23 Jul

Requiring Encryption on XMPP Services

UPDATE (May 19th, 2017)

On Thursday May 18th, 2017 we shut down our dukgo.com XMPP service. Thanks for your continued support over the previous years.

For alternative XMPP servers check out www.cryptoparty.in/connect/contact/jabber and gultsch.de/compliance_ranked.html

The DuckDuckGo Team

Thursday morning at 6:30 AM EDT we will be upgrading our Prosody (XMPP) server to require encryption for all server-to-server connections. This means that users of the dukgo.com XMPP service will only be able to chat with contacts on servers which support encryption. Unfortunately, we will no longer be able to support connections to unencrypted services (Google Talk is the most popular of these). We feel that this is a necessary trade-off in order to provide a secure communication platform for our users.

There will be an XMPP broadcast message sent to all users prior to the upgrade. We expect the service to be available again within 30 minutes. The Community Platform will also be unavailable during this maintenance window.


This blog has been archived

Thank you for reading and contributing lively discussion to our blog! Read more posts about online privacy on our new blog at spreadprivacy.com.

I'm a bit late in the discussion, but I wanted to ask a question for the more XMPP-savvy:
Does it mean that if I speak with Gmail users the messages travel in plaintext between my server and Google servers?

posted by <hidden> • 3 years and 11 months ago Link

hey, nice to know, but we are still at SHA-1!

posted by <hidden> • 4 years and 5 months ago Link

This is a really good move by DDG Admins.

posted by Jlg community_leader • 4 years and 5 months ago Link

Thank you :)

posted by zac Staff • 4 years and 5 months ago Link

I signed on after the broadcast and update were complete and thought google had finally pulled the plug on xmpp federation. Then I found this.

For what it's worth, I did get a few friends to sign up for dukgo xmpp, partially because of google's new abomination, "hangouts", and partially because of the privacy and anonymity offered by dukgo.com.

I doubt that google will want to enable server-to-server xmpp encryption, as they're trying to phase out xmpp altogether. I've sent feedback to them about deficiencies in hangouts, but I think this is perhaps a "Windows Metro" moment for them, where they will do it regardless of what we say.

Even without this recent change, I already lost most of the people on my google list to hangouts. For those who don't know, anyone using hangouts will appear online, but they will silently drop any xmpp message you send them. They also can't message non-google users from hangouts. All android users are being pushed to upgrade to hangouts. It comes in with the normal android updates, and it's nearly impossible to reject it.

gmail has the option of using the original chat, and that will work with non-google xmpp, but I've got only 1-2 people on my dukgo list that still use the original chat.

So, goodbye to google xmpp federation. It was already 95% gone for me by now, so this security update doesn't really bother me. Thanks for making dukgo xmpp more secure :)

My current setup (all using psi+):
dukgo.com xmpp - for the people I chat with most
gmail.com xmpp - I can chat with my google hangouts friends from here
chat.facebook.com xmpp - to talk with family members who won't get a real instant messenger

Now I go through and remove the google contacts from my dukgo.com account. Federation was nice while it lasted.

posted by <hidden> • 4 years and 5 months ago Link

Nice thing.
Next step: close the XMPP service for lack of users?
Using the DukGo XMPP service to chat with Gmail contacts without using my own Gmail XMPP address...

Thanks for telling me "Good bye boy" :/

posted by ParigotManchot • 4 years and 5 months ago Link

I, too, used it to speak to a few friends and I'm bummed that it's gone so suddenly... however, their decision makes sense: This is a community and platform that values security. It's not DDG's fault that Google isn't properly encrypting their services. Put some pressure on Google and then perhaps we could get it back.

posted by <hidden> • 4 years and 5 months ago Link

Is it 6:30 AM or 6:30 PM? ;)

Quick tip: If you want to convert the above time to your local time you can just search for "6:30 PM EDT in my time" on DDG (assuming it's 6:30 PM).

posted by ScreapDK community_leader • 4 years and 5 months ago Link

6:30 AM.

I work on a 24 hour clock, sorry for the ambiguity.

posted by jbarrett Staff • 4 years and 5 months ago Link

24 Earth hours?

posted by zac Staff • 4 years and 5 months ago Link

Yup! ; D It's the standard for digital clocks in Danish, and in lots of other places, too. : )

24 hour clock

posted by ScreapDK community_leader • 4 years and 5 months ago Link

My clock is so close to Earth hours that it's not worth distinguishing them.

posted by jbarrett Staff • 4 years and 5 months ago Link