easier to administer than Exchange.

OpenFire Jabber server

[Nicodemus]

I would recommend the open source OpenFire server. Install it on your own server, then set the preferences to force SSL connections. Then communicates passed between clients on any platform are SSL encrypted. Turn off local client logging for better security. Beyond that, it's all client-side stuff that doesn't port as well.

Nicodemus

Re:There is only one true IM client

[eln]

talk requires a terminal that can handle curses (vt100 or similar). This creates a barrier that's simply too cumbersome. I would suggest using write instead.

If encryption is needed, I would suggest rot13. For double encryption, rot26 can be used. Or, you could do what they did in WWII and "encrypt" by using an obscure language that few outsiders are likely to be able to decode. Since getting your coworkers to learn Navajo is probably out of reach, I suggest Pig Latin.

Really, I think the submitter is making this harder than it needs to be.

Re:skype

[GodWasAnAlien]

"More Skype security Speculation."

Do you have any evidence that the Skype protocol is secure?

Note, Obscure != Secure.

Re:Skype?

[infinityxi]

I would really not want to use Skype for anything more than personal use, especially not company use. It might be a good program (matter of opinion) and it might have decent voip but then again the guy asking could have easily went with using AIM, Yahoo, or GTalk. It sounds like he wants to use something more suited to IM and for a company you should really want to have control over accounts, usernames, and compliance and I don't think Skype is good enough for that.

As for the security issue. I am sure it is decently secure but if this organization as others rely on encryption for sending sensitive messages across the wire (I would really discourage people sending sensitive business information over IM) a third party solution isn't really the way to go. I would say run something in house (or co-located) and get a certificate.

Re:skype

[The+Moof]

next time try to read more than just the title

But my "Slashdot User's Handbook" says I'm not supposed to!

Anyway, I was wondering if there was any papers or anything to follow up that post. Something that would move it from speculation to truth. There's some papers in the comments linking to notes about obfuscating against reverse engineering. The last sentence just said the Austrians claim they can easily listen into the conversations.

Spark/Openfire?

[chiger_bite]

I have been a fan of the Spark Client and Openfire Server as an IM platform for quite sometime. They are built on the XMPP and Jabber protocols. After being in a corporate environment before, I know it's hard to convince management to go with an OSS solution as they seem to think that if it doesn't have a price tag, it's not secure. The Spark/Openfire platform come in an 'Enterprise' flavor with support to appease management as well. Both the client and server are built on a plug-in style architecture, so it's pretty easy to include your own software add-ins. There are really too many features for me to really go into though.

I don't think Pidgin

[morgauo]

Pidgin's a great client for personal use. I use it and like it a lot.

Sure, they can set up a Jabber server of their own, then connect to it with Pidgin and use one of the encryption plugins for security but I doubt an organization that is concerned about secure IM is going to be interested in a solution with so much possibility for the users to start adding their own personal, outside, public IM accounts.

I would say Jabber server with any jabber only client which supports encryption and can have it's config locked down. Of course, they can block access to outside Jabber servers with a firewall but why not stop them from trying in the first place too.

We use Pidgen

[FreeBSD+evangelist]

Multi-platform =and= multi-protocol.

Portable

[Forty+Two+Tenfold]

Plus, pidgin is portable.
http://portableapps.com/apps/internet/pidgin_portable

jabberd/jabberd2

[defsdoor]

I run half a dozen jabberd servers (and one jabberd2) and use PSI on windows machines for clients. I also generate the user rosters myself with some nifty scripts so that users always see everyone else in the companies.

!speculation

[tripmine]

Not speculation

Re:skype

[s4m7]

But my "Slashdot User's Handbook" says I'm not supposed to!

Ha! Nobody's read the handbook!

Sametime is slightly open source

[TimTucker]

Although Sametime itself isn't open source, the newer versions are based on Eclipse (as are the more recent versions of Notes). Whether or not the overhead of running an instance of Eclipse to handle IM is a good idea or not is up to you.

Re:How much more ?

[fxkr]

You might want to check their homepage and the Wikipedia article.

OTR works very well for me. I recommend Pidgin as a client and Jabber as a protocol.

CenterIM is the way

[pngwen]

I use CenterIM, formerly called CenterICQ.

It's ncurses based, so it runs in any real computation environment. It supports Yahoo, ICQ, AIM, MSN, Jabber, IRC, Google Talk, Live Journal, RSS feeds and more!

It's a wonderful client, tiny footprint, and it runs where programs belong, on the command line!

It shouldn't.

[Junta]

No software should have that problem. If it can't handle it, it should reject/drop the message, not crash (preferably with a substitute message saying message was dropped because sender.

Not confirming the Sametime behavior described, just speaking from experience of many many instances of developers feeding me BS about how they shouldn't have to tolerate some condition or another as it is artificial and stupid, not acknowledging a DoS as a serious problem.

Re:skype

[MrNaz]

Holy crap! You're a genius!

Tomorrow I'm going to go to the office and disguise the server rack as a refrigerator. Then my data will truly be safe, because even if a hacker does get in, he'll never believe there's any valuable data in a cheese sandwich.

Re:skype

[hoytak]

IIRC, the biggest problem about skype in this case is that its license explicitly forbids commercial use. At least w/ the free version.

Re:OTR

[SturdyErde]

First I've heard of OTR. That strategy would helpful for some situations, but sounds like it might not be compliant with corporate legislation such as SOX. Anyone dealt with this question yet?