
This makes me reconsider using XMPP as my main messenger. Not sure what I'd switch to yet.

infosec-handbook.eu/articles/x

@snikket_im does your setup also have the ability to log passwords in plain text?

@r perhaps, but them getting hacked makes me not super excited to use it.

@joseph matrix.org was hacked? share URL please. want to read, too.

@joseph saw the old news - it wasn't the messaging software that was hacked, but one of their tools (Jenkins).

@r that was how access was gained, yeah, but access was still gained.

@joseph What's the issue? Other than a sensationally written article with scare tactics?

@hund mainly the portion about being able to log passwords in plain text. Admins being able to log in as you is an issue for anyone not self hosting.

@hund @joseph
I read nothing new.
Don't let others hack your server.
Only use open source clients with e2ee.
If the NSA or Mossad are after you, no popular software will help you.
If you host your server at home, how good is your doorlock?

@rudolf @hund This assumes you are the one hosting the server, in which case, this isn't an issue. Most users aren't going to be hosting their own server, and logging passwords in plain text is an issue.

@joseph @rudolf Prosody does not log passwords in clear text, even with debug logging enabled.

@joseph Out of the box, no (even if you enable debug logging in the config).

If you dig into internals and know what you're doing, it is possible to modify things so that passwords are logged at two points: 1) when creating an account 2) when changing your password

A password is necessarily known to the service (XMPP or not) that you authenticate to, that's the point of them 🙂

Best practices for services are to not store or log passwords. We don't log, and we hash before storing 👍
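
As an added illustration of the storage model described in this reply (this is example code written for the thread, not Prosody's or Snikket's own implementation): a SCRAM-SHA-1 credential store in the style of RFC 5802, where the server handles the plaintext only at registration or password change and checks every later login from the salted hashes alone. The function names, the 4096-iteration default and the sample password are assumptions made for the example; the exchange is checked against the RFC 5802 Section 5 test vector.

```python
"""SCRAM-SHA-1 credential storage and login check, after RFC 5802.

Added example for this thread, not Prosody/Snikket code. It shows the two
moments a server necessarily handles the plaintext password (registration
and password change) and that later logins are verified from the stored
salted hashes only. Function names and the 4096-iteration default are
assumptions made for the illustration.
"""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StoredCredential:
    """What the server keeps on disk: no plaintext, nothing reversible."""
    salt: bytes
    iterations: int
    stored_key: bytes   # H(ClientKey)
    server_key: bytes   # HMAC(SaltedPassword, "Server Key")


def _salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # Hi() in RFC 5802 is PBKDF2 with HMAC-SHA-1. SASLprep of the password
    # is omitted here; real servers normalise it first.
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)


def register(password: str, iterations: int = 4096,
             salt: Optional[bytes] = None) -> StoredCredential:
    """Account creation or password change: the only place plaintext arrives.

    A server modified to log `password` here would capture it; an
    unmodified one derives the keys and drops the plaintext.
    """
    salt = os.urandom(16) if salt is None else salt
    sp = _salted_password(password, salt, iterations)
    client_key = hmac.new(sp, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(sp, b"Server Key", hashlib.sha1).digest()
    return StoredCredential(salt, iterations,
                            hashlib.sha1(client_key).digest(), server_key)


def auth_message(user: str, cnonce: str, snonce: str,
                 salt: bytes, iterations: int) -> bytes:
    """client-first-bare , server-first , client-final-without-proof."""
    s = base64.b64encode(salt).decode()
    return ",".join([
        f"n={user},r={cnonce}",
        f"r={cnonce}{snonce},s={s},i={iterations}",
        f"c=biws,r={cnonce}{snonce}",   # biws = base64("n,,"), no channel binding
    ]).encode()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def client_proof(password: str, salt: bytes, iterations: int, msg: bytes) -> bytes:
    """Client side: the password never leaves this function."""
    sp = _salted_password(password, salt, iterations)
    client_key = hmac.new(sp, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    client_sig = hmac.new(stored_key, msg, hashlib.sha1).digest()
    return _xor(client_key, client_sig)


def server_verify(cred: StoredCredential, msg: bytes, proof: bytes) -> Optional[bytes]:
    """Server side: needs only the stored record, never the password.

    Returns the ServerSignature on success (so the client can check it is
    talking to a server that holds ServerKey), None on failure.
    """
    client_sig = hmac.new(cred.stored_key, msg, hashlib.sha1).digest()
    client_key = _xor(proof, client_sig)   # undo the XOR from client_proof
    if not hmac.compare_digest(hashlib.sha1(client_key).digest(), cred.stored_key):
        return None
    return hmac.new(cred.server_key, msg, hashlib.sha1).digest()


def login(cred: StoredCredential, password: str, msg: bytes) -> bool:
    """Full round trip; True only if both the client proof and the server
    signature verify."""
    proof = client_proof(password, cred.salt, cred.iterations, msg)
    server_sig = server_verify(cred, msg, proof)
    if server_sig is None:
        return False
    sp = _salted_password(password, cred.salt, cred.iterations)
    server_key = hmac.new(sp, b"Server Key", hashlib.sha1).digest()
    return hmac.compare_digest(server_sig, hmac.new(server_key, msg, hashlib.sha1).digest())


if __name__ == "__main__":
    cred = register("correct horse battery staple")   # constructed sample
    msg = auth_message("alice", "cn0nce", "sn0nce", cred.salt, cred.iterations)
    print("good password:", login(cred, "correct horse battery staple", msg))
    print("bad password: ", login(cred, "hunter2", msg))
```

Note what the stored record does and does not protect against: someone who copies the database cannot read passwords out of it, but whoever runs the server still had the plaintext in hand at `register` time, and could patch that function to keep it, which is exactly the "two points" mentioned in the reply.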

@joseph In general the article you cited is very biased against XMPP, and borders on scaremongering. It highlights lots of "problems", while ignoring that they have solutions, or cannot be solved (by anyone).

E.g. half the article obsesses about the fact that the service sees IP addresses. This should be no surprise to anyone - this is how the internet works, not an XMPP thing. That's why Tor and VPNs are widely known solutions if you need to hide your IP from websites and services you use.

@snikket_im my main concern was obtaining passwords in plaintext to be as easy as changing the log level. If I'm recommending XMPP to people that aren't going to self host, I don't want them to end up on a random server on which the admin could easily impersonate them.

@joseph Passwords are to protect the account from unauthorized strangers, not from the server operator. Not logging/storing plaintext passwords is to protect against database/server compromise, not against a malicious operator.

E.g. consider that the operator can simply reset a user's password, but also (with some modifications) bypass password auth entirely if they want to.

Verified E2EE is the primary safeguard against this *whatever* platform/protocol you use. XMPP itself is not at fault.

@joseph There are no practical communication platforms/protocols where you don't have to trust someone. The best you can do is distribute that trust across many people (e.g. Tor, which Briar uses). But this isn't always feasible, which is why such platforms usually have significant limitations.

We see XMPP as a solid middle-ground that is decentralized to the extent that most people need. We promote self-hosting and try to make it easy, and ensure that people know who they place their trust in.

Fosstodon

Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.