Increasingly, people are using solutions based on XMPP (Jabber) for instant messaging, to varying degrees abandoning ICQ. Given the openness of Jabber this is certainly the right approach: everyone can choose which server to use, or even run their own. The XMPP protocol has also proven itself in the corporate environment; many companies have successfully used Jabber alongside e-mail to exchange information for a number of years.
Communication solutions based on the Jabber protocol are commonly believed to be the least vulnerable from an information-security standpoint. In this article I will try to analyze whether this is in fact true and what real prospects the XMPP protocol has in this respect. The question will be considered in the context of using the protocol for personal messaging on public and private services, as well as in corporate settings.
Jabber for personal communication
Spam messages
For personal communication, Jabber began to be used en masse only relatively recently, which explains the near-total absence of commercial spam (or spim, in the XMPP Standards Foundation's terminology). I deliberately emphasize the absence of commercial spam, because at present there are sporadic mass mailings on large Jabber servers, organized with Python scripts by “schoolchildren” just for fun and not aimed at promoting any goods or services. Commercial spam may appear in Jabber in the near future; however, it should not become as widespread as in ICQ. The reasons for this are well described in this post.
XMPP is an open and extensible protocol that does not limit developers in writing all kinds of shapers and filters. For example, the qip.ru Jabber server successfully operates URL and JID filters, and on jabber.ru you can enable a MUC filter in your conference using a third-party service (a bot). In addition, Jabber offers privacy lists, which let the user regulate the receipt of messages from contacts, including those not in the roster.
It should also be noted that XEP-0159, which describes methods for blocking unwanted messages, exists and is under development.
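To make the filtering mechanisms above concrete, here is an added example (not code from the article or from any of the servers it names) of a minimal inbound message filter that combines a JID blocklist, a URL filter and a privacy-list style "roster contacts only" rule. The roster, blocklist, domains and stanzas are constructed sample data.

```python
# Added example, not from the article: a minimal inbound filter that combines
# the three mechanisms discussed above (a URL filter, a JID blocklist and a
# privacy-list style "roster only" rule). The roster, blocklist and stanzas
# are constructed sample data; the domains are placeholders.
import re
import xml.etree.ElementTree as ET

ROSTER = {"alice@example.net": {"bob@example.net", "carol@otherhost.example"}}
JID_BLOCKLIST = {"spammer@badhost.example"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
BODY_TAG = "{jabber:client}body"


def bare_jid(full_jid: str) -> str:
    """user@host/resource -> user@host (filters key on the bare JID)."""
    return full_jid.split("/", 1)[0]


def classify_message(stanza_xml: str, roster_only: bool = True):
    """Decide what to do with one <message/> stanza.

    Returns (verdict, reason); verdict is "deliver" or "drop".
    Rules, in order:
      1. sender on the JID blocklist             -> drop
      2. sender in the recipient's roster        -> deliver
      3. roster_only (privacy-list style rule)   -> drop any other sender
      4. body from a non-roster sender has a URL -> drop (URL filter)
      5. otherwise                               -> deliver
    """
    msg = ET.fromstring(stanza_xml)
    sender = bare_jid(msg.get("from", ""))
    recipient = bare_jid(msg.get("to", ""))
    body_el = msg.find(BODY_TAG)
    body = (body_el.text or "") if body_el is not None else ""

    if sender in JID_BLOCKLIST:
        return "drop", "jid-blocklist"
    if sender in ROSTER.get(recipient, set()):
        return "deliver", "roster-contact"
    if roster_only:
        return "drop", "privacy-list"
    if URL_RE.search(body):
        return "drop", "url-filter"
    return "deliver", "unknown-sender"


def filter_stanzas(stanzas, roster_only: bool = True):
    """Run the classifier over a batch and return the list of reasons."""
    return [classify_message(s, roster_only)[1] for s in stanzas]


# Constructed sample stanzas (not a capture from any real server).
SAMPLE_STANZAS = [
    "<message xmlns='jabber:client' from='bob@example.net/home' "
    "to='alice@example.net'><body>hi, lunch?</body></message>",
    "<message xmlns='jabber:client' from='spammer@badhost.example/x' "
    "to='alice@example.net'><body>cheap stuff</body></message>",
    "<message xmlns='jabber:client' from='stranger@elsewhere.example/m' "
    "to='alice@example.net'><body>look: http://promo.example/buy</body></message>",
    "<message xmlns='jabber:client' from='newfriend@elsewhere.example/m' "
    "to='alice@example.net'><body>we met at the conference</body></message>",
]

if __name__ == "__main__":
    for mode in (True, False):
        print("roster_only=%s:" % mode, filter_stanzas(SAMPLE_STANZAS, mode))
```

With the privacy-list rule on, every non-roster sender is dropped regardless of content; with it off, the URL filter still catches the stanza carrying a link while a plain greeting from a stranger gets through, which is the trade-off a user makes when choosing between the two mechanisms.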
Flood attacks aimed at a user JID or a conference
At the moment, the problem of flood attacks in Jabber is still relevant. That said, such attacks on a specific user JID are difficult, firstly because of the server-side shapers, which limit the amount of information a client may transmit, and secondly because of the possibility of using privacy lists.
Attacks on Jabber conferences are gradually becoming a thing of the past: you can fight them by turning on captcha protection in the room settings (if the server supports this functionality). However, there is a reverse side of the coin: with a large number of captcha requests, the captcha-generation service itself may suffer a denial of service (making it impossible to enter any chat on the attacked server protected in this way), and so may the node as a whole.
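The shaper the article credits with making floods against a single JID hard is, in essence, a per-session rate limiter. Here is an added example (not code from the article or from any server it names) of a token-bucket shaper run over constructed traffic from one normal session and one flooding session. Time is kept in integer milliseconds and tokens in integer millitokens so the arithmetic is exact; real shapers usually count bytes, this toy counts stanzas. The same bucket, keyed on source address, is one way to protect the captcha generator mentioned above from being exhausted by repeated requests.

```python
# Added example, not from the article: a per-session token-bucket shaper of
# the kind that limits how much a client may send. Time is in integer
# milliseconds and tokens in integer millitokens so the arithmetic is exact;
# real shapers usually count bytes, this toy counts stanzas.
from collections import defaultdict

MILLI = 1000


class TokenBucket:
    """Refill `rate_per_s` tokens per second up to `burst`; 1 token per stanza."""

    def __init__(self, rate_per_s: int, burst: int):
        self.refill_per_ms = rate_per_s          # millitokens per millisecond
        self.capacity = burst * MILLI
        self.tokens = self.capacity
        self.last_ms = None

    def allow(self, now_ms: int) -> bool:
        if self.last_ms is not None:
            self.tokens = min(self.capacity,
                              self.tokens + (now_ms - self.last_ms) * self.refill_per_ms)
        self.last_ms = now_ms
        if self.tokens >= MILLI:
            self.tokens -= MILLI
            return True
        return False


def shape(events, rate_per_s: int = 2, burst: int = 5):
    """events: iterable of (timestamp_ms, session_id) in time order.

    Returns {session_id: {"accepted": n, "throttled": n}}. A real server would
    key the bucket on the c2s session (or on the source IP in front of a
    captcha generator) and delay or disconnect a session that keeps overflowing.
    """
    buckets = defaultdict(lambda: TokenBucket(rate_per_s, burst))
    stats = defaultdict(lambda: {"accepted": 0, "throttled": 0})
    for ts_ms, session in events:
        key = "accepted" if buckets[session].allow(ts_ms) else "throttled"
        stats[session][key] += 1
    return dict(stats)


def sample_events():
    """Constructed traffic: one normal session, one flooding session."""
    normal = [(i * 1000, "alice/laptop") for i in range(10)]   # 1 stanza/s
    flood = [(i * 100, "mallory/bot") for i in range(50)]      # 10 stanzas/s
    return sorted(normal + flood)


if __name__ == "__main__":
    print(shape(sample_events()))
```

With a refill of 2 stanzas per second and a burst of 5, the normal session is never throttled, while the flooding session gets its first five stanzas through and then only one in every five, so the rest of the server's users are shielded from its output.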
Password Security
One of the most popular out-of-the-box Jabber servers, ejabberd, stores passwords in the clear, but using ODBC it is possible to implement storing passwords as an MD5 hash (using this patch, for example).
Malware that compromises users' JID passwords is still very rare. As a rule, it consists of modifications of various open-source clients distributed via mass mailings in popular Jabber conferences. Not long ago a malicious modification of the popular mobile Jabber client Bombus was discovered that sends the entered JID and password to a specific e-mail address (Trojan-PSW.J2ME.Bomzuz.a in Kaspersky Lab's classification). Here users can only be advised to beware of such modifications and to download client programs only from official or trusted sources.
Almost all currently existing Jabber servers are not protected from brute-force attacks, which are not yet observed on a mass scale but are possible in principle. This situation is fixable: temporary lockouts that limit the number of password attempts will solve the problem.
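The two points of this section, password storage and the temporary lockout, fit in one small account store. The following is an added example (not code from the article, from ejabberd or from the patch it mentions): passwords are stored as salted PBKDF2-HMAC-SHA256 rather than in the clear or as an unsalted MD5 hash, a legacy MD5 record is upgraded on the user's next successful login, and a JID is locked for a while after repeated failures. The threshold and lockout duration are assumptions; a real server would also count failures per source address.

```python
# Added example, not from the article: an account store that (a) stores
# passwords as salted PBKDF2-HMAC-SHA256 instead of clear text or unsalted MD5,
# (b) migrates an MD5 record to PBKDF2 on the next successful login, and
# (c) applies a temporary lockout against brute force. Thresholds are assumed.
import hashlib
import hmac
import os
import time

LOCKOUT_THRESHOLD = 5        # failed attempts before a lockout (assumption)
LOCKOUT_SECONDS = 300.0      # how long the JID stays locked (assumption)
PBKDF2_ITERATIONS = 200_000
_DUMMY_SALT = os.urandom(16)


def legacy_md5_hex(password: str) -> str:
    """What an unsalted-MD5 scheme stores: fast to compute, fast to crack."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AccountStore:
    def __init__(self):
        self._users = {}     # jid -> {"scheme": ..., ...}
        self._failures = {}  # jid -> (failed_count, locked_until)

    def register(self, jid: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[jid] = {"scheme": "pbkdf2", "salt": salt, "hash": _pbkdf2(password, salt)}

    def import_legacy_md5(self, jid: str, md5_hex: str) -> None:
        """Load a record as produced by an unsalted-MD5 scheme."""
        self._users[jid] = {"scheme": "md5", "hash": md5_hex}

    def scheme(self, jid: str) -> str:
        return self._users[jid]["scheme"]

    def _check(self, record, password: str) -> bool:
        if record["scheme"] == "pbkdf2":
            return hmac.compare_digest(record["hash"], _pbkdf2(password, record["salt"]))
        return hmac.compare_digest(record["hash"], legacy_md5_hex(password))

    def authenticate(self, jid: str, password: str, now: float = None) -> str:
        """Return "ok", "fail" or "locked". `now` is a Unix timestamp."""
        now = time.time() if now is None else now
        failed, locked_until = self._failures.get(jid, (0, 0.0))
        if now < locked_until:
            return "locked"                   # do not even evaluate the password
        record = self._users.get(jid)
        if record is None:
            _pbkdf2(password, _DUMMY_SALT)    # equalize timing for unknown JIDs
            ok = False
        else:
            ok = self._check(record, password)
        if ok:
            self._failures.pop(jid, None)
            if record["scheme"] == "md5":     # upgrade the hash while we hold the password
                self.register(jid, password)
            return "ok"
        failed += 1
        if failed >= LOCKOUT_THRESHOLD:
            self._failures[jid] = (0, now + LOCKOUT_SECONDS)
        else:
            self._failures[jid] = (failed, locked_until)
        return "fail"
```

Note that a lockout keyed on the JID alone can itself be abused to lock a victim out of their own account; that is why production servers combine it with a per-address counter and keep the lockout short.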
Transmission Protection
Almost all large servers can establish secure connections using SSL/TLS encryption, which eliminates the possibility of intercepting passwords and correspondence. Encryption is also easy to configure on your own server.
In ICQ it was also possible, some time ago, to enable secure data transfer, but after this service was purchased by the Mail.Ru Group holding, the function stopped working. This is because AOL did not sell the implementation of this feature along with it.
Some client programs allow, via a special plug-in, additionally encrypting the transmitted information with GPG or OTR. For this to work, the plug-in must be installed by both users.
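Offering TLS on the server is only half of the protection; the client has to insist on it before it sends credentials. As an added example (not code from the article or from any XMPP client), here is the check a client can run on the server's stream features: negotiate STARTTLS when it is offered, refuse to authenticate over a cleartext stream when it is not, and only then pick a SASL mechanism. The feature documents are constructed, and the mechanism preference (SCRAM-SHA-1 first, PLAIN accepted only because the stream is already encrypted) is an assumption of this example.

```python
# Added example, not from the article: the check a client should perform on
# the server's <stream:features/> before authenticating. Never send
# credentials over a cleartext stream; negotiate STARTTLS first if offered.
# Feature documents are constructed; the mechanism preference is an assumption.
import xml.etree.ElementTree as ET

NS_STREAMS = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
PREFERRED_MECHANISMS = ("SCRAM-SHA-1", "PLAIN")   # PLAIN only over TLS


def starttls_policy(features_xml: str) -> str:
    """'required', 'optional' or 'absent', from the <starttls/> feature."""
    root = ET.fromstring(features_xml)
    starttls = root.find("{%s}starttls" % NS_TLS)
    if starttls is None:
        return "absent"
    return "required" if starttls.find("{%s}required" % NS_TLS) is not None else "optional"


def offered_mechanisms(features_xml: str):
    """SASL mechanisms the server advertises, in the server's order."""
    root = ET.fromstring(features_xml)
    mechs = root.find("{%s}mechanisms" % NS_SASL)
    if mechs is None:
        return []
    return [m.text.strip() for m in mechs.findall("{%s}mechanism" % NS_SASL) if m.text]


def next_step(features_xml: str, tls_established: bool) -> str:
    """Decide the client's next action: 'starttls', 'auth:<MECH>' or 'abort'."""
    if not tls_established:
        # Cleartext stream: upgrade if we can, otherwise refuse to authenticate.
        return "starttls" if starttls_policy(features_xml) != "absent" else "abort"
    offered = offered_mechanisms(features_xml)
    for mech in PREFERRED_MECHANISMS:
        if mech in offered:
            return "auth:" + mech
    return "abort"   # only mechanisms we do not accept (e.g. obsolete DIGEST-MD5)


# Constructed feature documents, modelled on what a server sends before and
# after TLS negotiation.
FEATURES_BEFORE_TLS = (
    "<stream:features xmlns:stream='%s'>"
    "<starttls xmlns='%s'><required/></starttls>"
    "</stream:features>" % (NS_STREAMS, NS_TLS)
)
FEATURES_AFTER_TLS = (
    "<stream:features xmlns:stream='%s'>"
    "<mechanisms xmlns='%s'><mechanism>PLAIN</mechanism>"
    "<mechanism>DIGEST-MD5</mechanism></mechanisms>"
    "</stream:features>" % (NS_STREAMS, NS_SASL)
)
FEATURES_NO_TLS = (
    "<stream:features xmlns:stream='%s'>"
    "<mechanisms xmlns='%s'><mechanism>PLAIN</mechanism></mechanisms>"
    "</stream:features>" % (NS_STREAMS, NS_SASL)
)

if __name__ == "__main__":
    print(next_step(FEATURES_BEFORE_TLS, False), next_step(FEATURES_AFTER_TLS, True),
          next_step(FEATURES_NO_TLS, False))
```

The decisive case is the third document: a server that offers PLAIN without any STARTTLS feature is exactly the situation in which a careless client leaks the password, and the policy here is to abort rather than proceed.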
Jabber as a means of communication in a corporate environment
When Jabber is used in an enterprise environment, the main potential threat comes from the various services with unrestricted access from outside (Jabber conferences, transports, the vCard/vJUD search service).
Jabber conferences are definitely a very convenient means of communication. However, administrators of corporate XMPP servers quite often forget to close access to conferences over s2s (that is, for users of other servers), and important corporate information may end up in the public domain. Attackers can also organize a flood attack on conferences on an unprotected service, which may later lead to a denial of service for the XMPP server as a whole.
Transports that are open to users of all servers can help attackers hide their real IP address (for example, if a third-party user registers on an IRC transport, he will enter the IRC chat with the IP address of the enterprise Jabber server). In the case of other transports (ICQ, MRA, etc.), third-party users can create extra load, thereby reducing the fault tolerance of the service.
The most dangerous are search services (vJUD) with public access to business-card data. Very often a Jabber server takes vCard data from internal sources (when using LDAP, for example), and as a result private information about an employee (personal and business e-mail, phone numbers, department name and even home address) may appear in the vCard. Attackers can organize an automated search through vJUD by popular first and last names, thereby obtaining data intended for internal use only.
Administrators of corporate Jabber servers need to closely monitor which modules are running and disable, or close access to, unused services.
Administrators of both corporate and private servers need to pay more attention to their policy for registering new users. On a corporate server, open registration must be banned altogether, since an employee's account should be created by the administrator at the time of hiring, along with the other internal accounts. On a private server it is advisable either to limit the registration of new accounts (for example, using a captcha) or to disable this feature.
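The recommendations for the corporate case (conferences, transports and vJUD reachable only by local users, registration closed, and only a vetted subset of directory data published in vCards) can be expressed as one small policy. The following is an added example, not code from the article or from ejabberd: the domain, the directory entry and the LDAP-attribute-to-vCard mapping are constructed, and a real server configures its own LDAP-to-vCard mapping in its configuration rather than with code like this.

```python
# Added example, not from the article: the access policy a corporate XMPP
# deployment would enforce for the services discussed above, plus an allowlist
# deciding which LDAP attributes may be published in a vCard. The domain,
# directory entry and attribute mapping are constructed assumptions.
import xml.etree.ElementTree as ET

LOCAL_DOMAINS = {"corp.example"}
# LDAP attribute -> vcard-temp element path. Anything not listed here
# (home address, phone numbers, personal e-mail) is never published.
LDAP_TO_VCARD = {"cn": "FN", "mail": "EMAIL/USERID", "ou": "ORG/ORGUNIT"}
REGISTRATION_OPEN = False     # accounts are created by the administrator


def jid_domain(jid: str) -> str:
    """user@host/resource -> host."""
    return jid.split("/", 1)[0].rsplit("@", 1)[-1]


def authorize(service: str, from_jid: str) -> bool:
    """Is `from_jid` allowed to use `service`?

    muc, vjud, transport: only users of the local domains (closes s2s access).
    register: closed entirely.
    anything else: denied by default.
    """
    if service == "register":
        return REGISTRATION_OPEN
    if service in ("muc", "vjud", "transport"):
        return jid_domain(from_jid) in LOCAL_DOMAINS
    return False


def build_vcard(ldap_entry: dict) -> str:
    """Build a vcard-temp document containing only allowlisted attributes."""
    vcard = ET.Element("vCard", {"xmlns": "vcard-temp"})
    for attr, path in LDAP_TO_VCARD.items():
        value = ldap_entry.get(attr)
        if not value:
            continue
        parent = vcard
        *containers, leaf = path.split("/")
        for name in containers:               # e.g. EMAIL before USERID
            existing = parent.find(name)
            parent = existing if existing is not None else ET.SubElement(parent, name)
        ET.SubElement(parent, leaf).text = value
    return ET.tostring(vcard, encoding="unicode")


def vjud_lookup(requester_jid: str, ldap_entry: dict):
    """vJUD search result for one directory entry, or None if access is denied."""
    if not authorize("vjud", requester_jid):
        return None
    return build_vcard(ldap_entry)


# Constructed directory entry: the kind of record an LDAP-backed server sees.
SAMPLE_ENTRY = {
    "cn": "Ivan Petrov",
    "mail": "ivan.petrov@corp.example",
    "ou": "Accounting",
    "telephoneNumber": "+7 000 000-00-00",
    "homePostalAddress": "1 Sample Street",
}

if __name__ == "__main__":
    print(vjud_lookup("bob@corp.example/desk", SAMPLE_ENTRY))
    print(vjud_lookup("eve@outside.example/x", SAMPLE_ENTRY))
```

The two controls are independent on purpose: restricting vJUD to local users stops the outside enumeration described above, while the attribute allowlist limits what even a legitimate internal search can reveal, so a leak of one does not expose the phone number or home address at all.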
Summary
Despite the growing popularity of the Jabber protocol, the threats are still non-commercial in nature. In the near future, however, commercial spam mailings may begin, as well as messages containing malicious links. Thanks to its extensibility, the protocol allows such threats to be countered effectively, minimizing the likelihood of undesirable content reaching end users.
Jabber as a corporate communication tool is safe and reliable, but server administrators should carefully monitor the level of access to services.