Slashdot Mirror


XMPP Operators Begin Requiring Encryption, Google Still Not Allowing TLS

Via El Reg comes news that major XMPP (formerly known as Jabber, likely the only widely used distributed instant messaging protocol other than IRC) operators have all begun requiring encryption for client-to-server and server-to-server connections. Quoting the Prosody developers: "Last year Peter Saint-Andre laid out a plan for strengthening the security of the XMPP network. The manifesto, to date signed by over 70 XMPP service operators and software developers, offered a rallying point for those interested in ensuring the security of XMPP for its users. Today is the date that the manifesto gave for the final 'flip of the switch': as of today many XMPP services will begin refusing unencrypted connections. If you run an XMPP service, we encourage you to do the same. On the xmpp.org wiki you can find instructions for all the popular XMPP server software. While XMPP is an open distributed network, obviously no single entity can 'mandate' encryption for the whole network — but as a group we are moving in the right direction." There is a handy tool to test your server. A result worth noting is Google's: they still do not support TLS for server-to-server connections, and their sudden dropping of TLS s2s connections a few years ago is likely the primary reason operators switched off mandatory TLS for s2s (I know that's why I did it). Although Google Hangouts offers no federation, GTalk still does, but it appears that the XMPP network-at-large will now cease to federate with Google voluntarily.
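
An added example, not part of the original story and not code from any XMPP project: a Python sketch of the kind of check a server test performs, classifying whether a server's pre-TLS stream features make STARTTLS required, optional, or absent under the RFC 6120 rule. The function names, the `host`/`domain` parameters and the sample replies are assumptions made for illustration; the samples are constructed, and no SRV lookup is done.

```python
import socket
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"

def starttls_policy(server_bytes):
    """Classify the STARTTLS offer in the bytes a server sends after stream open."""
    parser = ET.XMLPullParser(events=("end",))  # copes with the unclosed <stream:stream>
    parser.feed(server_bytes)
    getattr(parser, "flush", lambda: None)()    # newer Expat may defer parsing until flushed
    for _event, elem in parser.read_events():
        if elem.tag != f"{{{NS_STREAM}}}features":
            continue
        tls = elem.find(f"{{{NS_TLS}}}starttls")
        if tls is None:
            return "absent"
        # RFC 6120: mandatory when <required/> is present or STARTTLS is the only feature.
        if tls.find(f"{{{NS_TLS}}}required") is not None or len(elem) == 1:
            return "required"
        return "optional"
    return "no-features"

def fetch_features(host, domain, port=5269, timeout=10):
    """Open a plaintext stream (5269 = s2s, 5222 = c2s) and return the reply bytes."""
    ns = "jabber:server" if port == 5269 else "jabber:client"
    header = (f"<?xml version='1.0'?><stream:stream to='{domain}' xmlns='{ns}' "
              f"xmlns:stream='{NS_STREAM}' version='1.0'>").encode()
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(header)
        while b"</stream:features>" not in buf and b"<stream:features/>" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf

# Constructed sample replies (not captured from any real server).
HEADER = (b"<?xml version='1.0'?><stream:stream xmlns='jabber:server' "
          b"xmlns:stream='http://etherx.jabber.org/streams' id='x1' version='1.0'>")
TLS_OPEN = b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'"
DIALBACK = b"<dialback xmlns='urn:xmpp:features:dialback'/>"
REQUIRED = (HEADER + b"<stream:features>" + TLS_OPEN + b"><required/></starttls>"
            + DIALBACK + b"</stream:features>")
OPTIONAL = HEADER + b"<stream:features>" + TLS_OPEN + b"/>" + DIALBACK + b"</stream:features>"
PLAINTEXT_ONLY = HEADER + b"<stream:features>" + DIALBACK + b"</stream:features>"
```

The offer is sent in cleartext before TLS starts, so it can be altered in transit; a client or peer server still has to refuse to proceed without TLS on its own side.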


  1. Google is dropping XMPP and Talk/Chat anyway by The+Cisco+Kid · · Score: 4, Informative

    So their lack of support for TLS with it is sort of a moot point.

    http://tech.slashdot.org/story...

    1. Re:Google is dropping XMPP and Talk/Chat anyway by nine-times · · Score: 5, Insightful

      You know, I can understand why Google might decide that XMPP isn't sufficient for the kinds of features they'd like to support, and so deciding to develop something new in-house with their desired feature set. I really wish, though, that they would open a protocol that still allowed outside people to communicate.

      I just find it insane how much we're moving back in the direction of "walled gardens" everywhere. There was a time when most people's exposure to online interaction was services like Compuserve, AOL, and Prodigy, and those services couldn't talk to each other. I think we're headed back in that direction, except that soon we'll all be on services like Google+, Facebook, and Twitter, and those services won't talk to each other.

      We really need a revolution soon, or I think we're going to find that we don't like where we end up. I know it sounds trivial because these are all free services, and most of what's communicated on them is trivial anyway. Still, it's transforming the Internet into a less free place, where we're all at the whim of a small handful of companies. I think it's a bigger problem than we've yet realized.

    2. Re:Google is dropping XMPP and Talk/Chat anyway by Charliemopps · · Score: 2

      It's about choice. I can understand that we should always have choice. But the idea that we shouldn't be able to "choose" a walled garden if we want one seems ass-backward to me. Do you remember CompuServe, AOL and Prodigy? There were plenty of others as well... some of them were Awesome. I loved CompuServe. I wouldn't go back now... but if some people want to, why shouldn't they have the choice to do so? Google's pretty darned open compared to most other modern tech companies. If they want to offer some services that aren't as open, because it will make some people who don't care about openness have a better experience, why not? Let me know when "open" isn't a choice I can make. Then I'll get out my picket sign.

    3. Re:Google is dropping XMPP and Talk/Chat anyway by MoonlessNights · · Score: 2

      They never really explained why federation wouldn't work or why XMPP wasn't sufficient for their needs. As far as I can tell, this was purely to thicken the walls on the garden.

      This is the problem with anyone becoming too big within an otherwise open space: there is no reason for them to play nice when they have de facto control. Let's just hope that E-Mail doesn't suffer the same fate at the hands of GMail.

      I have said almost word-for-word what you just said about walled gardens (even using Compuserve and AOL as examples) so I am totally in agreement with your concerns on that front.

    4. Re:Google is dropping XMPP and Talk/Chat anyway by Kimomaru · · Score: 2

      I hadn't really thought of it that way, that we're moving back to walled gardens. It's kinda funny. Anyway, I guess people like the comfort and convenience of walled gardens. What really bums me out isn't that the large majority of people like them, but that highly technical people do as well. I know people who, no question, can install anything including an XMPP server on extremely cheap, low power consumption hardware and yet they don't bother. They find smartphones, Windows and Apple products too delightful. When Apple insists that only Apple users can use iChat with their phones, tablets, and desktops, it compels others to buy these products as well to stay in the loop.

      So, yeah, out of principle I avoid iOS and Android and stay Debian/Open Source everywhere I can. It's not a perfect solution, but it's the best one I know of.

    5. Re:Google is dropping XMPP and Talk/Chat anyway by Pi1grim · · Score: 5, Insightful

      That's BS. All this achieves is pushes you into the same zoo of IM clients that stretches from the '90s. ICQ, Odigo, MSN, Gadu, Skype, XMPP and now all the mobile IMs are all dreaming of being The One. I'm so glad all this corporate "there can be only one and it should be us" broke out after email was standardized. Because right now, several decades from its invention, we're still stuck with it. No matter how ugly or unsuitable for modern needs the protocol is and how many ugly hacks have been applied to it. Just because this is the only universal communication method. You can send a message and receiver will get it regardless of what mail service it uses.

      Back in the day Google's tech team thought that something similar should be done for IM market and supported XMPP. But then, they decided that this product was too good, to let other people, who don't use Google's services to use it to contact the ones already in the Google's web of services. "Everyone should get a Google ID." And now hopes of other players are even dimmer than they ever were. Looks like my dream, where people from Facebook, Google, university network and some corporate IM system can get into one conference and chat is a pipe dream.

      I don't care for internal protocols, features and such. I just want interoperability between servers. Let john@google.com message jane@facebook.com and any other server that has supported XMPP server. It worked great for email, why the hell do you try to introduce walled gardens and cause pain to your users?

  2. Not evil, but definitely rotting from within by TrentTheThief · · Score: 3, Interesting

    Google is acquiring all of the arrogant bullshit attitudes and implementing arbitrary rules and standards just the same way that Microsoft did.

    It's a sad shame. But an evil empire smells not different from an empire that's rotting.

  3. End to End is the goal by Anonymous Coward · · Score: 5, Interesting

    Which is why Google will drop XMPP. You can use plugins for true end-to-end encryption. This disallows Google from reading your chats which it will never stand for.

  4. kinda misses the point. by nimbius · · Score: 2, Informative

    Google is pretty well seated in the back pocket of the US government. Even if they were to endorse TLS it doesn't preclude them from silently forwarding all your conversations to the NSA.
    Voluntarily ceasing to federate is the logical conclusion to a software project run by people who care about their users, so nothing special here. However, voluntarily ablating yourself from Google, Facebook, Twitter, Snapchat, and other "social" sites is probably a long-term goal to which we should all strive.

    adblock, noscript, and ssl everywhere are all valid tools. For Android users AdAway can be found on F-Droid.org. Your alternative search engine is Duckduckgo.com, and although it's nowhere near as powerful, openstreetmaps can be used in place of Google Maps quite often. Alternative free email can be found at freeshell.org (it includes webmail too.) Use unbound for DNS recursion instead of Google, or use www.opennicproject.org.

    --
    Good people go to bed earlier.

  5. To sell twice as many devices by tepples · · Score: 2

    Compromises over screen size are hardly an indication of being "less open"; I'm not even sure what "evil" spin you could put on that.

    If the screen size never changes, then it's impossible to have two applications on the screen at once. This means apps run all maximized all the time despite a 7" tablet's screen being big enough for two phone apps, and if you want to see two apps running at the same time, you have to pay for twice as many devices.

  6. Walled E-Mail: Facebook by DrYak · · Score: 2

    Let's just hope that E-Mail doesn't suffer the same fate at the hands of GMail.

    You haven't been using Facebook Messaging recently?
    The only reason it's not considered such by all is that they still tactfully manage to avoid calling it "E-Mail".
    But the set of functionality is very similar to any other webmail system (including attachment, etc.) minus the interoperability.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]

  7. Re:Google Play Store in AOSP? by Andy+Dodd · · Score: 2

    In short, Play Store is NOT included with AOSP.

    CM received a pretty nasty cease-and-desist letter from Google regarding gapps a few years ago. The "workaround" was that users could extract the gapps suite from their device and reinstall it.

    And yes, the current approach doesn't quite meet that legal definition, but what is protecting CM (and other projects) is that *they are not hosting gapps* - have you noticed that for any project, when you're instructed to get gapps, you're routed *elsewhere*?

    Kinda screams "not included" to me.

    (Note: CyanogenMod 10.2 on the Oppo N1 and CM 11S on the OnePlus One are special cases. These are the ONLY devices where CM has gone through the full GMS certification/approval process.)

    --
    retrorocket.o not found, launch anyway?