encrypt passwords and offline messages

Hi,
the passwords and offline messages are stored in plaintext; the admin can see all offline messages and user lists.
How can I encrypt this information? What have I forgotten?

I read
http://www.ejabberd.im/plaintext-passwords-db
but that sounds more like an excuse than a solution.

greetings

kero

Why is it a problem?

kero wrote:

Hi,
the passwords and offline messages are stored in plaintext; the admin can see all offline messages and user lists.

The admin can also see the roster items, and the nicknames. And the vcard. And edit the vcard. And edit the roster items. And delete offline messages. And change the password of any user. The administrator can do a lot of things, right? For that reason you only give administrative privileges to trusted people.

kero wrote:

How can I encrypt this information? What have I forgotten?

You forgot that the administrator of a machine has control over what is executed. Hence, an admin can install a modified version of the software. So the admin can read the messages that pass over the machine. It doesn't matter whether the software hides stuff from the admin or not: if the software can see the messages at any time, then so can the admin (by modifying the source code and binaries).

If you don't trust your admins, then you have trouble. If your users don't trust your server/admins, then they can use another server, or use point-to-point encryption (for example PGP/GPG), so the server machine (and its admins) can't read the content of the messages at any time.

kero wrote:

I read
http://www.ejabberd.im/plaintext-passwords-db
but that sounds more like an excuse than a solution.

The solution to what? You didn't explain in your message any problem. You just noted a fact: passwords and offline messages are stored in plain text, so an admin could read them. Maybe if you elaborate on why this is a problem...

So it sounds like an excuse to you. You may want to check the opinion of developers and administrators of other Jabber servers. You may also want to ask one more time on the JADMIN mailing list at www.jabber.org.

Once you check the opinion of other sources, please add a comment here with what they told you. If you ask in public mailing lists, forums or chatrooms, please also provide links so I can add them to the page. And if you find a Jabber server that encrypts passwords and offline messages so the admins can't read them, please say here which one it is.

Why can the ejabberd admin see the offline messages?

So why can the ejabberd admin see the offline messages?
I don't get it. In my opinion it makes no sense at all.
Is there a simple way to disable this "feature" in the web interface? I'm not fluent in Erlang.
He can't see the passwords; that's fine.

Example usage; why an option seems useless

kero wrote:

So why can the ejabberd admin see the offline messages?
I don't get it. In my opinion it makes no sense at all.

To administer the server, and the users. I'll tell you two examples:

One example: when a user forgets his password, the only way to recover his account is to ask an admin to set a new password manually. To verify that a person is really the owner of a Jabber account, I ask him several questions. If he answers all of them correctly (or mostly correctly), and my intuition says all is correct, only then do I change the password:

  • When was the last time you logged in successfully?
  • How many characters does your password have, approximately?
  • How many contacts do you have in your roster?
  • I now check his roster, and make some questions regarding some contacts: nicknames, groups, etc.
  • Then I check his offline messages. If there are several, I ask the person: it seems some people tried to contact you; who do you think they are? And other questions regarding the message timestamps, text content...

Fortunately, in the last four years as admin of a small public free server (400 concurrent users) I only needed to change 15 passwords or so.

Another example: when a user has too many offline messages, maybe the account is being used by a bot, or a bot is spamming him. The only way to know for sure is to read the messages. For example, on the Jabber server hosted by jabber.org, I think they detected some bots and illegitimate usage of the server for private purposes (running bots for commercial purposes), and they needed to read the offline messages, among many other things, to detect them. Note that jabber.org uses PostgreSQL storage.

When a person decides to host a server to provide a service, he probably wants to provide the best service. The server must provide the admin with as many tools and as much information as possible to help the admin do his work: fine-tuning the machine, detecting fraudulent usage, and helping users that have problems.

A Jabber server is expected to provide the users with features to better use the server, and provide the admins features to better administer the server. The ability to read offline messages is among many other useful features to administer a Jabber server. Am I right or not?

I'm still awaiting an explanation of why this is a problem.

kero wrote:

Is there a simple way to disable this "feature" in the web interface? I'm not fluent in Erlang.

There isn't such an option. If there were, we wouldn't be here discussing :) You can submit a feature request in the bug tracker: 'Implement an option to not show the content of offline messages to admins'. Probably it shouldn't be that hard to implement. But think about this: if such an option can be disabled by the admin, what's the purpose of the option?

Anyway, remember: offline messages are stored in plain text. The admin can dump the database to a text file in /tmp, then open the file and read the content.

This leads to a good point in your case: maybe an admin of ejabberd is not an admin of the machine. For such an admin, the only way to control ejabberd is WebAdmin and Ad-hoc commands. In this case, hiding offline messages in the WebAdmin is a sure way to ensure that such an admin can't read offline messages. Is that your case?

I would also like to know which Jabber servers store passwords and offline messages encrypted instead of in plain text. Did you already ask them? jabberd14, jabberd2, openfire, tigase, jabber xcp, soapbox... Do you have links to the answer in their forum/mailing list?

Openfire has it

I've only tried Openfire, but they have support for encrypted passwords which you can enable at will. Personally I have a hard time seeing the point, and would prefer them hashed, but if that's what you're looking for ...

http://www.igniterealtime.org/issues/browse/JM-291

There is simply no secure

There is simply no secure way to hide messages from the admin without encrypting messages on the client side, on both sides. You can do that with ejabberd and clients supporting GPG or PGP.
Otherwise, it is pointless to ask the server to store the messages encrypted and decrypt them before sending them to the client. If the server can decrypt them, so can the admin.
So I do not understand what your problem with that is.

--
Mickaël Rémond
Process-one

TLS/PLAIN SASL + DB hashing

I think it's important to consider that the reason hashing is used should not be to protect you from administrators (whose service you shouldn't use if you can't place your trust in them), but to moderate damage in the case of your database getting stolen.

Personally, I would prefer to force the use of TLS in my implementation, use plain-text SASL and store passwords hashed as SHA-256 in the database. I have yet to read up on whether this is possible with ejabberd, but seeing this discussion I simply wanted to voice my opinion. If it isn't a feature of ejabberd to use this sort of authentication, I think it should most certainly be considered a configurable alternative to the default method.

Although TLS is considered somewhat more prone to MITM attacks than the SASL approach used by default, a successful attack of that kind does not compromise the passwords of the entire userbase. Let's not forget that when properly implemented on the server and client side, a MITM attack on TLS can (as far as I can see) only be considered the fault of the unwary user.
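
The scheme the post above describes, as an added example (editor's code, not ejabberd's and not the poster's): the client authenticates with SASL PLAIN over TLS, and the server compares the password against a stored hash rather than a stored plaintext, so a stolen database contains no reusable passwords. The poster proposed plain SHA-256; the example stores a salted, iterated PBKDF2-HMAC-SHA256 instead, and the last function shows why: an unsalted SHA-256 is reversed by a dictionary at one hash per guess. The iteration count, the record format, the user name and the passwords are all constructed for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Added example, not ejabberd code. Work factor is an assumption for this demo;
# pick it by measuring on the authentication host.
PBKDF2_ITERATIONS = 600_000


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a storable record: 'pbkdf2-sha256$<iterations>$<salt>$<hash>'."""
    if salt is None:
        salt = os.urandom(16)          # per-user salt: equal passwords, unequal hashes
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2-sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(dk))


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
        if algo != "pbkdf2-sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False                   # malformed record: refuse, do not crash
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def parse_sasl_plain(message: bytes) -> Tuple[str, str, str]:
    """Split an RFC 4616 PLAIN initial response: [authzid] NUL authcid NUL passwd."""
    parts = message.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed SASL PLAIN message")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return authzid, authcid, passwd


# Constructed user database: only hash records are stored, never passwords.
# Iterations lowered here so the demo runs quickly.
USER_DB: Dict[str, str] = {
    "kero": hash_password("correct horse battery staple", iterations=20_000),
}
_DUMMY_RECORD = hash_password("unused", iterations=20_000)


def authenticate(db: Dict[str, str], message: bytes) -> bool:
    """Server side of PLAIN: the password only ever exists in memory, over TLS."""
    authzid, authcid, passwd = parse_sasl_plain(message)
    if authzid not in ("", authcid):
        return False                   # no authorizing as a different identity
    stored = db.get(authcid)
    if stored is None:
        verify_password(passwd, _DUMMY_RECORD)   # same cost for unknown users
        return False
    return verify_password(passwd, stored)


def sha256_hex(word: str) -> str:
    return hashlib.sha256(word.encode("utf-8")).hexdigest()


def crack_unsalted_sha256(digest_hex: str, wordlist) -> Optional[str]:
    """What an attacker does with a bare SHA-256 column: one cheap hash per guess,
    and because there is no salt, one pass over the wordlist covers every user."""
    for word in wordlist:
        if sha256_hex(word) == digest_hex:
            return word
    return None


if __name__ == "__main__":
    print(authenticate(USER_DB, b"\x00kero\x00correct horse battery staple"))
    print(authenticate(USER_DB, b"\x00kero\x00wrong"))
    print(crack_unsalted_sha256(sha256_hex("password"), ["letmein", "password", "qwerty"]))
```

PLAIN over TLS means the server sees the password at login, which is what lets it use any hash it likes on the storage side; the poster's trade-off against the default digest mechanism is exactly that. The dummy verification for unknown users keeps the response time of "no such account" indistinguishable from "wrong password".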

You can have openfire as a

You can have Openfire as an option; it is possible to have message encryption for offline messages and also in the archive tables too. You just need to do a bit of modification in your code.
