We at jabber.at take security seriously. Of course the same also counts for our other hosted domains, jabber.zone and xmpp.zone.

This page contains a lot of buzzwords!

Security is a complex matter, talking about it inevitably includes lots of technical terms. If you do not understand these terms, please do not despair. We try to give an easy explanation of what they mean for you, and include Wikipedia links if you want to dig deeper.

Transport Layer Security (TLS)

Transport Layer Security (TLS) (formerly known as SSL) encrypts the connections between parts of the Jabber network, the same method that is used to encrypt website traffic (HTTPS). We always require encryption and use only the strongest available encryption methods. This means 4096-bit TLS certificates and no insecure encryption methods ("TLS ciphers").

TLS is not "end to end" encryption: messages are still available in plain text on our server unless both sides of your conversation use a client with end-to-end encryption.

A tool that verifies our strong encryption standards can be found on xmpp.net:

  • jabber.at: xmpp.net score
  • jabber.zone: xmpp.net score
  • xmpp.zone: xmpp.net score

DNSSec and DANE

Our domains are secured with DNSSec. This means that domain lookups (which tell your computer which IP address our domain uses) are cryptographically signed and cannot be altered by an intermediary.

We further use DANE, which allows your client to verify that the TLS certificate it sees is indeed the one we use.

Passwords

Unlike many other Jabber/XMPP servers, we no longer store passwords in plain text but hash them using SCRAM-SHA1. This means that even in the event of a data breach, passwords cannot be easily retrieved by the attacker.
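As an added illustration (not jabber.at's or ejabberd's own code), here is what an SCRAM-SHA-1 server keeps instead of the password and how it verifies a login without ever holding the password, following RFC 5802; the replayed test vector is the RFC's own example (user "user", password "pencil"), and all other names are constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

def scram_sha1_record(password: str, salt: Optional[bytes] = None, iterations: int = 4096) -> dict:
    """What an SCRAM-SHA-1 server stores instead of the password (RFC 5802)."""
    salt = salt if salt is not None else os.urandom(16)  # fresh per-user salt
    # SaltedPassword := Hi(password, salt, i), which is PBKDF2 with HMAC-SHA-1
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    # Only salt, i, StoredKey = H(ClientKey) and ServerKey are kept; the password
    # and SaltedPassword are never written to the database.
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.sha1(client_key).digest(), "server_key": server_key}

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """Client side: p = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    return _xor(client_key, hmac.new(stored_key, auth_message, hashlib.sha1).digest())

def server_verify(record: dict, auth_message: bytes, proof: bytes) -> bool:
    """Server side: unmask ClientKey from the proof and check H(ClientKey) == StoredKey."""
    client_sig = hmac.new(record["stored_key"], auth_message, hashlib.sha1).digest()
    client_key = _xor(proof, client_sig)
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), record["stored_key"])

def server_signature(record: dict, auth_message: bytes) -> bytes:
    """Sent back as v=...: proves the server holds ServerKey without revealing it."""
    return hmac.new(record["server_key"], auth_message, hashlib.sha1).digest()

def rfc5802_vector_ok() -> bool:
    """Replay the RFC 5802 section 5 example (user 'user', password 'pencil')."""
    salt = base64.b64decode("QSXCR+Q6sek8bf92")
    nonce = "fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
    auth = (f"n=user,r=fyko+d2lbbFgONRv9qkxdawL,r={nonce},s=QSXCR+Q6sek8bf92,i=4096,"
            f"c=biws,r={nonce}").encode("ascii")
    rec = scram_sha1_record("pencil", salt, 4096)
    proof = client_proof("pencil", salt, 4096, auth)
    return (base64.b64encode(proof) == b"v0X8v3Bz2T0CJGbJQyF0X+HI4Ts="
            and server_verify(rec, auth, proof)
            and base64.b64encode(server_signature(rec, auth)) == b"rmF9pqV8S7suAoZWja4dJRkFsKQ=")
```

A stolen record still permits offline guessing of weak passwords, so the iteration count and password quality remain the limiting factors after a breach.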

Emails

If we send you emails (e.g. when registering or if you lost your password), our emails are secured with DKIM and SPF. This ensures that any emails you receive really do come from us.

If you configure a GPG key, all emails to you will also be encrypted with GPG.

Data storage

We store as little data as possible about you. This is important because it minimizes the damage in case of a security breach (or a search warrant by the government). Our privacy policy specifies exactly what data we store and why.

System administration

To minimize the risk of a security breach, our Jabber server really does nothing else. All other related tasks (including this homepage) run on different servers. Several people watch our servers closely to apply security updates as fast as possible and detect any attempt to break into our servers.

Improve the Jabber/XMPP network

We are proud that we have repeatedly led the way towards stronger encryption on the Jabber network. In mid-2013 we were literally the only server that required server-to-server encryption; by now this situation has improved quite a bit.

By providing up-to-date ejabberd Debian/Ubuntu packages to the community (see APT repositories), not only our own server but also dozens of others profit from security updates, including some critical ones we push between releases.