Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Personal XMPP server to skirt the NSA?
1 point by nsxwolf on Aug 2, 2013 | hide | past | favorite | 7 comments
I'm interested in running a secure, end to end encrypted chat service that I can host on my own network and allow friends and family to connect to from various clients and smartphones.

Is this feasible? I did some googling and am a bit bewildered. Can anyone point me in the right direction?



If you are looking to host your own server and are not too tied to XMPP, you can use Kamailio as a SIP + XCAP chat VoIP/Video and IM server with TLS encryption and Use Jitsi as a softphone/chat client. Here's a tutorial to get you started http://kb.asipto.com/kamailio:skype-like-service-in-less-tha...

You can always try to implement the same with freeswitch or if XMPP is a must you can use something like OpenFire (http://www.igniterealtime.org/projects/openfire/)


Prosody (http://prosody.im/) is very efficient, especially with epoll. StartSSL (http://www.startssl.com/) issues free server certificates for encryption. Put them on a VM in the cloud for $5-10 per month, and you have your own secure instant messenger system that supports text, voice, and even video (with the right clients).


Thank you! That looks really good. Now, what if I'm paranoid by a CA being compromised? Are there any pitfalls to me acting as my own CA and issuing my own certificate - provided the people I'm planning on talking to trust me?


Self signed certs, along with the handholding required to get your intended users to install them on their devices (probably not too big a deal for a tech crowd - perhaps not something I'd jump at for a "family and friends" targeted system).

At that level of paranoia – I'd question the appropriateness of relying on a "cloud VM". If you're worried about compromised CAs, perhaps a RaspberryPi (or similar inexpensive device) on your home net connection - with a write-locked SD card to boot from and a usb drive mounted with no-exec - and firewalled up the wazoo. Who knows how many guys have Snowden-like access to the VM hypervisor at n-random cloud hosting provider? Inside your "server", all the cleartext and metadata is readily available to root, and to root on the hypervisor as well.


Now I'm wondering if I can accomplish what I want with iChat Server on OS X Server. I have an old mini laying around.


For appropriate levels of paranoia and/or "I'm doing this right just because", I'd hesitate a little about choosing OS X or Windows as an OS. Once you've allowed them to connect to the internet, they both do a surprising amount of "phoning home", and who knows what "the mothership" is capable of being coerced into making them do.

I'd lean much more strongly towards Linux or even one of the various BSDs if I were doing this. I'm not about to audit all of the Linux/OpenBSD code myself – but I'd feel somewhat more comfortable with them knowing the code is at least available for me to review and that there's a much smaller chance of the NSA or FBI being able to "lean on" enough people to be able to keep backdoors undisclosed.

(Having said that, if you've got a "spare" Mac and are comfortable with OS X, you'd almost certainly be able to set up a system that's "secure enough against ubiquitous recording-of-all-traffic" surveillance, and if the NSA chooses to target you specifically, you've probably got to admit your privacy battle is lost from the start…)


Helping friends and family install your self-signed root certificate can be less than fun, especially if they have lesser computer skills and a variety of browsers (and mobile operating systems).

My gut says that StartSSL is about as anti-NSA as they can be, but you never know ...




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: