Security Notice: Uncontrolled Resource Consumption with Highly-Compressed XMPP Stanzas

 Posted on April 4, 2014 |  1 minutes |  Miscellaneous |  stpeter

The XMPP Standards Foundation has published a security notice describing an uncontrolled resource consumption vulnerability in several XMPP server implementations that support application-layer compression. Details can be found at https://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/.

Thank You to the Internet Society

 Posted on February 12, 2014 |  1 minutes |  Miscellaneous |  bear

On December 20th, 2013 the XSF received some very exciting news, to end what had already been a great year - ISOC were awarding the XMPP community an incredibly generous gift to help support the work we are doing in improving privacy and security. In their own words: “The Internet Society takes a great interest in projects that will improve our existing mechanisms for on-line privacy and trust and we appreciate the XMPP Standards Foundation’s leadership in securing XMPP services in the wake of recent events.

XMPP Ubiquitous Encryption - a manifesto

 Posted on November 7, 2013 |  1 minutes |  Miscellaneous |  bear

Peter Saint-Andre has created a manifesto for others to join, debate and discuss a plan for upgrading the XMPP network to always-on, mandatory, ubiquitous encryption: https://github.com/stpeter/manifesto. To quote Peter: In short: we owe it to those who use XMPP technologies to improve the security of the network (and thanks to Thijs Alkemade, we now have better ways to test such security, using the newly-launched “IM Observatory” at xmpp.net). Although we know that channel encryption is not the complete answer, it’s the right thing to do because it will help to protect people’s communications from prying eyes.

In-Band Real-Time Text to Draft Standard

 Posted on October 9, 2013 |  1 minutes |  Miscellaneous |  stpeter

The XMPP Standards Foundation has advanced XEP-0301 (In-Band Real Time Text) from Experimental to Draft in its standards process. This technology enables “conversational text” to be exchanged instantly while it is being typed or created, which has applications in live speech transcription, systems for the deaf and hard of hearing, and other situations where speech is not practical.

Stanza Forwarding to Draft Standard

 Posted on October 9, 2013 |  1 minutes |  Miscellaneous |  stpeter

XEP-0297, which defines a method for forwarding XMPP stanzas from one entity to another, has been advanced to a status of Draft within the XSF’s standards process.

Server Dialback to Draft Standard

 Posted on September 28, 2013 |  1 minutes |  Miscellaneous |  stpeter

The XMPP Standards Foundation has advanced the Server Dialback protocol specification (XEP-0220) to a status of Draft. Although this protocol was originally defined in RFC 3920, it was moved to XEP-0220 in 2007 when work began on the updated XMPP RFCs, and the documentation has been continually improved since then.

Bidirectional Server-to-Server Connections

 Posted on September 26, 2013 |  1 minutes |  Miscellaneous |  stpeter

Today the XMPP Council advanced XEP-0288 from Experimental to Draft in the XSF’s standards process. This specification decreases the number of sockets necessary for server-to-server connections and also removes some of the practical barriers to connection multiplexing in the Server Dialback protocol.

Prosody 0.9 released

 Posted on August 21, 2013 |  1 minutes |  Miscellaneous |  bear

The Prosody dev team has been quite busy - here are the details from their mailing list announcement: We are proud to present you with the release of Prosody 0.9.0. Prosody is a lightweight XMPP server, written in Lua. We focus on simplicity, ease-of-use and efficiency - which is why you can find Prosody running just about anywhere from embedded systems all the way up to large-scale services. For a full run-down of the release, in colour, please see our blog

Jitsi 2.0 Now Released!

 Posted on March 7, 2013 |  1 minutes |  Miscellaneous |  Neustradamus

With support for audio and video calls, Jitsi has long had one of the richest Jingle implementations. Now the project has added even more on top of that: Multiparty Video Conferencing. One of the most prominent new features in the 2.0 release is Multiparty Video Conferencing. Such conferences can work in an ad-hoc mode where one of the clients relays video to everyone else, or in cases that require scalability, Jitsi can use the Jitsi Videobridge: an RTP relaying server controlled over XMPP.