A few months ago I published a tutorial for "easily" setting up an XMPP/Jabber server with Prosody and fairly well-configured SSL/TLS on Debian. I have had quite a lot of positive feedback since, and I think it could interest other people.
So today I want to tell you about a little side project that I worked on over the Christmas break in between eating, watching cricket and napping. I added XMPP termination and proxy support to nginx.
This is a big post because I want to cover everything: background, rationale, implementation detail and so on. As I wrote the outline it occurred to me that this would make a really interesting talk. Maybe one day if I find an appropriate venue that could happen!
If you just want to use the thing, go and get it from GitHub: https://github.com/robn/nginx-xmpp
Let's get started.
We cannot trust governments, and even less companies, to ensure our security and privacy. We can, however, rely on civil society (such as the EFF (eff.org) or La Quadrature du Net), on whistleblowers (such as Chelsea Manning or Edward Snowden) and on tools that will not betray us, such as free software. Cryptography works! And that is one of the important pieces of news from these revelations. There are tutorials all over the net for starting to encrypt your communications. I'll let you go and look at OTR for Jabber (instant messaging), SSL/TLS for just about everything (mail, chat, ...), GPG (which requires a somewhat higher technical level), Tor, and above all, above all, I invite you to come to a cryptoparty / café vie privée to learn how to use them :)
Converse.js is an open source webchat client that runs in the browser and can be integrated into any website.
I'm just passing the word on, for those who run XMPP servers, that global tests are being set up, following the push to make encryption mandatory on XMPP (it is possible but optional for now, cf. http://xmpp.org/2013/11/xmpp-ubiquitous-encryption-a-manifesto/ ).
The English version: http://xmpp.org/2013/11/ubiquitous-xmpp-encryption-test-day-01/ .
The calendar:
January 4 is the first test day for global encryption with XMPP. The goal is to find out what breaks when all XMPP servers/clients enable encrypted communication.
February 22, 2014: second test day
March 22, 2014: third test day
April 19, 2014: fourth test day
May 19, 2014: permanent switchover
Also, XMPP server administrators should check their server's security at http://XMPP.net
Developers of XMPP tools should provide the minimum configuration needed to pass the tests at http://wiki.xmpp.org/web/Securing_XMPP
Everyone can sign the manifesto (with a "Sign the manifesto" pull request [Ed. note: and what if you don't have a GitHub account???]): https://github.com/stpeter/manifesto
The original message is by Simon Tennant on the jdev mailing list
Tor+federation
One lesser-known feature of Tor is hidden services. A user of Tor can set up a server that runs completely inside the Tor network, with a hostname ending in .onion. Users connecting to that host are guaranteed to be connected to the right host (the server can prove it owns that .onion address), yet the owner of the host remains completely anonymous. Nothing in the protocol reveals the computer the server runs on.
So here comes what I’ve been working on: federation between hidden services. There are a handful of XMPP servers that also offer a hidden service (for instance, jabber.ccc.de is also reachable as okj7xc6j2szr2y75.onion), but that uses Tor only for the client’s connection.
My goal is to allow users on abcdefghijklmnop.onion to chat with users on zyxwvutsrqponmlk.onion entirely through the Tor network. If everyone installed a local, Tor-federated XMPP server, maybe as a plugin for Adium or Pidgin, then all communication would become very difficult to trace. It can be totally decentralized: no third-parties are needed for two people to chat. No third parties know anything more about the occurrence of chats or the links between people. New identities can be created in seconds. All of this while still supporting many of the features of XMPP: any normal XMPP client with Tor support can be used.
Inspired by some recent discussion on the prosody-users mailing list, I started working on a tool to investigate the strength of the encryption an XMPP server offers. https://www.ssllabs.com/ has such a test, which gives a server a grade between A and F and shows a lot of helpful information about the SSL configuration, which features might be considered weak or undesirable, issues with the chain, etc. However, it only grades HTTPS servers, with no support for XMPP. // 3-part series, continued at: https://blog.thijsalkema.de/blog/2013/08/28/the-state-of-tls-on-xmpp-2/ and https://blog.thijsalkema.de/blog/2013/09/02/the-state-of-tls-on-xmpp-3/
Defending yourself against the NSA, or any other government intelligence agency, is not simple, and it's not something that can be solved just by downloading an app. But thanks to the dedicated work of civilian cryptographers and the free and open source software community, it's still possible to have privacy on the Internet, and the software to do it is freely available to everyone. This is especially important for journalists communicating with sources online.
You may not be able to run your own email or instant messaging server software but you may know a trusted entity (friend, organization) who (knows someone who) runs his own server and can create an account for you: a server you can trust and which does not do business by collecting your data. On your side, you need some appropriate software that additionally does crypto, and there we go!
A quick example:
an open standard for instant messaging is XMPP (formerly called Jabber);
existing XMPP servers I trust are jabber.ccc.de and xmpp.telecomix.org (it is also possible to run one yourself);
easy-to-use FLOSS clients allow you to connect to any XMPP server: Pidgin (with the OTR plugin for encryption) for Windows and GNU/Linux, Adium for Mac OS, Jitsi for these three platforms, Gibberbot for Android, etc.
See? No need for a US-based Gmail or Facebook, or a Russia-based ICQ. Go further with other usages by consulting this or this list of relevant software.
This article deliberately does not cover in detail software solutions and technical considerations, nor issues related to the need for anonymity and the importance of metadata. It shows that decent privacy improvements can be made with little effort and that they can make a substantial difference if massively applied. You can move on with this good pedagogical introduction from Quinn Norton.
So, remember: decentralization and cryptography through appropriate tools and behavior.
Do not expect laws to efficiently protect your privacy, as secret services will increasingly have means to silently and massively circumvent law obligations.
If governments wanted to promote privacy (and, through it, free speech and democracy), they would set up teaching of these key concepts to children at school and would promote FLOSS and internet decentralization. For now, they are mostly going the opposite way - corruption talks.
If you want to do instant messaging using an open protocol, with free software and without a centralized server, the solution is the XMPP protocol, standardized in RFC 6121. XMPP, like email, relies on the principle of federation. But many networks (stupidly, but that is another story) block outgoing XMPP. If SSH gets through, one possible solution is to tunnel XMPP over SSH.
Google users can still send subscription requests to contacts whose accounts are hosted elsewhere. But they cannot accept incoming requests. This change is akin to Google no longer accepting incoming e-mail for @gmail.com addresses from non-Google domains. That would be unthinkable.