Hi Peter!
Peter Flindt wrote:
> 1.) A new user chooses jabber.org as login server. Unfortunately
> something changes at jabber.org and the server goes down for some
> hours, the user chooses another server from a list, that server has too
> many downtimes, he chooses a 3rd. But how secure is this? Everyone can
> download the server software, run his own jabber server, and maybe add
> this server to some server lists. Maybe with some server software addon
> to spy out the userdata. I do not want to assume anything, but where is the
> "security" at this part?
You get a different account (address, password, ...) on the other
servers. There is no roaming of accounts between servers.
So you have to take your account on a server you trust, but you do not
have to trust the whole network for this.
> 2.)SSL/TSL
... TLS, not TSL ...
> I notice that a lot of users think SSL/TSL is "safer" for the messages,
> but if I understand SSL correctly it only does the following:
> User<->plain text<->SSL<->encrypted data transfer<->SSL<->plain
> text<->server
> Apart from the case that some clients/servers only use SSL for
> Password/Username (if I understand this SSL within Jabber correctly),
> where is the "security"? Why do a lot of users want to use SSL? I don't
> understand this hype. They all fear that someone spies on their internet
> connection?
Yes ... TLS only encrypts the connection. So when you only rely on TLS
for securing your messages, you have to trust your server again, as the
message is available in clear there.

But there are other protocols (RFC 3923, several JEPs, OTR, ...) to do
end-to-end encryption.

If the client uses TLS to do authentication, then the whole connection
will be protected by TLS. There is no way in XMPP/Jabber to drop the TLS
layer at a later point.
(Well, you could just switch the cipher in the TLS layer to the NULL
cipher, but this does not make any sense, and also I don't think any
client has even implemented that - why should it?)
Matthias
--
Matthias Wimmer Fon +49-700 77 00 77 70
Züricher Str. 243 Fax +49-89 95 89 91 56
81476 München http://ma.tthias.eu/
_______________________________________________
This is JUser -- a mailing list for end users of Jabber clients.
To unsubscribe, go to the following web page, scroll all the way down,
and type in your email address:
http://mail.jabber.org/mailman/listinfo/juser
_______________________________________________