[JDEV] Security/Encryption Issues

[Michael Brown]

I've just been mulling over the issues with Jabber security and have come up
with the following points...

Instant Messaging (and ICQ in particular) have come under heavy fire in the
past for not being very secure.  I know of cases where people have been
banned from using ICQ at work because it is a "security risk".  This bad rap
is probably not that well deserved when compared to other insecure tools
that companies use quite happily (such as email), however it occurs to me
that since this perception is already in place it is something that Jabber
is also going to have to live with.

I would also say that Jabber is actually _less_ secure than ICQ, as with ICQ
online messages are send directly from user to user.  With Jabber each
message can go through many servers, and since Jabber is open source, it is
a relatively simple change for my ISP (someone elses ISP or anyone who is
able to set up Linux with a Jabber server) to insert some code into their
server that logs the contents of each message someone sends, along with who
they sent it to and when.

If Jabber can solve this security issue early enough on, then it will have a
serious advantage/selling point not only over all the other non-secured IM
systems out there, but also over email.  This would make Jabber a strong
player in the e-business/corporate world.

With the number of Jabber clients currently in the works, it looks less and
less likely that they will ever all support a common encryption protocol,
which will leave encryption as one of those "nice to have, but optional"
add-on features that a few clients support but no one ever really uses
because no one that they know is running the same client as them.

In order to make it easier to implement encryption, we really need a) a
standard, and b) to come up with a standard (L)GPL library for each major
platform - similar to how JabberCOM is used in most of the Win32 Jabber
clients.

Now is a good time to try to convince people that encryption is a good
thing, with all the publicity that Carnivore is getting.

Each client should display some form of indication as to wether or not the
message that they are reading/writing is signed/encrypted/secure.  (ie in
the form of a locked/unlocked icon etc.)

Every Jabber <=> Jabber message should be encrypted and signed - for any
message to an external IM system it should be made obvious that it is NOT
secure and could have been spoofed.

IMO, the Jabber Roster Items _must_ be changed ASAP to include an encryption
public key property.  If encryption is going to be used as the rule rather
than the exception, it only makes sense that you automatically get the key
for each person in your roster when you log in.  It is not practical to
fetch someones vCard each time you go to send them a message (even assuming
that they have a public key stored in their vCard) and if that is required
the chances are that most client developers are going to skip this step.

Ideally I would prefer that there was some message to also encrypt the
sender and destination address so that anyone scanning could not tell who I
was or who I was sending to, but I guess that would require an entire
redesign of the protocol.  <Sigh>.  At least the message contents should be
encrypted.

Comments?  Flames?  Is this being actively worked on?

Michael.