
Security notes

You have to enable TLS/SSL if you connect to our server over the clear net in any way; otherwise the connection will not be established, because we have disabled unencrypted communication. However, since TLS/SSL can potentially harm the anonymity of clients, and connections inside the Tor network are already encrypted and authenticated, we recommend disabling TLS/SSL for connections to our Tor hidden service (though you may still use it).

For TLS connections we use only those cipher suites that provide the best security with PFS (perfect forward secrecy). You can see the parameters supported by our server on this test link.

Some XMPP clients allow so-called certificate pinning when TLS/SSL is used: you manually specify the correct fingerprint of the XMPP server's TLS/SSL certificate. We have signed this fingerprint with our PGP key. Certificate pinning is a good countermeasure against attacks on the PKI, so we suggest you use this option for TLS/SSL connections wherever possible (verify the fingerprint against our PGP signature first!).
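As an added example (this is not code from the operator's page, nor part of any XMPP client), here is a stdlib-only Python check of the kind a user would run before enabling pinning: it opens an XMPP client stream on port 5222, negotiates STARTTLS, takes the certificate the server presents and compares its SHA-256 fingerprint against a pinned value. The PINNED_SHA256 value, the server name and all function names are assumptions; the pin you actually use must be the fingerprint you have already verified against the operator's PGP signature (for example with gpg --verify), which this script does not do for you.

```python
import hashlib
import hmac
import socket
import ssl

# Fingerprint the operator publishes and signs with their PGP key. Verify that
# signature BEFORE trusting the value. CONSTRUCTED PLACEHOLDER: this is not the
# real fingerprint of any server.
PINNED_SHA256 = ("AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:"
                 "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99")


def fingerprint_sha256(der_cert):
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated upper-case hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_pin(der_cert, pinned):
    """Compare the certificate against the pin, tolerating case and colon/space differences."""
    def norm(fp):
        return fp.replace(":", "").replace(" ", "").upper()
    return hmac.compare_digest(norm(fingerprint_sha256(der_cert)), norm(pinned))


def _recv_until(sock, marker, limit=65536):
    """Read until `marker` appears; bounded so a hostile peer cannot make us buffer forever."""
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("stream closed before %r" % marker)
        buf += chunk
        if len(buf) > limit:
            raise ConnectionError("oversized server response")
    return buf


def fetch_server_cert(domain, host=None, port=5222, timeout=15):
    """Open an XMPP client stream, negotiate STARTTLS (RFC 6120 section 5) and
    return the server certificate in DER form. CA validation is disabled on
    purpose: with pinning, the trust decision is the pin, not a CA."""
    host = host or domain
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    stream_header = (
        "<?xml version='1.0'?><stream:stream to='%s' version='1.0' "
        "xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'>" % domain
    )
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(stream_header.encode())
        features = _recv_until(raw, b"</stream:features>")
        if b"urn:ietf:params:xml:ns:xmpp-tls" not in features:
            raise RuntimeError("server does not offer STARTTLS")
        raw.sendall(b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>")
        reply = _recv_until(raw, b"/>")
        if b"<proceed" not in reply:
            raise RuntimeError("STARTTLS refused: %r" % reply)
        with ctx.wrap_socket(raw, server_hostname=domain) as tls:
            return tls.getpeercert(binary_form=True)


def check_server(domain, pinned=PINNED_SHA256, host=None, port=5222):
    """Return (pin_matches, observed_fingerprint) for a live server."""
    der = fetch_server_cert(domain, host, port)
    return matches_pin(der, pinned), fingerprint_sha256(der)


if __name__ == "__main__":
    import sys
    # usage: python pin_check.py xmpp.example.org   (hypothetical server name)
    ok, seen = check_server(sys.argv[1])
    print("fingerprint:", seen)
    print("matches pin:", ok)
    sys.exit(0 if ok else 1)
```

A mismatch on the clear-net address means either the operator rotated the certificate (check their PGP key for a new signed fingerprint) or something is interfering with the connection; do not simply update the pin to whatever was observed. Over Tor the socket would have to go through a SOCKS proxy, which this plain-socket version does not do, and the notes above recommend skipping TLS on the onion address anyway.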

All three addresses of our server ( and two onion mirrors) are added as uids to our PGP key. If the domain name or an onion address changes, the corresponding uid will be revoked and a uid with the new address will be added. Note that our PGP key is the only authentic source of information about the addresses and certificates of our XMPP server.

XMPP was designed a long time ago without anonymity in mind. Depending on the capabilities of your XMPP client, it may leak sensitive information about your software configuration, such as the time on your machine, your timezone, your geolocation (XEP-0080), the version of your operating system and the version of your XMPP client. Some XMPP clients also download content (such as pictures or files) automatically, which an attacker can use to reveal your IP address. Thus, if anonymity matters to you, it is always better to run your XMPP client inside a separate virtual operating system (in a virtual machine) that does not share its software configuration with your main operating system.
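As an added example (not code from the operator's page), here is a small Python audit that a user can run over stanzas from their client's XML debug log to see whether the client is giving away the items listed above, plus the RFC 6120 error reply a privacy-preserving client sends instead of answering such a probe. XEP-0080 is the only XEP named on the page; the other namespaces used here (XEP-0092 for software/OS version, XEP-0202 for local time and timezone, XEP-0060 PEP for the location publish, XEP-0066 for out-of-band download URLs) are the standard XMPP mechanisms for the leaks the page describes. All sample stanzas, addresses and URLs are constructed for this example.

```python
import xml.etree.ElementTree as ET

VERSION_NS = "jabber:iq:version"                    # XEP-0092: client name, version, OS
TIME_NS = "urn:xmpp:time"                           # XEP-0202: local clock and timezone offset
PUBSUB_NS = "http://jabber.org/protocol/pubsub"     # XEP-0060, carries PEP publishes
GEOLOC_NODE = "http://jabber.org/protocol/geoloc"   # XEP-0080 location node
OOB_NS = "jabber:x:oob"                             # XEP-0066 out-of-band URL
STANZAS_NS = "urn:ietf:params:xml:ns:xmpp-stanzas"  # RFC 6120 error conditions

# Constructed sample stanzas (not captured from any real server or client).
SAMPLE_VERSION_RESULT = ("<iq type='result' id='v1' to='bob@example.org/phone'>"
                         "<query xmlns='jabber:iq:version'><name>ExampleClient</name>"
                         "<version>1.2</version><os>Linux 6.1</os></query></iq>")
SAMPLE_TIME_RESULT = ("<iq type='result' id='t1'><time xmlns='urn:xmpp:time'>"
                      "<tzo>+02:00</tzo><utc>2024-01-01T12:00:00Z</utc></time></iq>")
SAMPLE_GEO_PUBLISH = ("<iq type='set' id='g1'><pubsub xmlns='http://jabber.org/protocol/pubsub'>"
                      "<publish node='http://jabber.org/protocol/geoloc'><item>"
                      "<geoloc xmlns='http://jabber.org/protocol/geoloc'><lat>0</lat><lon>0</lon>"
                      "</geoloc></item></publish></pubsub></iq>")
SAMPLE_OOB_MESSAGE = ("<message from='mallory@example.org' to='alice@example.org'><body>look</body>"
                      "<x xmlns='jabber:x:oob'><url>http://tracker.example/pixel.png</url></x></message>")
SAMPLE_VERSION_PROBE = ("<iq type='get' id='v1' from='bob@example.org/phone' to='alice@example.org/laptop'>"
                        "<query xmlns='jabber:iq:version'/></iq>")
SAMPLE_ROSTER_RESULT = "<iq type='result' id='r1'><query xmlns='jabber:iq:roster'/></iq>"


def _split(tag):
    """Split an ElementTree tag '{ns}local' into (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def audit_stanza(stanza_xml):
    """Return a list of findings for one stanza taken from a client's XML log."""
    el = ET.fromstring(stanza_xml)
    name = _split(el.tag)[1]
    kind = el.get("type")
    findings = []
    if name == "iq" and kind == "result":
        # An iq result carrying one of these payloads means the client answered a probe.
        for child in el:
            ns, _ = _split(child.tag)
            if ns == VERSION_NS:
                findings.append("XEP-0092: client software/OS version disclosed")
            elif ns == TIME_NS:
                findings.append("XEP-0202: local time and timezone disclosed")
    elif name == "iq" and kind == "set":
        # Location is not answered on request but published by the client itself via PEP.
        for publish in el.iter("{%s}publish" % PUBSUB_NS):
            if publish.get("node") == GEOLOC_NODE:
                findings.append("XEP-0080: geolocation published")
    elif name == "message":
        # A client that fetches these URLs automatically contacts a sender-chosen host.
        for url in el.iter("{%s}url" % OOB_NS):
            if url.text:
                findings.append("XEP-0066: out-of-band URL %s (automatic download would reveal your IP)"
                                % url.text.strip())
    return findings


def refusal(probe_xml):
    """Build the reply a privacy-preserving client sends to an incoming probe instead of
    answering: type='error' with <service-unavailable/>, same id, addressed back to the
    sender, echoing the original query element as RFC 6120 section 8.3.1 recommends."""
    iq = ET.fromstring(probe_xml)
    reply = ET.Element("iq", {"type": "error", "id": iq.get("id", "")})
    if iq.get("from"):
        reply.set("to", iq.get("from"))
    for child in list(iq):
        reply.append(child)
    err = ET.SubElement(reply, "error", {"type": "cancel"})
    ET.SubElement(err, "{%s}service-unavailable" % STANZAS_NS)
    return ET.tostring(reply, encoding="unicode")


if __name__ == "__main__":
    for sample in (SAMPLE_VERSION_RESULT, SAMPLE_TIME_RESULT, SAMPLE_GEO_PUBLISH,
                   SAMPLE_OOB_MESSAGE, SAMPLE_ROSTER_RESULT):
        print(audit_stanza(sample) or ["(nothing disclosed)"])
    print(refusal(SAMPLE_VERSION_PROBE))
```

Running this over a client's log shows which of the leaks above the client actually commits; the fix is in the client's settings (disable version and time replies, location sharing and automatic downloads) or, as the notes recommend, in isolating the whole client in a virtual machine whose version and clock details are not your own.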
