Timeline Sandbox

@Planet_Jabber_XMPP@feeds.twtxt.net

Monal IM: Upgrade ejabberd on Debian NOW Chances might be that you are running a Debian based ejabberd server. Unfortunately push for all your Monal users on that server will break in less than 2 months. And chances are that some of your S2S connections are already failing today.

Some background

The Web-PKI is moving away from certificates having both the TLS Web Server Authentication and the TLS Web Client Authentication extended key usages enabled. Most CAs already stopped issuing certificates with t ... ⌘ Read more

Read replies 3 days ago
@Planet_Jabber_XMPP@feeds.twtxt.net

Mathieu Pasquet: Poezio 0.16 Almost exactly one year since the last release, here is poezio 0.16.

Poezio is a terminal-based XMPP client which aims to replicate the feeling of terminal-based IRC clients such as irssi or weechat; to this end, poezio originally only supported multi-user chats and anonymous authentication.

Features

![A screenshot of poezio showing several test messages, with two of them moderated, one with a reason and the other without.](https://blog.mathieui.net/feeds/tag/images/po ... ⌘ Read more

Read replies 1 week ago
@Planet_Jabber_XMPP@feeds.twtxt.net

Prosodical Thoughts: Upcoming changes to Let's Encrypt and how they affect operators On 11th February, Let’s Encrypt will be rolling out a change to the certificates they issue to servers by default. Although there is generally nothing that Prosody operators need to do, servers using the new certificates may experience problems connecting to some other XMPP servers on the network.

Certificate basics

First, a tiny bit of background on certificates. Certificate Authorities (CAs) such as Let’s Encrypt work by verify ... ⌘ Read more

Read replies 2 months ago
@Planet_Jabber_XMPP@feeds.twtxt.net

Erlang Solutions: MongooseIM 6.4: Simplified and Unified MongooseIM is a scalable and efficient instant messaging server. With the latest release 6.4.0, it has become more powerful yet easier to use and maintain. Thanks to the internal unification of listeners and connection handling, the configuration is easier and more intuitive, while numerous new options are supported.

New features include support for TLS 1.3 with optional channel binding for improved security, single round-trip authent ... ⌘ Read more

Read replies 7 months ago
@Planet_Jabber_XMPP@feeds.twtxt.net

JMP: Mitigating MITMs in XMPP In October 2023, Jabber.ru, “the largest Russian XMPP messaging service”, discovered that both Hetzner and Linode had been targeting them with Machine-In-The-Middle (MITM) attacks for up to 6 months. MITM attacks are when an unauthorised third party intercepts traffic intended for someone else. At the point of interception, the attacker can inspect and even modify that traffic. TLS was created to mitigate this; all communication between the two parties is encrypted, so the third party sees ... ⌘ Read more

Read replies 10 months ago
@Planet_Jabber_XMPP@feeds.twtxt.net

ProcessOne: ejabberd 25.03 ejabberd 25.03

Release Highlights:

If you are upgrading from a previous version, please check the [changes in SQL schemas](https://www.process-one ... ⌘ Read more

Read replies 1 year ago
@Planet_Jabber_XMPP@feeds.twtxt.net

ProcessOne: ejabberd 24.12 ejabberd 24.12

Here comes ejabberd 24.12, including a few improvements and bug fixes. This release comes a month and half after 24.10, with around 60 commits to the core repository alongside a few updates in dependencies.

Release Highlights:

Read replies 1 year ago
@Planet_Jabber_XMPP@feeds.twtxt.net

Erlang Solutions: Top 5 Tips to Ensure IoT Security for Your Business In an increasingly tech-driven world, the implementation of IoT for business is a given. According to the latest data, there are currently 17.08 billion connected IoT devices, and counting. A growing number of devices requires robust IoT security to maintain privacy, protect sensitive data and prevent unauthorised access to connected devices.

A si ... ⌘ Read more

Read replies 1 year ago
@Planet_Jabber_XMPP@feeds.twtxt.net

Isode: Harrier 4.0 – New Capabilities Harrier is our Military Messaging client. It provides a modern, secure web UI that supports SMTP, STANAG 4406 and ACP 127. Harrier allows authorised users to access role-based mailboxes and respond as a role within an organisation rather than as an individual.

You can find out more about Harrier here.

** ... ⌘ Read more

Read replies 2 years ago
@Planet_Jabber_XMPP@feeds.twtxt.net

Snikket: Security notice: Snikket not affected by CVE-2024-3094 A security vulnerability was intentionally added to a widely used open-source project known as ‘xz’. This project is packaged in many operating systems, and a lot of software depends upon it. The vulnerability has been assigned the identifier CVE-2024-3094.

Systems with the vulnerable package may allow an attacker to gain unauthorized access to the system via SSH, if your system’s SSH server was linked to the affected packages.

Thankfully, the vulne ... ⌘ Read more

Read replies 2 years ago
@Planet_Jabber_XMPP@feeds.twtxt.net

Ignite Realtime Blog: PionTurn plugin 1.0.0 released! The Ignite Realtime community is happy to announce the release of version 1.0.0 of the PionTurn plugin.

This version brings in the new long-term authentication compatible with the TURN REST format, bringing security to the latest standard.

And it also brings in a new mechanism for resolving domain names, making it possible to run the PionTurn plugin in a dynamic IP environment without having to worry about updating the IP.

Last but not ... ⌘ Read more

Read replies 2 years ago
@Planet_Jabber_XMPP@feeds.twtxt.net

Mathieu Pasquet: slixmpp v1.8.5

Highlights

  • Moving away from self-hosted gitlab (mathieui)
  • Fix connection to Snikket instances (pep., mathieui)
  • Performance fix for XEP-0115 queries
  • New documentation listing projects using slixmpp (genghis)
  • Bugfix and improvements (nicoco, mostly)

Details

  • Gitlab migration: see the other blog post
  • Fix connections to Snikket instances:

Snikket decided to forbid PLAIN authentication, which is good but exposed ... ⌘ Read more

Read replies 2 years ago
@Planet_Jabber_XMPP@feeds.twtxt.net

Ignite Realtime Blog: Non-SASL Authentication Openfire plugin 1.1.0 released! We’ve just released version 1.1.0 of the Non-SASL Authentication plugin for Openfire! This release fixes a compatibility issue with Openfire 4.8.0.

The Non-SASL Authentication plugin provides an implementation for authentication with Jabber servers and services using the jabber:iq:auth namespace, as specified in XEP-0078: Non-SASL Authentication. ... ⌘ Read more

Read replies 2 years ago
@Planet_Jabber_XMPP@feeds.twtxt.net

Ignite Realtime Blog: CVE-2023-32315: Openfire vulnerability (update) A few months ago, we published details about an important security vulnerability in Openfire that is identified as CVE-2023-32315.

To summarize: Openfire’s administrative console (the Admin Console), a web-based application, was found to be vulnerable to a path traversal attack via the setup environ ... ⌘ Read more

Read replies 2 years ago
@Planet_Jabber_XMPP@feeds.twtxt.net

Isode: Harrier 3.3 – New Capabilities Harrier is our Military Messaging client. It provides a modern, secure web UI that supports SMTP, STANAG 4406 and ACP 127. Harrier allows authorised users to access role-based mailboxes and respond as a role within an organisation rather than as an individual.

![Harrier Inbox view (behind) showing Military Messaging security label and priority parameters; and Message view (in front).](https://www.isode.com/company/wordpress/wp-content/uploads/2023/06/Harrier-M ... ⌘ Read more

Read replies 2 years ago
@Planet_Jabber_XMPP@feeds.twtxt.net

Ignite Realtime Blog: CVE-2023-32315: Openfire Administration Console authentication bypass We’ve had an important security issue reported that affects all recent versions of Openfire. We’ve fixed it in the newly published 4.6.8 and 4.7.5 releases. We recommend people upgrade as soon as possible. More info, including mitigati ... ⌘ Read more

Read replies 2 years ago
@Planet_Jabber_XMPP@feeds.twtxt.net

JMP: SMS Account Verification Some apps and services (but not JMP!) require an SMS verification code in order to create a new account.  (Note that this is different from using SMS for authentication; which is a bad idea since SMS can be easily intercepted, are not encrypted in transit, and are v ... ⌘ Read more

Read replies 3 years ago
@Planet_Jabber_XMPP@feeds.twtxt.net

Prosodical Thoughts: Bringing FASTer authentication to Prosody and XMPP As our work continues on modernizing XMPP authentication, we have some more new milestones to share with you. Until now our work has mostly been focused on internal Prosody improvements, such as the new roles and permissions framework. Now we are starting to extend our work to the actual client-to-server protocol in XMPP.

Prosody and [Snikket](https://snik ... ⌘ Read more

Read replies 3 years ago
@Planet_Jabber_XMPP@feeds.twtxt.net

Arnaud Joset: Updates: chatty server and HTTPAuthentificationOverXMPP It's been a long time since I updated this blog. It will be a short update post about two projects.

chatty_server

The first is chatty_server, a small XMPP bot I use to interact with my server. It allows me to get information about the CPU load, traffic, weather etc. It also has a small feature to get reminder messages. There was a bug that allowed anyone to spam reminders. Anybody can add the bot to their roster and could create random reminders t ... ⌘ Read more

Read replies 3 years ago
@Planet_Jabber_XMPP@feeds.twtxt.net

Kaidan: Encrypted Audio and Video Calls

Kaidan will receive a grant from NLnet for adding encrypted audio and video calls.

The calls will be end-to-end encrypted and authenticated via OMEMO. Furthermore, Kaidan will support small group calls. We strive for interoperability between Kaidan and other XMPP apps supporting calls. In order to achie ... ⌘ Read more

Read replies 3 years ago
@Planet_Jabber_XMPP@feeds.twtxt.net

Ignite Realtime Blog: REST API Openfire plugin 1.8.1 released! Earlier today, version 1.8.1 of the Openfire REST API plugin was released. This version removes the need to authenticate for status endpoints, adds new endpoints for bulk modifications of affiliations on MUC rooms, as well as a healthy number of other bugfixes.

The updated plugin should become available for download in your Openfire admin console in the course of the next few hours. Alternatively, you can download the pl ... ⌘ Read more

Read replies 3 years ago
@Planet_Jabber_XMPP@feeds.twtxt.net

Prosodical Thoughts: Modernizing XMPP authentication and authorization We’re excited to announce that we have received funding, from the EU’s NGI Assure via the NLnet Foundation, to work on some important enhancements to Prosody and XMPP. Our work will be focusing on XMPP authentication and authorization, and bringing it up to date with current and emerging best practices.

What kind of changes are we talking about? Well, there are a few aspects we are planning to work on. Let’s start with “authent ... ⌘ Read more

Read replies 3 years ago