Slashdot Mirror
Good Open Source, Multi-Platform, Secure IM Client?
Phil O. writes "I work for a company with 30+ locations across North America. Some offices have hundreds of employees; some only a dozen. We're looking for a secure, multi-platform IM client we could implement across the organization. One group is pushing for Microsoft's solution, but it has a number of drawbacks (including cost). What other options are out there, and what has worked well in similar situations? Security is a big concern for the company."
Jabber server, pidgin clients, and http://pidgin-encrypt.sourceforge.net/ for security. Really it's a shame this even made it to slashdot. Can't anyone google anymore?
http://www.pidgin.im/
http://en.wikipedia.org/wiki/Pidgin
http://www.cypherpunks.ca/otr/
I'm betting www.jabber.org will be echoed over and over in the responses. Considering Google uses it to power Gtalk I say its scalable.
Microsofts solution is NOT multiplatform. Anything that runs jabber protocol has a multiplatform client.
We use the Openfire server (www.igniterealtime.org) with the Spark client over several offices in different states and over 3 different platforms. SSL is available as well (which we use).
So far no problems beyond user error. I'd recommend it.
I would go about your problem by first separating the client from the actual protocol. If you are worried about cross platform I would of course go with an XMPP solution. You can do the following:
- Run an OpenFire server Here
- Pick from a slew of XMPP clients but I would problem pick the Spark IM Client (Same people as the OpenFire software)
This way you don't have to worry about Client A working with Protocol B across Windows/Linux/Mac.
Using XMPP is also an easy way to control your IM facilities as you can create an organizational system for creating names such as using email addresses as screen names and not have to worry about Bob from Accounting using PiMpMaSta23.
I would evaluate OpenFire and the Spark IM client and see if it fits. The server is very easy to set up and administer. You can also use Pidgin or Psi as XMPP clients although I think Spark is the most professional looking of the three.
Turn based strategy game that runs over XMPP. Phalanx
Everybody is saying "Pidgin", but a client won't do you any good without a server to connect to, and if you really care about being secure, you shouldn't trust any third-party server that is publicly accessible.
You should probably set up your own Jabber server; I recommend Openfire, which is open source, easy to install, and pretty powerful. It is possible to mandate that all clients must use encryption to connect, which will do a pretty good job of keeping things secure, and you can use any XMPP client that supports encryption. If you don't want even the server to be able to read your messages, as others have suggested, installing an OTR plugin for your client is the way to go.
Karma: Terrifying (mostly affected by atrocities you've committed)
Pidgin is portable, under active development, works for multiple IM protocols, sports a healthy collection of plug-ins that augment its functionality -- include OTR to provide relatively secure messaging services. It's not perfect by any means, but I've deployed it across a 150-person organization and found that it more than met their needs. So if you're going to spend money -- not that you need to -- one possible course of action is to try pidgin, identify any issues that are causing you problems, and negotiate a deal with the developers: make a contribution to fund the development, which in turn not only benefits you but the entire rest of the user community.
Why not IRC?
Give me Classic Slashdot or give me death!
Skype? Since when is Skype secure man?! Have you read Slashdot?
SupraBrowser
It's a secure, threaded IM client (all socket communication 3DES encrypted with a zero-knowledge proof SRPP), written in Java, that runs on Linux, Mac, and Windows. It was developed for the hedge fund industry in Boston. I developed it initially, but it's mainly being maintained, not developed further because we don't receive any new feature requests.
Don't let the extensive features fool you. It's primarily a secure, threaded IM system. The other features were added (email gateway, auto-forwarding to email, embedded web browser with sophisticated tagging engine) based on its being used *very* heavily every day and requests coming from highly advanced users of the system.
There is also a Firefox plugin that integrates with it, as well as a pure ajax client written in the Eclipse Rich Ajax Platform.
Feel free to contact me personally for any details or help setting it up. The release on sourceforge assumes fairly good technical abilities (building it from ant, getting xulrunner to work with javaxpcom) and is not a general packaged release. However, it is running many places in production.
suprasphere@gmail.com
David Thomson
You can setup the thing completely in-house (you don't have to trust a contractor), or you can opt for a canned solution (for example Jabber, Inc., http://www.jabber.com/, they do provide everything for big and small companies, and are backed by Cisco). It uses SSL/TLS for secure connections both between clients and servers (C2S) and between separate servers (S2S), with full support for certificate authenticity checking, and even PGP/GPG encryption between the users, should they need to exchange really confifental data that even a rogue company server admin shouldn't be able to intercept (message encryption, pretty rare among proprietary protocols, but happens), or be sure that joe.the.boss@company.com is really Joe, their Boss, and not someone who just happend to "borrow" their laptop at the airport (signed presence, something, AFAIK, no other protocol provides). There are XMPP servers and clients for almost every platform possible, open-source or commercial, the protocol is open and approved by IETF for IM-style communication.
I won't give you any specific names, but I believe it wouldn't be very difficult to find a few *very* big companies using XMPP to prove to your boss that it's being used like this by big players in the industry.
And, frankly, that's the only open solution to your problem.
This is Slashdot. Common sense is futile. You will be modded down.
Read? Who reads anything on here? I only post.
My blog
It can replace your Exchange server for email, has an XMLPP IM server built-in, and is much more cost effective and easier to administer than Exchange.
We use sametime at my office and it's just like any other IM client I've used. Two points of note - it offers encrypted chats, and the collaboration tools (screensharing, etc.) work better than Microsoft's Messenger products. I don't doubt, however, that OSS can compete with this - I'd only go ST if you're already using Lotus Notes.
We use sametime at my company, and it's piece of shit. When it works, it works. Often when someone types something in a chat and I click the minimized sametime window to reply, try to write something in the message box, and sametime freezes. Lots of hdd access of no apparent reason. We experience the same on all our machines (2GB RAM). Don't get me started on Notes 8...
talk requires a terminal that can handle curses (vt100 or similar). This creates a barrier that's simply too cumbersome. I would suggest using write instead.
If encryption is needed, I would suggest rot13. For double encryption, rot26 can be used. Or, you could do what they did in WWII and "encrypt" by using an obscure language that few outsiders are likely to be able to decode. Since getting your coworkers to learn Navajo is probably out of reach, I suggest Pig Latin.
Really, I think the submitter is making this harder than it needs to be.
next time try to read more than just the title
But my "Slashdot User's Handbook" says I'm not supposed to!
Anyway, I was wondering if there was any papers or anything to follow up that post. Something that would move it from speculation to truth. There's some papers in the comments linking to notes about obfuscating against reverse engineering. The last sentence just said the Austrians claim they can easily listen into the conversations.
I have been a fan of the Spark Client and Openfire Server as an IM platform for quite sometime. They are built on the XMPP and Jabber protocols. After being in a corporate environment before, I know it's hard to convince management to go with an OSS solution as they seem to think that if it doesn't have a price tag, it's not secure. The Spark/Openfire platform come in an 'Enterprise' flavor with support to appease management as well. Both the client and server are built on a plug-in style architecture, so it's pretty easy to include your own software add-ins. There are really too many features for me to really go into though.
Plus, pidgin is portable.
http://portableapps.com/apps/internet/pidgin_portable
Upward mobility is a slippery slope - the higher you climb the more you show your ass.
Kerberos will authenticate without storing or sending passwords. It works for email, remote login (ssh, telnet, rlogin), file service (AFS, ftp) and web as well. Pidgin supports Kerberos, though you wouldn't know it to look at the documentation; it took me a while to realize I needed to load the Debian package libsasl2-modules-gssapi-mit.
Liam Healy
no way, http://www.igniterealtime.org/.
Openfire is amazing and with thier Sparks client it gets even better.
Includes SSL, open API, different database backend, including LDAP. I've been running it for my office on a linux box connecting to a windows AD authentication. Best part about it is you can manage everyones contact lists. So no more invite this person add this person.
Openfire (formerly Wildfire) is a real time collaboration (RTC) server dual-licensed under the Open Source GPL and commercially. It uses the only widely adopted open protocol for instant messaging, XMPP (also called Jabber). Openfire is incredibly easy to setup and administer, but offers rock-solid security and performance
BTW i'm not affiliated with them, i just have used thier projects for years. Go opensource!
I work for IBM. Sametime works okay, but there are tons of problems with it. Just one, for instance, is that you can "smilie bomb" someone with their default java client. Basically you just up the java max heap size, and then send them 256M of smilies so it fills up their heap and crashes java. Fun stuff. I use Pidgin to connect to sametime using the meanwhile plugin myself.
Are you kidding? The Spark client is the biggest piece of shit I've ever used. Random freezing (the UI will just freeze for up to a minute on my work PC), stops remembering what group you put buddies into... it blows ass.
"16MB (fuck off, MiB fascists)" - The Mighty Buzzard
But my "Slashdot User's Handbook" says I'm not supposed to!
Ha! Nobody's read the handbook!
This comment is fully compliant with RFC 527.
Although Sametime itself isn't open source, the newer versions are based on Eclipse (as are the more recent versions of Notes). Whether or not the overhead of running an instance of Eclipse to handle IM is a good idea or not is up to you.
You might want to check their homepage and the Wikipedia article.
OTR works very well for me. I recommend Pidgin as a client and Jabber as a protocol.
I use CenterIM, formerly called CenterICQ.
It's ncurses based, so it runs in any real computation environment. It supports Yahoo, ICQ, AIM, MSN, Jabber, IRC, Google Talk, Live Journal, RSS feeds and more!
It's a wonderful client, tiny footprint, and it runs where programs belong, on the command line!
I am the penguin that codes in the night.
Holy crap! You're a genius!
Tomorrow I'm going to go to the office and disguise the server rack as a refrigerator. Then my data will truly be safe, because even if a hacker does get in, he'll never believe there's any valuable data in a cheese sandwich.
I hate printers.