Good Open Source, Multi-Platform, Secure IM Client?

Phil O. writes "I work for a company with 30+ locations across North America. Some offices have hundreds of employees; some only a dozen. We're looking for a secure, multi-platform IM client we could implement across the organization. One group is pushing for Microsoft's solution, but it has a number of drawbacks (including cost). What other options are out there, and what has worked well in similar situations? Security is a big concern for the company."

Anonymous Coward

[by Anonymous Coward]

Jabber server, pidgin clients, and http://pidgin-encrypt.sourceforge.net/ for security. Really it's a shame this even made it to slashdot. Can't anyone google anymore?

Re:Anonymous Coward

[Chris Acheson (263308)]

OTR is more secure that pidgin-encryption, and works with other IM clients as well.

Portable

[Forty Two Tenfold (1134125)]

Plus, pidgin is portable.
http://portableapps.com/apps/internet/pidgin_portable [portableapps.com]

Re:

[fxkr (1343139)]

You might want to check their homepage [cypherpunks.ca] and the Wikipedia [wikipedia.org] article.

OTR works very well for me. I recommend Pidgin as a client and Jabber as a protocol.

Re:Anonymous Coward

[2starr (202647)]

No kidding. I'm looking for a good open-source web browser. Anyone know of one?

Re:Anonymous Coward

[Fred Ferrigno (122319)]

Anyone know a news site for nerds, something with stuff that matters?

Re:Anonymous Coward

[Kent Recal (714863)]

Maybe try digg [digg.com]?

Pidgin + OTR

[314m678 (779815)]

Pidgin + OTR pluggin

http://www.pidgin.im/ [pidgin.im]

http://en.wikipedia.org/wiki/Pidgin [wikipedia.org]

http://www.cypherpunks.ca/otr/ [cypherpunks.ca]

Re:

[TheLink (130905)]

Pidgin for windows is pretty crappy though

It hangs quite often (more if you don't use the tab mode, and if you use tab mode, if some spammer spams you, you can't tell from the taskbar who sent you the message - it could look like someone else is sending you a message).

It often doesn't succeed in sending messages to people on MSN - 5 minutes after I send, it'll tell me it failed. 5 minutes!

You can't easily filter out "spim", even if you use stuff like bot sentry you still get bugged about it- which completel

Re:Pidgin + OTR

[JCSoRocks (1142053)]

The MSN bug is the only one I've run into. Other than that I've always thought Pidgin was great. I've been forced to switch over to Windows Live Messenger and I really don't like it after using Pidgin. The Outlook integration doesn't make up for the clunkier UI and the inability to connect to other networks.

Re:Pidgin + OTR

[Bert64 (520050)]

Most likely the MSN bug in pidgin is due to having to reverse engineer the protocol every time it gets changed...

Re:Pidgin + OTR

[srussell (39342)]

Note that the OTR plugin is available for several IM clients, including KDE's Kopete, Miranda, mICQ, and several others.

I'm still waiting for it to show up for the Android chat client, but it is still early days...

--- SER

jabber

[muckdog (607284)]

I'm betting www.jabber.org will be echoed over and over in the responses. Considering Google uses it to power Gtalk I say its scalable.

Re:jabber

[rlp (11898)]

I agree - not too hard to set up your own jabber server with an SSL connection. If you REALLY want to be secure, you won't rely on someone elses server.

Re:jabber

[Macrat (638047)]

Here's a jabber server with ssl ready to go.

http://wikis.sun.com/display/CommSuite/Sun+Java+Communications+Suite+Information [sun.com]

Re:jabber

[Britz (170620)]

If the clients use end-to-end encryption and share the password through a secure different channel (e.g. encrypted email) does it really matter if the server is your own?

Multi-platform

[jkinney3 (535278)]

Microsofts solution is NOT multiplatform. Anything that runs jabber protocol has a multiplatform client.

Re:Multi-platform

[Haeleth (414428)]

Microsofts solution is NOT multiplatform.

What do you mean? It runs on both kinds of computer, XP and Vista.

Openfire + Spark

[mackil (668039)]

We use the Openfire server (www.igniterealtime.org) with the Spark client over several offices in different states and over 3 different platforms. SSL is available as well (which we use).

So far no problems beyond user error. I'd recommend it.

Re:

[ErnieD (19277)]

I'll second that, we use Openfire within our IT department (spanning 3 locations plus accessible via VPN). Spark is the primary client we give to our people but they're also free to use any other Jabber client they want like Pidgin, Miranda, Exodus, etc. We have SSL enabled and message auditing & archiving turned on which is also important for businesses in certain markets. We have it authenticating off our Active Directory via LDAP lookup. There's also a Flash-based web client which simply is a SWF tha

Re:

[SuperQ (431)]

I use openfire for my personal jabber server, it's been reliable, and keeps getting good updates.

I haven't used the spark client, and I haven't had good luck with the web client. That's probably the biggest thing I wish I could find was a good web client like gmail chat.

Jabber?

[nine-times (778537)]

I've never actually implemented Jabber before, but it seems like the obvious answer. You should be able to set up your own server without paying any software costs, and use GAIM/Adium. I think encryption is supported, but it's slightly less of a concern if the traffic never leaves your own network.

Actually, depending on your requirements, you may not want clients to encrypt traffic, so that you can log and archive it.

Any XMPP Client

[infinityxi (266865)]

I would go about your problem by first separating the client from the actual protocol. If you are worried about cross platform I would of course go with an XMPP solution. You can do the following:

- Run an OpenFire server Here [igniterealtime.org]
- Pick from a slew of XMPP clients but I would problem pick the Spark IM Client (Same people as the OpenFire software)

This way you don't have to worry about Client A working with Protocol B across Windows/Linux/Mac.

Using XMPP is also an easy way to control your IM facilities as you can create an organizational system for creating names such as using email addresses as screen names and not have to worry about Bob from Accounting using PiMpMaSta23.

I would evaluate OpenFire and the Spark IM client and see if it fits. The server is very easy to set up and administer. You can also use Pidgin or Psi as XMPP clients although I think Spark is the most professional looking of the three.

You'll need a server, too

[Yosho (135835)]

Everybody is saying "Pidgin", but a client won't do you any good without a server to connect to, and if you really care about being secure, you shouldn't trust any third-party server that is publicly accessible.

You should probably set up your own Jabber server; I recommend Openfire [igniterealtime.org], which is open source, easy to install, and pretty powerful. It is possible to mandate that all clients must use encryption to connect, which will do a pretty good job of keeping things secure, and you can use any XMPP client that supports encryption. If you don't want even the server to be able to read your messages, as others have suggested, installing an OTR plugin for your client is the way to go.

Pidgin performs beautifully cross-platform

[Arrogant-Bastard (141720)]

Pidgin is portable, under active development, works for multiple IM protocols, sports a healthy collection of plug-ins that augment its functionality -- include OTR to provide relatively secure messaging services. It's not perfect by any means, but I've deployed it across a 150-person organization and found that it more than met their needs. So if you're going to spend money -- not that you need to -- one possible course of action is to try pidgin, identify any issues that are causing you problems, and negotiate a deal with the developers: make a contribution to fund the development, which in turn not only benefits you but the entire rest of the user community.

Why IM?

[Hatta (162192)]

Why not IRC?

Re:

[Khyber (864651)]

I have yet to see a reliable working UnrealIRCd server hack.

As long as they didn't use mIRC and kept their IRC network completely internal (kinda tough to do without some VPN connecting to the other 30+ locations plus password entry into channel (or an allow list) they shouldn't have too much of an issue.

And of course IRC does have SSL connection capability.

Check out SupraBrowser

[by Anonymous Coward]

SupraBrowser [sourceforge.net]

It's a secure, threaded IM client (all socket communication 3DES encrypted with a zero-knowledge proof SRPP [stanford.edu]), written in Java, that runs on Linux, Mac, and Windows. It was developed for the hedge fund industry in Boston. I developed it initially, but it's mainly being maintained, not developed further because we don't receive any new feature requests.

Don't let the extensive features fool you. It's primarily a secure, threaded IM system. The other features were added (email gateway, auto-forwarding to email, embedded web browser with sophisticated tagging engine) based on its being used *very* heavily every day and requests coming from highly advanced users of the system.

There is also a Firefox plugin that integrates with it, as well as a pure ajax client written in the Eclipse Rich Ajax Platform.

Feel free to contact me personally for any details or help setting it up. The release on sourceforge assumes fairly good technical abilities (building it from ant, getting xulrunner to work with javaxpcom) and is not a general packaged release. However, it is running many places in production.

suprasphere@gmail.com

David Thomson

XMPP with TLS and (optionally) GPG/PGP

[Enleth (947766)]

You can setup the thing completely in-house (you don't have to trust a contractor), or you can opt for a canned solution (for example Jabber, Inc., http://www.jabber.com/ [jabber.com], they do provide everything for big and small companies, and are backed by Cisco). It uses SSL/TLS for secure connections both between clients and servers (C2S) and between separate servers (S2S), with full support for certificate authenticity checking, and even PGP/GPG encryption between the users, should they need to exchange really confifental data that even a rogue company server admin shouldn't be able to intercept (message encryption, pretty rare among proprietary protocols, but happens), or be sure that joe.the.boss@company.com is really Joe, their Boss, and not someone who just happend to "borrow" their laptop at the airport (signed presence, something, AFAIK, no other protocol provides). There are XMPP servers and clients for almost every platform possible, open-source or commercial, the protocol is open and approved by IETF for IM-style communication.

I won't give you any specific names, but I believe it wouldn't be very difficult to find a few *very* big companies using XMPP to prove to your boss that it's being used like this by big players in the industry.

And, frankly, that's the only open solution to your problem.

Zimbra

[sfbiker (1118091)]

Check out Zimbra [zimbra.com]

It can replace your Exchange server for email, has an XMLPP IM server built-in, and is much more cost effective and easier to administer than Exchange.

OpenFire Jabber server

[Nicodemus (19510)]

I would recommend the open source OpenFire [igniterealtime.org] server. Install it on your own server, then set the preferences to force SSL connections. Then communicates passed between clients on any platform are SSL encrypted. Turn off local client logging for better security. Beyond that, it's all client-side stuff that doesn't port as well.

Nicodemus

Spark/Openfire?

[chiger_bite (801427)]

I have been a fan of the Spark Client and Openfire Server [igniterealtime.org] as an IM platform for quite sometime. They are built on the XMPP and Jabber protocols. After being in a corporate environment before, I know it's hard to convince management to go with an OSS solution as they seem to think that if it doesn't have a price tag, it's not secure. The Spark/Openfire platform come in an 'Enterprise' flavor with support to appease management as well. Both the client and server are built on a plug-in style architecture, so it's pretty easy to include your own software add-ins. There are really too many features for me to really go into though.

CenterIM is the way

[pngwen (72492)]

I use CenterIM, formerly called CenterICQ.

It's ncurses based, so it runs in any real computation environment. It supports Yahoo, ICQ, AIM, MSN, Jabber, IRC, Google Talk, Live Journal, RSS feeds and more!

It's a wonderful client, tiny footprint, and it runs where programs belong, on the command line!

Re:skype

[Zsub (1365549)]

Skype? Since when is Skype secure man?! Have you read Slashdot [slashdot.org]?

Re:skype

[morgan_greywolf (835522)]

Read? Who reads anything on here? I only post.

Re:

[GodWasAnAlien (206300)]

"More Skype security Speculation."

Do you have any evidence that the Skype protocol is secure?

Note, Obscure != Secure.

Re:skype

[MrNaz (730548)]

Holy crap! You're a genius!

Tomorrow I'm going to go to the office and disguise the server rack as a refrigerator. Then my data will truly be safe, because even if a hacker does get in, he'll never believe there's any valuable data in a cheese sandwich.

Re:skype

[The Moof (859402)]

next time try to read more than just the title

But my "Slashdot User's Handbook" says I'm not supposed to!

Anyway, I was wondering if there was any papers or anything to follow up that post. Something that would move it from speculation to truth. There's some papers in the comments linking to notes about obfuscating against reverse engineering. The last sentence just said the Austrians claim they can easily listen into the conversations.

Re:skype

[s4m7 (519684)]

But my "Slashdot User's Handbook" says I'm not supposed to!

Ha! Nobody's read the handbook!

Re:Sametime

[enharmonix (988983)]

We use sametime at my office and it's just like any other IM client I've used. Two points of note - it offers encrypted chats, and the collaboration tools (screensharing, etc.) work better than Microsoft's Messenger products. I don't doubt, however, that OSS can compete with this - I'd only go ST if you're already using Lotus Notes.

Re:Sametime

[Fackamato (913248)]

We use sametime at my company, and it's piece of shit. When it works, it works. Often when someone types something in a chat and I click the minimized sametime window to reply, try to write something in the message box, and sametime freezes. Lots of hdd access of no apparent reason. We experience the same on all our machines (2GB RAM). Don't get me started on Notes 8...

Re:

[by Anonymous Coward]

I work for IBM. Sametime works okay, but there are tons of problems with it. Just one, for instance, is that you can "smilie bomb" someone with their default java client. Basically you just up the java max heap size, and then send them 256M of smilies so it fills up their heap and crashes java. Fun stuff. I use Pidgin to connect to sametime using the meanwhile plugin myself.

It shouldn't.

[Junta (36770)]

No software should have that problem. If it can't handle it, it should reject/drop the message, not crash (preferably with a substitute message saying message was dropped because sender.

Not confirming the Sametime behavior described, just speaking from experience of many many instances of developers feeding me BS about how they shouldn't have to tolerate some condition or another as it is artificial and stupid, not acknowledging a DoS as a serious problem.

Re:Sametime

[Exstatica (769958)]

no way, http://www.igniterealtime.org/ [igniterealtime.org].
Openfire is amazing and with thier Sparks client it gets even better.
Includes SSL, open API, different database backend, including LDAP. I've been running it for my office on a linux box connecting to a windows AD authentication. Best part about it is you can manage everyones contact lists. So no more invite this person add this person.
Openfire (formerly Wildfire) is a real time collaboration (RTC) server dual-licensed under the Open Source GPL and commercially. It uses the only widely adopted open protocol for instant messaging, XMPP (also called Jabber). Openfire is incredibly easy to setup and administer, but offers rock-solid security and performance

BTW i'm not affiliated with them, i just have used thier projects for years. Go opensource!

Re:Sametime

[bigstrat2003 (1058574)]

Are you kidding? The Spark client is the biggest piece of shit I've ever used. Random freezing (the UI will just freeze for up to a minute on my work PC), stops remembering what group you put buddies into... it blows ass.

Re:

[Exstatica (769958)]

I used to have that issue to, But i updated my java recently and the issue has cleared up.

Re:

[a_nonamiss (743253)]

I administer two Openfire servers at different locations in my company. One runs on a Windows server, the other on a Linux server. One has a mysql backend, the other runs on MS SQL. Both integrate seamlessly with Active Directory, and provide SSL encrypted communications between each other and the clients. Honestly, despite the vastly differing setups between the two sites, it's amazing how easy it was to get them to work with each other. I have to admit that Spark needs quite a bit of work, but there are a

Sametime is slightly open source

[TimTucker (982832)]

Although Sametime itself isn't open source, the newer versions are based on Eclipse (as are the more recent versions of Notes). Whether or not the overhead of running an instance of Eclipse to handle IM is a good idea or not is up to you.

Re:There is only one true IM client

[eln (21727)]

talk requires a terminal that can handle curses (vt100 or similar). This creates a barrier that's simply too cumbersome. I would suggest using write instead.

If encryption is needed, I would suggest rot13. For double encryption, rot26 can be used. Or, you could do what they did in WWII and "encrypt" by using an obscure language that few outsiders are likely to be able to decode. Since getting your coworkers to learn Navajo is probably out of reach, I suggest Pig Latin.

Really, I think the submitter is making this harder than it needs to be.

Re:

[Liam (39474)]

Kerberos [mit.edu] will authenticate without storing or sending passwords. It works for email, remote login (ssh, telnet, rlogin), file service (AFS, ftp) and web as well. Pidgin supports Kerberos, though you wouldn't know it to look at the documentation; it took me a while to realize I needed to load the Debian package libsasl2-modules-gssapi-mit [debian.org].