We at jabber.at take security seriously. The same applies to our other hosted domains, jabber.zone and xmpp.zone.

This page contains a lot of buzzwords!

Security is a complex matter, and talking about it inevitably involves a lot of technical terms. If you do not understand these terms, please do not despair. We try to give an easy explanation of what they mean for you, and include Wikipedia links if you want to dig deeper.

Transport Layer Security (TLS)

Transport Layer Security (TLS), formerly known as SSL, encrypts the connections between the parts of the Jabber network. It is the same technology that turns plain HTTP into HTTPS for websites. With Jabber, TLS does not mean that nobody else can read your conversation: your messages are available in plain text on our server and, if your buddy is on another server, on that server as well. It is still an important step towards keeping your conversation private, because nobody in between (the operator of the Wi-Fi you are using, your ISP, anyone else on the network path) can read or alter it.

We have made it a fundamental principle that every connection is always encrypted. Try it with our homepage: visit http://jabber.at and see how it immediately redirects to HTTPS. For Jabber, we require encryption on both client-to-server and server-to-server connections; a connection that does not negotiate TLS is refused. Furthermore, we always opt for the strongest available choice when configuring encryption: 4096-bit (RSA) keys for our TLS certificates, DNSSEC-signed DNS records, and we disable encryption methods ("TLS cipher suites") that are no longer considered secure. A tool that verifies our encryption standards can be found on xmpp.net:

  • jabber.at: xmpp.net score
  • jabber.zone: xmpp.net score
  • xmpp.zone: xmpp.net score
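The xmpp.net check above is something you can reproduce yourself. The following script is an added example (not code from jabber.at or from xmpp.net): it opens a client-to-server XMPP stream, reads the features the server offers before TLS, reports whether STARTTLS is merely offered or marked as required, then upgrades the connection with certificate and hostname verification and prints the negotiated TLS version and cipher suite. It goes slightly beyond the text in that the same function, with the port and stream namespace changed, probes server-to-server connections on port 5269 as well. The sample feature strings at the top are constructed for the offline test and are not captured from jabber.at; a real client would first resolve the `_xmpp-client._tcp` SRV record instead of connecting to the domain name directly.

```python
"""Probe an XMPP server's TLS policy the way xmpp.net's checker does.

Added example, not jabber.at's own code.  Reads the pre-TLS <stream:features>,
classifies the <starttls> element, then upgrades to TLS and reports what was
negotiated.
"""
import socket
import ssl
import xml.etree.ElementTree as ET
from typing import Optional

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAM_NS = "http://etherx.jabber.org/streams"

# Constructed samples (not captured from a real server) of what a server may
# send before TLS.  Note the <stream:stream> open tag is deliberately unclosed:
# that is how a live server answers, so the parser must cope with it.
_STREAM_OPEN = ("<?xml version='1.0'?><stream:stream xmlns='jabber:client' "
                f"xmlns:stream='{STREAM_NS}' id='x' version='1.0'>")
SAMPLE_REQUIRED = _STREAM_OPEN + (
    f"<stream:features><starttls xmlns='{TLS_NS}'><required/></starttls>"
    "</stream:features>")
SAMPLE_OPTIONAL = _STREAM_OPEN + (
    f"<stream:features><starttls xmlns='{TLS_NS}'/>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>PLAIN</mechanism></mechanisms></stream:features>")
SAMPLE_NONE = _STREAM_OPEN + "<stream:features/>"


def stream_header(domain: str, ns: str = "jabber:client",
                  sender: Optional[str] = None) -> bytes:
    """Opening stream tag; ns='jabber:server' plus a sender makes it an s2s header."""
    frm = f" from='{sender}'" if sender else ""
    return (f"<?xml version='1.0'?><stream:stream to='{domain}'{frm} xmlns='{ns}' "
            f"xmlns:stream='{STREAM_NS}' version='1.0'>").encode()


def starttls_policy(raw: str) -> str:
    """Classify the pre-TLS features: 'required', 'optional' or 'absent'.

    The server's data ends with an unclosed <stream:stream>; closing it
    ourselves turns the bytes into a well-formed document we can parse.
    """
    try:
        root = ET.fromstring(raw + "</stream:stream>")
    except ET.ParseError:
        return "absent"
    starttls = root.find(f"{{{STREAM_NS}}}features/{{{TLS_NS}}}starttls")
    if starttls is None:
        return "absent"
    if starttls.find(f"{{{TLS_NS}}}required") is not None:
        return "required"
    return "optional"


def _read_until(sock: socket.socket, marker: bytes, limit: int = 65536) -> bytes:
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def probe(domain: str, host: Optional[str] = None, port: int = 5222,
          ns: str = "jabber:client", sender: Optional[str] = None,
          timeout: float = 10.0) -> dict:
    """Live check (needs network): STARTTLS policy plus negotiated TLS parameters."""
    with socket.create_connection((host or domain, port), timeout=timeout) as sock:
        sock.sendall(stream_header(domain, ns, sender))
        pre = _read_until(sock, b"</stream:features>").decode(errors="replace")
        policy = starttls_policy(pre)
        if policy == "absent":
            return {"starttls": policy}
        sock.sendall(f"<starttls xmlns='{TLS_NS}'/>".encode())
        reply = _read_until(sock, b"/>").decode(errors="replace")
        if "<proceed" not in reply:
            return {"starttls": policy, "error": reply.strip()}
        ctx = ssl.create_default_context()  # verifies chain and hostname
        # The certificate must match the XMPP domain, not the host we connected to.
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            cipher, _, bits = tls.cipher()
            return {"starttls": policy, "protocol": tls.version(),
                    "cipher": cipher, "bits": bits}


if __name__ == "__main__":
    import sys
    for dom in sys.argv[1:] or ["jabber.at"]:
        print(dom, "c2s", probe(dom))
```

A server that only reports `optional` still lets an active attacker strip STARTTLS from the feature list before the client sees it; `required` is the setting the page describes, and a hostname-verification failure in the upgrade step is exactly the kind of misconfiguration this check is meant to surface.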

Passwords

Unlike many other Jabber/XMPP servers, we no longer store passwords in plain text. Instead we store them in the SCRAM-SHA-1 format (RFC 5802): a random salt per user, an iteration count, and the keys derived from the salted, iterated hash of the password. This means that even in the event of a data breach the attacker does not obtain your password itself. Weak passwords can still be guessed offline from the stored data, so choosing a strong password remains important.
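To make concrete what "hashed with SCRAM-SHA-1" means for a breach, here is an added example (not ejabberd's or jabber.at's code) that implements both sides of RFC 5802 with the Python standard library: what the server writes to its database when you set a password, how the client proves it knows the password without sending it, and how the server checks that proof using only the stored keys. The exchange in `rfc5802_example()` uses the constructed nonces and salt from the RFC's own worked example (user `user`, password `pencil`); everything else, including the function names, is this example's own.

```python
"""SCRAM-SHA-1 (RFC 5802): what a server stores and how a login is checked.

Added example, not jabber.at's or ejabberd's code.
"""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ScramRecord:
    """Everything the server keeps for one user; the password itself is absent."""
    salt: bytes
    iterations: int
    stored_key: bytes   # H(ClientKey): enough to verify a client proof
    server_key: bytes   # HMAC(SaltedPassword, "Server Key"): proves the server to the client


def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # Hi() from RFC 5802 is exactly PBKDF2-HMAC-SHA-1 with a 20-byte output.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_record(password: str, iterations: int = 4096,
                salt: Optional[bytes] = None) -> ScramRecord:
    """What the server computes once, at password-set time."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    sp = salted_password(password, salt, iterations)
    client_key = hmac.new(sp, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(sp, b"Server Key", hashlib.sha1).digest()
    return ScramRecord(salt, iterations, hashlib.sha1(client_key).digest(), server_key)


def build_auth_message(user: str, client_nonce: str, server_nonce: str,
                       salt: bytes, iterations: int) -> bytes:
    """client-first-bare , server-first , client-final-without-proof (RFC 5802 s.3)."""
    nonce = client_nonce + server_nonce
    client_first_bare = f"n={user},r={client_nonce}"
    server_first = f"r={nonce},s={base64.b64encode(salt).decode()},i={iterations}"
    client_final_bare = f"c=biws,r={nonce}"  # c=biws is base64("n,,"): no channel binding
    return f"{client_first_bare},{server_first},{client_final_bare}".encode()


def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """Client side: proof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    sp = salted_password(password, salt, iterations)
    client_key = hmac.new(sp, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return _xor(client_key, client_sig)


def server_verify(record: ScramRecord, auth_message: bytes, proof: bytes) -> Optional[bytes]:
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey.

    Returns the ServerSignature on success (the client checks it to authenticate
    the server), None on a wrong password.
    """
    client_sig = hmac.new(record.stored_key, auth_message, hashlib.sha1).digest()
    client_key = _xor(proof, client_sig)
    if not hmac.compare_digest(hashlib.sha1(client_key).digest(), record.stored_key):
        return None
    return hmac.new(record.server_key, auth_message, hashlib.sha1).digest()


def attempt_login(record: ScramRecord, user: str, client_nonce: str,
                  server_nonce: str, password_tried: str) -> Optional[bytes]:
    """Run one full exchange against a stored record; None means rejected."""
    am = build_auth_message(user, client_nonce, server_nonce, record.salt, record.iterations)
    return server_verify(record, am, client_proof(password_tried, record.salt,
                                                  record.iterations, am))


def rfc5802_example() -> dict:
    """The RFC 5802 section 5 exchange (user 'user', password 'pencil'), base64 results."""
    salt = base64.b64decode("QSXCR+Q6sek8bf92")
    record = make_record("pencil", 4096, salt)
    am = build_auth_message("user", "fyko+d2lbbFgONRv9qkxdawL", "3rfcNHYJY1ZVvWVs7j", salt, 4096)
    proof = client_proof("pencil", salt, 4096, am)
    sig = server_verify(record, am, proof)
    return {"proof": base64.b64encode(proof).decode(),
            "server_signature": base64.b64encode(sig).decode() if sig else None,
            "stored_key": record.stored_key.hex()}


if __name__ == "__main__":
    print(rfc5802_example())
```

Two things follow from the code. The server record never contains anything from which the password can be read back, only a StoredKey that is a SHA-1 of a value derived through 4096 rounds of PBKDF2, so an attacker with the database is reduced to guessing passwords and paying that cost per guess. The ServerKey in the same record does let whoever steals it impersonate the server to clients, which is one more reason the database is worth protecting even though it holds no passwords.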

Emails

If we send you emails (e.g. when registering or if you lost your password), our emails are signed with DKIM and our domain publishes an SPF record. This lets your mail provider verify that a mail claiming to come from us was really sent by our mail servers and was not altered on the way, so forged mail pretending to come from us can be recognized.

If you configure a GPG key, all emails to you will also be encrypted with GPG.

Data storage

We store as little data as possible about you. This is important because it minimizes the damage in case of a security breach (or a search warrant by the government): data we never stored cannot be stolen or seized. Our privacy policy specifies exactly what data we store and why.

System administration

To minimize the risk of a security breach, our Jabber server runs nothing but the Jabber service itself. All other related tasks (including this homepage) run on separate servers, so a flaw in one of them does not expose the other. Several people watch our servers closely to apply security updates as fast as possible and to detect any attempt to break in.

Improve the Jabber/XMPP network

We are proud that we have repeatedly led the way towards stronger encryption on the Jabber network. In mid-2013 we were the only server that required server-to-server encryption; by now the situation has improved quite a bit.

By providing up-to-date ejabberd Debian/Ubuntu packages to the community (see APT repositories), not only our own but also dozens of other servers benefit from security updates, including critical fixes that we ship between upstream releases.