We at jabber.at take security seriously. The same applies to our other hosted domains: jabber.zone, xmpp.zone and jabber.wien.

Transport Layer Security (TLS)

Transport Layer Security (TLS), formerly known as SSL, encrypts the connections between parts of the Jabber network. It is also what HTTPS uses, as opposed to HTTP, to encrypt website traffic. With Jabber, this doesn't mean that your conversation cannot be read by anybody else: it is available in plain text at our server and, if your buddy is on another server, at that server as well. But it's still an important step towards keeping your conversation private, as no one in between can read it.

We have made it a fundamental principle that every connection is always encrypted. Try it with our homepage: visit http://jabber.at and see how it immediately redirects to HTTPS. With Jabber, we require encryption for both client-to-server connections and server-to-server connections.

Furthermore, we always opt for the strongest choice when configuring encryption. This means 4096-bit TLS certificates and DNSSEC, and we deactivate encryption methods ("TLS ciphers") that are no longer considered secure. A tool that verifies our strong encryption standards can be found on xmpp.net:

  • jabber.at: xmpp.net score
  • jabber.zone: xmpp.net score
  • jabber.wien: xmpp.net score
  • xmpp.zone: xmpp.net score

We are proud that we have repeatedly led the way towards stronger encryption on the Jabber network. In mid-2013, we were literally the only server that required server-to-server encryption; by now this situation has improved quite a bit. By providing up-to-date ejabberd Debian/Ubuntu packages to the community (see APT repositories), not only our own server but also dozens of other servers profit from security updates - including some critical ones we push in between releases.

Passwords

Unlike many other Jabber/XMPP servers, we no longer store passwords in plain text but use SCRAM-SHA1 to hash passwords.
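
The following is an added example, not jabber.at's or ejabberd's own code: it shows what a SCRAM-SHA-1 server keeps in place of the plain-text password and how it checks a login against that record, following RFC 5802 and using that RFC's published test vector. It assumes an ASCII password (SASLprep normalization is skipped), and the function names are illustrative.

```python
import base64
import hashlib
import hmac


def _hmac_sha1(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()


def _client_key(password, salt, iterations):
    # SaltedPassword := Hi(password, salt, i), which is PBKDF2-HMAC-SHA1
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    return salted, _hmac_sha1(salted, b"Client Key")


def make_record(password, salt, iterations):
    """Server side, at registration: the only values written to storage."""
    salted, client_key = _client_key(password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.sha1(client_key).digest(),
            "server_key": _hmac_sha1(salted, b"Server Key")}


def client_proof(password, salt, iterations, auth_message):
    """Client side, at login: proves knowledge of the password without sending it."""
    _, client_key = _client_key(password, salt, iterations)
    signature = _hmac_sha1(hashlib.sha1(client_key).digest(), auth_message)
    return bytes(a ^ b for a, b in zip(client_key, signature))


def verify(record, proof, auth_message):
    """Server side, at login: returns the ServerSignature, or None on a bad proof."""
    signature = _hmac_sha1(record["stored_key"], auth_message)
    candidate = bytes(a ^ b for a, b in zip(proof, signature))
    if not hmac.compare_digest(hashlib.sha1(candidate).digest(), record["stored_key"]):
        return None
    return _hmac_sha1(record["server_key"], auth_message)


# Test vector from RFC 5802, section 5 (user "user", password "pencil").
SALT = base64.b64decode("QSXCR+Q6sek8bf92")
ITERATIONS = 4096
AUTH_MESSAGE = (b"n=user,r=fyko+d2lbbFgONRv9qkxdawL,"
                b"r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096,"
                b"c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j")

if __name__ == "__main__":
    record = make_record("pencil", SALT, ITERATIONS)
    proof = client_proof("pencil", SALT, ITERATIONS, AUTH_MESSAGE)
    print("proof accepted:", verify(record, proof, AUTH_MESSAGE) is not None)
    wrong = client_proof("pencil2", SALT, ITERATIONS, AUTH_MESSAGE)
    print("wrong password accepted:", verify(record, wrong, AUTH_MESSAGE) is not None)
```

The stored record holds only the salt, the iteration count, StoredKey and ServerKey, so a copy of the user database does not hand over passwords directly; weak passwords can still be guessed offline at the cost of the iterated hash per guess.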

Data storage

We store as little data as possible about you. This is important because it minimizes the damage in case of a security breach (or a search warrant by the government). We have a privacy policy specifying exactly what data we store and why.

System administration

To minimize the risk of a security breach, our Jabber server really does nothing else. All other related tasks (including this homepage) run on different servers. Several people watch our servers closely to apply security updates as fast as possible and detect any attempt to break into our servers.