While watching the recent State of the Onion talk, there was some discussion about XMPP, OTR, and libpurple security (halfway through): https://media.ccc.de/v/32c3-7307-state_of_the_onion#video

Granted, some of it was in reference to promoting Ricochet, although there were some valid points regarding rosters and possibly even the protocol schema itself.

Focusing on the servers, we have pushed for more federated encryption this year (despite the 2048 vs 4096 argument), which is good, and the fact that more s2s connections require TLS and SASL for encryption and authentication still puts us in a better position than email currently, as we can mostly verify our endpoints. Of course there's always DNSSEC as well, which seems to be getting heavier implementation in Germany, I hear.

There were also discussions regarding Diffie-Hellman, ECC and TLS certificates in reference to pre-computational passive attacks that should not be ignored. https://media.ccc.de/v/32c3-7288-logjam_diffie-hellman_discrete_logs_the_nsa_and_you#video

Client side, we still have a wide problem with libpurple being everywhere, as well as being a "flock of 0days flying in formation" (Tor talk). There was also an interesting article that covers more of the concerns with the clients themselves, but this being a server operators' list, I will just leave this here: https://motherboard.vice.com/read/secure-messaging-might-not-be-so-secure-otr-libpurple

Mostly my point was just to throw these concerns out and to see what more we can do as a community to ensure the security of ourselves and others does not become stagnant. There is a war on for our privacy and data, and it's our duty to stay vigilant.

“Just because you're paranoid doesn't mean they aren't after you”

Thanks to all you operators, and Happy New Year.

--
The Internet is changing, consider securing your messages with PGP.
https://keybase.io/psjbeisler/key.asc
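An added example, not part of the post above, for operators who want to check their own s2s TLS against the points raised (ephemeral DH group size after Logjam, protocol version, and whether the peer certificate actually verifies). It parses the handshake summary that `openssl s_client -starttls xmpp -connect host:5269` prints and reports findings; the two sample outputs are constructed for the example (example.net is a placeholder, not a real server), and the 2048-bit threshold and accepted protocol set are assumptions of the example, not a list policy.

```python
import re

MIN_DH_BITS = 2048                      # assumed threshold, per the 2048 vs 4096 debate
ACCEPTABLE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}  # assumed: anything older is flagged

# Constructed sample: abridged s_client output for a server offering a 1024-bit
# DH group, TLS 1.0 and a self-signed certificate. Not a real capture.
SAMPLE_WEAK = """\
CONNECTED(00000003)
depth=0 CN = example.net
verify error:num=18:self signed certificate
---
Server certificate
subject=CN = example.net
issuer=CN = example.net
---
Server Temp Key: DH, 1024 bits
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 18 (self signed certificate)
---
"""

# Constructed sample: the same server after fixing its configuration.
SAMPLE_OK = """\
CONNECTED(00000003)
depth=1 C = US, O = Example CA
verify return:1
depth=0 CN = example.net
verify return:1
---
Server certificate
subject=CN = example.net
issuer=C = US, O = Example CA
---
Server Temp Key: ECDH, P-256, 256 bits
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)
---
"""


def parse_s_client(output: str) -> dict:
    """Pull the handshake facts relevant to an s2s check out of s_client output."""
    info = {"temp_key_type": None, "temp_key_bits": None, "protocol": None,
            "cipher": None, "verify_code": None, "verify_text": None}
    # "Server Temp Key: DH, 1024 bits" or "Server Temp Key: ECDH, P-256, 256 bits"
    m = re.search(r"Server Temp Key: ([A-Za-z0-9]+)(?:, ([^,\n]+))?, (\d+) bits", output)
    if m:
        info["temp_key_type"] = m.group(1)
        info["temp_key_bits"] = int(m.group(3))
    m = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    if m:
        info["protocol"] = m.group(1)
    m = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    if m:
        info["cipher"] = m.group(1)
    m = re.search(r"Verify return code: (\d+) \(([^)]*)\)", output)
    if m:
        info["verify_code"] = int(m.group(1))
        info["verify_text"] = m.group(2)
    return info


def assess_s2s_tls(output: str) -> dict:
    """Return the parsed fields plus a list of human-readable findings."""
    info = parse_s_client(output)
    findings = []
    if info["temp_key_type"] is None:
        findings.append("no ephemeral key exchange: session has no forward secrecy")
    elif info["temp_key_type"] == "DH" and info["temp_key_bits"] < MIN_DH_BITS:
        findings.append(f"DH group is {info['temp_key_bits']} bits, below {MIN_DH_BITS}: "
                        "exposed to Logjam-style precomputation")
    if info["protocol"] not in ACCEPTABLE_PROTOCOLS:
        findings.append(f"legacy protocol {info['protocol']}")
    if info["verify_code"] != 0:
        findings.append(f"certificate did not verify ({info['verify_text']}): "
                        "peer identity cannot be confirmed")
    info["findings"] = findings
    return info


if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("ok", SAMPLE_OK)):
        result = assess_s2s_tls(sample)
        print(name, result["protocol"], result["cipher"], result["findings"] or "no findings")
```

In practice you would pipe the real `s_client` output into `assess_s2s_tls`; the two constructed samples only show what a failing and a passing server look like to the checker.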
