Hello, I am researching open source IM servers for our small company. This is one of our options, and I have a pretty good feel for what it can acomplish, but I have a specific question.
Reading this discussion:
http://www.ejabberd.im/node/3578
There is mention of users encrypting their chat sessions. My company is concerned because of past issues of possible employee abuse, and mis-conduct using an IM tool. I am required to find a solution where all messages are logged and can be searched for inappropriate content. If we have to choose a paid solution instead of open source it is possible, but we'd like to stay open.
Can someone break it down in a simple way if logging, reading, and searching messages can be mandatory? Is it possible to not allow users to encrypt their conversations?
This server will be for internal use only, <100 employees total.
Thank you.
Consult_DWI wrote: There is
There is mention of users encrypting their chat sessions. My company is concerned because of past issues of possible employee abuse, and mis-conduct using an IM tool.
Remember this about the bad people that send spam or annoying messages to good people: they don't use encryption.
Encryption of XMPP chat using PGP/GPG/... between two users, this is the same that with email: both users must have encryption support in their clients, create their public and private keys, and install the public key of the other user.
As you can see, this type of encryption is only useful if two users agree to chat secretly between them while using your company server. Why would two users "risk" to chat secretly in the company server? It is easier for them to create accounts in other XMPP server, or chat secretly using their private emails, or by their private telephones, or meeting in the company entrance.
And I mean it's a risk for them, not because the encryption could be broken and the messages read clearly (fortunately for the basic human rights, encryption can't be broken). It's a risk for them because, once two users alone send some messages encrypted, you will notice they are encrypting their messages in the company server during working hours: they become suspicious, and then you know where to start looking for possible trouble-makers.
Of course, the server usage policy can also state: "Only clear-text messaging is allowed in this server. If you don't know what this is, then don't worry". And then tell those two users to please stop encrypting. If they continue doing so, then close their accounts, and they will start using email or telephone to chat secretly.
I am required to find a solution where all messages are logged and can be searched for inappropriate content.
Can someone break it down in a simple way if logging, reading, and searching messages can be mandatory?
You can log all messages, even those encrypted, regardless if the users want or not that to happen. If you see encrypted messages in the log files, then you know who sent them, to who, and when. The only you won't know is their actual content.
Is it possible to not allow users to encrypt their conversations?
No.
This server will be for internal use only, <100 employees total.
Remember to inform the users of the server that their conversations may be logged.
If we have to choose a paid solution instead of open source it is possible, but we'd like to stay open.
You have a misunderstanding. You can pay to experts in an open source program to obtain assistance in installing and configuring, or to develop improvements or customizations. Then you decide if you keep for yourself all those improvements that were developed for you, or if you allow to publish them in the public program.
Thank you for the quick reply
Thank you for the quick reply sir, you answered my question basically. I will clarify about paid services, I was talking about things like Akeni, Sonork, Jive, and so on.
Thank you again though, if I should have any other questions I will post here.