

A Public Statement Regarding Ubiquitous Encryption on the XMPP Network - fenollp
https://github.com/stpeter/manifesto/blob/master/manifesto.txt

======
yogsototh
A simple comment to share Jitsi[1]. It uses XMPP but also many other
protocols. It encrypts text/audio/video and even has a share-and-control
screen feature.

I discovered it Friday. Our team will certainly use it as a secure replacement
for Hangouts and Skype. My only complaint is that it doesn't use my already
existing gpg keys.

[1]: https://jitsi.org

------
anilgulecha
The pidgin client/libpurple library is notably unrepresented.

~~~
james2vegas
Yeah, the list seems impressive until you assemble a list of non-signatories.

------
dobbsbob
I always use a .onion xmpp server. Moxie has a review of gibberbot somewhere
on his blog and all its TLS failings.

~~~
lambda
Looks like they disabled their faulty alternative trust manager, and are back
to using the built in one:

https://github.com/guardianproject/ChatSecureAndroid/blob/5008029f33cbc330cbc0aa884e7ef8622a3dad42/src/info/guardianproject/otr/app/im/plugin/xmpp/XmppConnection.java#L166

------
Nerdfest
While I respect the effort, this doesn't really do much about thwarting the
NSA, assuming that's a big part of the reason for this. The suspicion is that
they have the master keys anyway and can decrypt SSL/TLS at will.

~~~
lambda
Some clients use certificate pinning of known popular XMPP hosts. For example,
ChatSecure (née GibberBot) on Android appears to use Moxie's certificate
pinning for cert chains of a few well-known Jabber servers (like Google and
Facebook's), so you will get a warning if they ever start presenting you with
new certificates from a different CA.

The implementation leaves a little to be desired; the way it's implemented,
any of the CAs for any of the pinned organizations could issue certs that
could MITM you, but that's still a lot less than the usual default list of CAs
in the system trust store.
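As an added example, not code from this thread, from ChatSecure, or from Moxie's pinning library, the following Python models the weakness lambda describes: a pin check that keeps one flat list of pinned CA keys for all hosts versus one that only honours the pins recorded for the host being contacted. Every certificate, CA and host name in it is a constructed placeholder, and it assumes the platform trust manager has already validated the chain's signatures; only the pin comparison that sits on top of that is modelled.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only the fields pinning needs."""
    subject: str
    issuer: str
    spki: bytes  # DER SubjectPublicKeyInfo; constructed placeholder bytes here


def spki_pin(cert: Cert) -> str:
    """A pin is the SHA-256 of the certificate's public key info, hex encoded."""
    return hashlib.sha256(cert.spki).hexdigest()


# Constructed, hypothetical CAs; real pins would be taken from the real servers' chains.
CA_ORG_A = Cert("CA of Org A", "CA of Org A", b"constructed-spki-ca-org-a")
CA_ORG_B = Cert("CA of Org B", "CA of Org B", b"constructed-spki-ca-org-b")
CA_OTHER = Cert("Some other CA", "Some other CA", b"constructed-spki-ca-other")

# Pin store (constructed): which CA public keys are expected in the chain per XMPP host.
PINS: Dict[str, Set[str]] = {
    "xmpp.org-a.test": {spki_pin(CA_ORG_A)},
    "xmpp.org-b.test": {spki_pin(CA_ORG_B)},
}


def chain_for(host: str, issuing_ca: Cert) -> List[Cert]:
    """Build a constructed leaf + CA chain as a server would present it (leaf first)."""
    leaf = Cert(host, issuing_ca.subject, b"constructed-spki-leaf-" + host.encode())
    return [leaf, issuing_ca]


def chain_pins(chain: List[Cert]) -> Set[str]:
    """Pins of every certificate in the presented chain."""
    return {spki_pin(c) for c in chain}


def pinned_flat(host: str, chain: List[Cert]) -> bool:
    """Weak policy: one global pin list, the host name is ignored.

    Any CA pinned for *any* organization satisfies the check for *every* host,
    which is the cross-organization weakness described in the thread."""
    allowed = set().union(*PINS.values())
    return bool(chain_pins(chain) & allowed)


def pinned_per_host(host: str, chain: List[Cert]) -> Optional[bool]:
    """Stricter policy: only the pins recorded for this host count.

    Returns None for hosts with no pins, meaning "fall back to the system
    trust store"; True/False for pinned hosts."""
    allowed = PINS.get(host)
    if allowed is None:
        return None
    return bool(chain_pins(chain) & allowed)


def compare_policies(host: str, chain: List[Cert]) -> Dict[str, Optional[bool]]:
    """Run both policies on one handshake so the difference is visible side by side."""
    return {"flat": pinned_flat(host, chain), "per_host": pinned_per_host(host, chain)}


if __name__ == "__main__":
    host_a = "xmpp.org-a.test"
    print("legit chain:  ", compare_policies(host_a, chain_for(host_a, CA_ORG_A)))
    print("cross-org CA: ", compare_policies(host_a, chain_for(host_a, CA_ORG_B)))
    print("unpinned CA:  ", compare_policies(host_a, chain_for(host_a, CA_OTHER)))
    print("unpinned host:", compare_policies("other.test", chain_for("other.test", CA_OTHER)))
```

The second scenario is the one that matters: a chain for Org A's server issued under Org B's pinned CA passes the flat policy but fails the per-host policy, while a chain from a CA pinned for nobody fails both. Either policy still shrinks the trusted set far below the full system CA list, which is the point lambda makes.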

~~~
dingaling
> appears to use Moxie's certificate pinning for cert chains

Marlinspike and Perrin actually proposed TACK (http://tack.io/draft.html),
which requires changes to TLS.

Certificate pinning is different (simpler and less flexible) and does not
require protocol changes; the logic is held at the application level.

