Communications

Good Open Source, Multi-Platform, Secure IM Client?

Posted by Soulskill
from the real-time-tps-report-updates dept.
Phil O. writes "I work for a company with 30+ locations across North America. Some offices have hundreds of employees; some only a dozen. We're looking for a secure, multi-platform IM client we could implement across the organization. One group is pushing for Microsoft's solution, but it has a number of drawbacks (including cost). What other options are out there, and what has worked well in similar situations? Security is a big concern for the company."
  • Sametime (Score:2, Insightful)

    by Anonymous Coward

    IBM's Lotus Sametime is very good I think. No idea how much it costs though, probably not cheap and it isn't open source.

    • Re:Sametime (Score:5, Informative)

      by enharmonix (988983) <enharmonix+slashdot@gmail.com> on Friday October 31, 2008 @04:27PM (#25588747)
      We use sametime at my office and it's just like any other IM client I've used. Two points of note - it offers encrypted chats, and the collaboration tools (screensharing, etc.) work better than Microsoft's Messenger products. I don't doubt, however, that OSS can compete with this - I'd only go ST if you're already using Lotus Notes.
      • Re:Sametime (Score:4, Informative)

        by Fackamato (913248) on Friday October 31, 2008 @04:33PM (#25588823)
        We use sametime at my company, and it's a piece of shit. When it works, it works. Often when someone types something in a chat and I click the minimized sametime window to reply and try to write something in the message box, sametime freezes. Lots of hdd access for no apparent reason. We experience the same on all our machines (2GB RAM). Don't get me started on Notes 8...
        • Re: (Score:3, Informative)

          by Anonymous Coward
          I work for IBM. Sametime works okay, but there are tons of problems with it. Just one, for instance, is that you can "smilie bomb" someone with their default java client. Basically you just up the java max heap size, and then send them 256M of smilies so it fills up their heap and crashes java. Fun stuff. I use Pidgin to connect to sametime using the meanwhile plugin myself.
    • Re:Sametime (Score:5, Informative)

      by Exstatica (769958) * on Friday October 31, 2008 @05:35PM (#25589467) Homepage
      no way, http://www.igniterealtime.org/ [igniterealtime.org].
      Openfire is amazing and with their Spark client it gets even better.
      Includes SSL, open API, different database backends, including LDAP. I've been running it for my office on a linux box connecting to a windows AD authentication. Best part about it is you can manage everyone's contact lists. So no more invite this person add this person.
      Openfire (formerly Wildfire) is a real time collaboration (RTC) server dual-licensed under the Open Source GPL and commercially. It uses the only widely adopted open protocol for instant messaging, XMPP (also called Jabber). Openfire is incredibly easy to setup and administer, but offers rock-solid security and performance

      BTW I'm not affiliated with them, I just have used their projects for years. Go opensource!
      • Re:Sametime (Score:5, Informative)

        by bigstrat2003 (1058574) * on Friday October 31, 2008 @05:45PM (#25589575)
        Are you kidding? The Spark client is the biggest piece of shit I've ever used. Random freezing (the UI will just freeze for up to a minute on my work PC), stops remembering what group you put buddies into... it blows ass.
        • Re: (Score:3, Informative)

          by Exstatica (769958) *
          I used to have that issue too, but I updated my java recently and the issue has cleared up.
        • by devjj (956776) *
          I'm with you on this one. Spark absolutely blows. You'd never know Openfire is as great as it is judging from the client designed for it.
    • Although Sametime itself isn't open source, the newer versions are based on Eclipse (as are the more recent versions of Notes). Whether or not the overhead of running an instance of Eclipse to handle IM is a good idea or not is up to you.
  • Anonymous Coward (Score:5, Informative)

    by Anonymous Coward on Friday October 31, 2008 @04:12PM (#25588493)

    Jabber server, pidgin clients, and http://pidgin-encrypt.sourceforge.net/ for security. Really it's a shame this even made it to slashdot. Can't anyone google anymore?

  • Pidgin + OTR (Score:4, Informative)

    by 314m678 (779815) on Friday October 31, 2008 @04:13PM (#25588511)
    Pidgin + OTR plugin

    http://www.pidgin.im/ [pidgin.im]

    http://en.wikipedia.org/wiki/Pidgin [wikipedia.org]

    http://www.cypherpunks.ca/otr/ [cypherpunks.ca]

    • Re: (Score:3, Informative)

      by TheLink (130905)
      Pidgin for windows is pretty crappy though

      It hangs quite often (more if you don't use the tab mode, and if you use tab mode, if some spammer spams you, you can't tell from the taskbar who sent you the message - it could look like someone else is sending you a message).

      It often doesn't succeed in sending messages to people on MSN - 5 minutes after I send, it'll tell me it failed. 5 minutes!

      You can't easily filter out "spim", even if you use stuff like bot sentry you still get bugged about it- which completel
    • Re:Pidgin + OTR (Score:5, Interesting)

      by srussell (39342) on Friday October 31, 2008 @05:06PM (#25589199) Homepage Journal
      Note that the OTR plugin is available for several IM clients, including KDE's Kopete, Miranda, mICQ, and several others.

      I'm still waiting for it to show up for the Android chat client, but it is still early days...

      --- SER

  • jabber (Score:5, Informative)

    by muckdog (607284) on Friday October 31, 2008 @04:13PM (#25588513) Homepage
    I'm betting www.jabber.org will be echoed over and over in the responses. Considering Google uses it to power Gtalk I say it's scalable.
  • Multi-platform (Score:4, Insightful)

    by jkinney3 (535278) on Friday October 31, 2008 @04:13PM (#25588517)
    Microsoft's solution is NOT multiplatform. Anything that runs jabber protocol has a multiplatform client.
  • Pidgin? (Score:2, Informative)

    by yakumo.unr (833476)

    So how about Pidgin [pidgin.im] with the OTR plugin [cypherpunks.ca]? afaik you can't get more secure than OTR with IM, and it's available for a few different clients.

    • by cowtamer (311087)

      Mod parent up. Pidgin is not as full-featured as MS's IM, but otherwise rocks (esp. wrt security)

  • Openfire + Spark (Score:5, Informative)

    by mackil (668039) <movie@movBALDWIN ... net minus author> on Friday October 31, 2008 @04:14PM (#25588537) Homepage Journal
    We use the Openfire server (www.igniterealtime.org) with the Spark client over several offices in different states and over 3 different platforms. SSL is available as well (which we use).

    So far no problems beyond user error. I'd recommend it.
    • Re: (Score:3, Insightful)

      by ErnieD (19277)

      I'll second that, we use Openfire within our IT department (spanning 3 locations plus accessible via VPN). Spark is the primary client we give to our people but they're also free to use any other Jabber client they want like Pidgin, Miranda, Exodus, etc. We have SSL enabled and message auditing & archiving turned on which is also important for businesses in certain markets. We have it authenticating off our Active Directory via LDAP lookup. There's also a Flash-based web client which simply is a SWF tha

    • Re: (Score:3, Informative)

      by SuperQ (431) *

      I use openfire for my personal jabber server, it's been reliable, and keeps getting good updates.

      I haven't used the spark client, and I haven't had good luck with the web client. That's probably the biggest thing I wish I could find was a good web client like gmail chat.

    • We use Wildfire (a.k.a. Openfire) with Pandion (on the Windows machines) and iChat on the Macs. Some folks use Miranda or other chats. Openfire/Wildfire ties nicely into Active Directory, letting you populate user lists and do authentication against the AD. We're using SSL to secure the transport protocol.
  • Use Pidgin with OTR. It is a good balance of security and convenience, you just need to be careful about not having your hardware stolen (OTR keys are not symmetrically encrypted the way PGP keys are). You might be able to resolve that by also using whole disk encryption...
    • OTR doesn't actually use the keys it stores for the encrypted message. When you start a new conversation, both sides generate a new set of session keys randomly. The stored key is then used to sign the session keys so that the other party can trust that the session key is valid, and from you.

      If you lose your keys, an attacker can pretend to be you until you update the public keys that your friends will be looking for, but previous messages aren't compromised. In that way, it's a fair bit safer than PGP.
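Added example, not part of any comment in this thread and not OTR's own code: a minimal Python sketch of the idea the reply above describes, where a stored long-term key only signs freshly generated session keys. It assumes a toy group (integers modulo 2**255 - 19) and substitutes a Schnorr-style signature for the DSA signatures OTR uses; all function names are hypothetical.

```python
import hashlib
import secrets

# Toy parameters for illustration only (assumption, not OTR's group):
# multiplicative group modulo the prime 2**255 - 19, generator 2.
P = 2**255 - 19
G = 2

def keypair():
    """Return (private, public) with public = G**private mod P."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def _digest(*ints):
    h = hashlib.sha256()
    for n in ints:
        h.update(n.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big")

def sign(long_term_priv, value):
    """Schnorr-style signature over an integer (here: a session public key)."""
    k, r = keypair()
    e = _digest(r, value)
    return r, (k + long_term_priv * e) % (P - 1)

def verify(long_term_pub, value, sig):
    r, s = sig
    if not (0 < r < P and 0 < value < P):
        return False
    e = _digest(r, value)
    return pow(G, s, P) == (r * pow(long_term_pub, e, P)) % P

def offer(long_term_priv):
    """Start a conversation: fresh session key pair, public half signed."""
    eph_priv, eph_pub = keypair()
    return eph_priv, eph_pub, sign(long_term_priv, eph_pub)

def session_key(my_eph_priv, peer_eph_pub, peer_sig, peer_long_term_pub):
    """Derive the message key. No long-term private key is an input here."""
    if not verify(peer_long_term_pub, peer_eph_pub, peer_sig):
        raise ValueError("session key not signed by the expected identity")
    shared = pow(peer_eph_pub, my_eph_priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def demo():
    alice_lt, alice_pub = keypair()   # stored on disk
    bob_lt, bob_pub = keypair()       # stored on disk

    # Conversation 1: both sides generate and sign new session keys.
    a_priv, a_pub, a_sig = offer(alice_lt)
    b_priv, b_pub, b_sig = offer(bob_lt)
    k_alice = session_key(a_priv, b_pub, b_sig, bob_pub)
    k_bob = session_key(b_priv, a_pub, a_sig, alice_pub)
    # a_priv and b_priv are discarded when the conversation ends; the stored
    # long-term keys alone cannot reproduce k_alice.

    # Conversation 2 uses unrelated session keys.
    a2_priv, _, _ = offer(alice_lt)
    _, b2_pub, b2_sig = offer(bob_lt)
    k2 = session_key(a2_priv, b2_pub, b2_sig, bob_pub)

    # A thief holding alice_lt can sign a new session key that Bob accepts...
    _, m_pub, m_sig = offer(alice_lt)
    # ...while someone without it is rejected.
    stranger_lt, _ = keypair()
    _, s_pub, s_sig = offer(stranger_lt)
    return {
        "keys_match": k_alice == k_bob,
        "second_session_differs": k2 != k_alice,
        "impersonation_works": verify(alice_pub, m_pub, m_sig),
        "stranger_rejected": not verify(alice_pub, s_pub, s_sig),
    }

if __name__ == "__main__":
    print(demo())
```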

  • Jabber? (Score:3, Insightful)

    by nine-times (778537) <nine.times@gmail.com> on Friday October 31, 2008 @04:16PM (#25588561) Homepage

    I've never actually implemented Jabber before, but it seems like the obvious answer. You should be able to set up your own server without paying any software costs, and use GAIM/Adium. I think encryption is supported, but it's slightly less of a concern if the traffic never leaves your own network.

    Actually, depending on your requirements, you may not want clients to encrypt traffic, so that you can log and archive it.

    • Re: (Score:2, Informative)

      by infinityxi (266865)

      Jabber is actually a pretty easy setup. You can grab an ejabberd or OpenFire and set your domain up around it. Encryption and retention are also pretty easy to set up. It seems to make the most sense if this is about in-house communication on a company level, as one can easily make JIDs mirror email addresses.

      • by krakelohm (830589)
        I second the use of Openfire. I have been using it since it was wildfire; it's nice and small on the server, has a web interface for setup, and uses Jabber so you can choose the client that works for you. One note though, I would stay away from their client (spark); it works well, but man, it's a memory hog and slowwwww.

        http://www.igniterealtime.org/projects/openfire/index.jsp
        • by SuperQ (431) *

          I also love openfire, I tuned the java memory usage down a bit, but I guess I don't have enough users to see if it's slow or not.

          How many users and what hardware are you using?

          It supports clustering, so I guess you can always scale it that way.

    • Actually, depending on your requirements, you may not want clients to encrypt traffic, so that you can log and archive it.

      Exactly my thoughts.

      I'd recommend IRC. Set up one IRC server per location and tunnel inter-office connections over ssh or ssl [have a look at stunnel]. Whether to encrypt intraoffice communication depends on local requirements, but again there's stunnel.

      If employees don't trust each other or the sysadmins, your organization probably either has serious problems, or it's the DOD.

      • by Binestar (28861)

        If employees don't trust each other or the sysadmins, your organization probably either has serious problems, or it's the DOD.

        Or it's something like a Hospital or Dr office and everyone doesn't need to know that Patient A is being moved by Nurse Station A to Nurse Station B and is his room ready?

        Information wants to be free, but privacy is a good thing. I'm actually in the process of examining various Jabber servers for something that can authenticate to Active Directory and supports encryption for a Surge

  • Any XMPP Client (Score:5, Informative)

    by infinityxi (266865) <infinityxi@yahoo . c om> on Friday October 31, 2008 @04:16PM (#25588563) Homepage

    I would go about your problem by first separating the client from the actual protocol. If you are worried about cross platform I would of course go with an XMPP solution. You can do the following:

    - Run an OpenFire server Here [igniterealtime.org]
    - Pick from a slew of XMPP clients but I would probably pick the Spark IM Client (Same people as the OpenFire software)

    This way you don't have to worry about Client A working with Protocol B across Windows/Linux/Mac.

    Using XMPP is also an easy way to control your IM facilities as you can create an organizational system for creating names such as using email addresses as screen names and not have to worry about Bob from Accounting using PiMpMaSta23.

    I would evaluate OpenFire and the Spark IM client and see if it fits. The server is very easy to set up and administer. You can also use Pidgin or Psi as XMPP clients although I think Spark is the most professional looking of the three.

  • by Yosho (135835) on Friday October 31, 2008 @04:18PM (#25588585) Homepage

    Everybody is saying "Pidgin", but a client won't do you any good without a server to connect to, and if you really care about being secure, you shouldn't trust any third-party server that is publicly accessible.

    You should probably set up your own Jabber server; I recommend Openfire [igniterealtime.org], which is open source, easy to install, and pretty powerful. It is possible to mandate that all clients must use encryption to connect, which will do a pretty good job of keeping things secure, and you can use any XMPP client that supports encryption. If you don't want even the server to be able to read your messages, as others have suggested, installing an OTR plugin for your client is the way to go.
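Added example, not part of any comment in this thread and not Openfire's own code: a Python check that "all clients must use encryption" is actually in effect, by classifying the `<stream:features/>` element an XMPP server sends on a plaintext connection to the client port. The sample stanzas are constructed, and the function name and result keys are hypothetical.

```python
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

def audit_features(fragment: str) -> dict:
    """Classify the first <stream:features/> seen before any TLS negotiation."""
    # XMPP streams must not carry DTDs; refuse them before parsing.
    if "<!DOCTYPE" in fragment or "<!ENTITY" in fragment:
        raise ValueError("DTDs are not allowed in XMPP streams")
    # A captured fragment lacks the 'stream' prefix declaration that lives on
    # the enclosing <stream:stream> header, so supply it with a wrapper.
    root = ET.fromstring(f"<w xmlns:stream='{NS_STREAM}'>{fragment}</w>")
    features = root.find(f"{{{NS_STREAM}}}features")
    if features is None:
        raise ValueError("no <stream:features/> element found")

    starttls = features.find(f"{{{NS_TLS}}}starttls")
    if starttls is None:
        state = "absent"
    elif starttls.find(f"{{{NS_TLS}}}required") is not None:
        state = "required"
    else:
        state = "optional"

    path = f"{{{NS_SASL}}}mechanisms/{{{NS_SASL}}}mechanism"
    mechs = [m.text.strip() for m in features.iterfind(path) if m.text]

    findings = []
    if state == "absent":
        findings.append("STARTTLS not offered on this port")
    elif state == "optional":
        findings.append("STARTTLS offered but not required; "
                        "a client may stay in plaintext")
    if mechs and state != "required":
        findings.append("SASL offered before TLS: " + ", ".join(mechs))
    return {"starttls": state, "pre_tls_mechanisms": mechs,
            "enforced": state == "required", "findings": findings}

# Constructed sample stanzas (not captured from a real server).
ENFORCED = """<stream:features>
  <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>
</stream:features>"""

OPTIONAL = """<stream:features>
  <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
    <mechanism>PLAIN</mechanism><mechanism>DIGEST-MD5</mechanism>
  </mechanisms>
</stream:features>"""

PLAINTEXT_ONLY = """<stream:features>
  <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>"""

if __name__ == "__main__":
    for name, sample in [("enforced", ENFORCED), ("optional", OPTIONAL),
                         ("plaintext-only", PLAINTEXT_ONLY)]:
        print(name, audit_features(sample))
```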

  • by Arrogant-Bastard (141720) on Friday October 31, 2008 @04:19PM (#25588609)
    Pidgin is portable, under active development, works for multiple IM protocols, sports a healthy collection of plug-ins that augment its functionality -- including OTR to provide relatively secure messaging services. It's not perfect by any means, but I've deployed it across a 150-person organization and found that it more than met their needs. So if you're going to spend money -- not that you need to -- one possible course of action is to try pidgin, identify any issues that are causing you problems, and negotiate a deal with the developers: make a contribution to fund the development, which in turn not only benefits you but the entire rest of the user community.
  • Why IM? (Score:5, Interesting)

    by Hatta (162192) on Friday October 31, 2008 @04:20PM (#25588619) Journal

    Why not IRC?

  • I have used this combination at two jobs now; it supports multiple offices and also has LDAP integration if you wanted to hook it up with Active Directory. There is also a handy assortment of plugins available.

  • GroupWise IM (Score:2, Informative)

    by Emrys01 (831422)
    Novell GroupWise Instant Messenger is secure by default. It has its own client or you can use Pidgin. The server is not hard to set up and get running either. (Disclaimer, I work for Novell.)
    • Nobody on slashdot would typically suggest Novell for anything. Patent issues, selling their soul to MS, working with mono, You should know better. [boycottnovell.com]

      Pidgin + OTR + Jabber server if needed = good solution, open source, no software costs of any kind (only hardware).

    • by Bert64 (520050)

      Does it use standard protocols (XMPP, or maybe SIP)?
      Does it store its user data (users/passwords, profiles, logs etc) in standard formats?

      I think it would be foolish to implement something proprietary, because it will restrict your movements in the future.

  • by Anonymous Coward on Friday October 31, 2008 @04:23PM (#25588681)

    SupraBrowser [sourceforge.net]

    It's a secure, threaded IM client (all socket communication 3DES encrypted with a zero-knowledge proof SRPP [stanford.edu]), written in Java, that runs on Linux, Mac, and Windows. It was developed for the hedge fund industry in Boston. I developed it initially, but it's mainly being maintained, not developed further because we don't receive any new feature requests.

    Don't let the extensive features fool you. It's primarily a secure, threaded IM system. The other features were added (email gateway, auto-forwarding to email, embedded web browser with sophisticated tagging engine) based on its being used *very* heavily every day and requests coming from highly advanced users of the system.

    There is also a Firefox plugin that integrates with it, as well as a pure ajax client written in the Eclipse Rich Ajax Platform.

    Feel free to contact me personally for any details or help setting it up. The release on sourceforge assumes fairly good technical abilities (building it from ant, getting xulrunner to work with javaxpcom) and is not a general packaged release. However, it is running many places in production.

    suprasphere@gmail.com

    David Thomson

  • by kuzb (724081)
    Why does it have to be opensource? Do you intend to develop code/patches for it?
    • by Loibisch (964797)

      Maybe not now, maybe he might later if the whole project goes under.

    • by geekoid (135745)

      A) If he really wants security he is going to want to look at the code.

      B) Maybe he wants to support the philosophy?

      C) You are protected against forced upgrades.

      D) You will always be able to get support. Worst case that will mean hiring someone to add the feature you want.

      E) Cost.

      F) Longevity.

  • by Enleth (947766) <enleth@enleth.com> on Friday October 31, 2008 @04:25PM (#25588711) Homepage

    You can set up the thing completely in-house (you don't have to trust a contractor), or you can opt for a canned solution (for example Jabber, Inc., http://www.jabber.com/ [jabber.com], they do provide everything for big and small companies, and are backed by Cisco). It uses SSL/TLS for secure connections both between clients and servers (C2S) and between separate servers (S2S), with full support for certificate authenticity checking, and even PGP/GPG encryption between the users, should they need to exchange really confidential data that even a rogue company server admin shouldn't be able to intercept (message encryption, pretty rare among proprietary protocols, but happens), or be sure that joe.the.boss@company.com is really Joe, their Boss, and not someone who just happened to "borrow" their laptop at the airport (signed presence, something, AFAIK, no other protocol provides). There are XMPP servers and clients for almost every platform possible, open-source or commercial, the protocol is open and approved by IETF for IM-style communication.

    I won't give you any specific names, but I believe it wouldn't be very difficult to find a few *very* big companies using XMPP to prove to your boss that it's being used like this by big players in the industry.

    And, frankly, that's the only open solution to your problem.

  • Zimbra (Score:4, Interesting)

    by sfbiker (1118091) on Friday October 31, 2008 @04:26PM (#25588727)
    Check out Zimbra [zimbra.com]

    It can replace your Exchange server for email, has an XMPP IM server built-in, and is much more cost effective and easier to administer than Exchange.

  • by Ash-Fox (726320)

    Psi and a Jabber server of your choosing would do.

    Psi is fully multi platform, supports various encryption options. It isn't any harder to setup and install than any other corporate instant messaging system.

    Additionally, there is no cost involved.

  • by Nicodemus (19510) on Friday October 31, 2008 @04:34PM (#25588833) Homepage

    I would recommend the open source OpenFire [igniterealtime.org] server. Install it on your own server, then set the preferences to force SSL connections. Then communications passed between clients on any platform are SSL encrypted. Turn off local client logging for better security. Beyond that, it's all client-side stuff that doesn't port as well.

    Nicodemus

  • Spark/Openfire? (Score:3, Informative)

    by chiger_bite (801427) on Friday October 31, 2008 @04:55PM (#25589061)

    I have been a fan of the Spark Client and Openfire Server [igniterealtime.org] as an IM platform for quite some time. They are built on the XMPP and Jabber protocols. After being in a corporate environment before, I know it's hard to convince management to go with an OSS solution as they seem to think that if it doesn't have a price tag, it's not secure. The Spark/Openfire platform comes in an 'Enterprise' flavor with support to appease management as well. Both the client and server are built on a plug-in style architecture, so it's pretty easy to include your own software add-ins. There are really too many features for me to really go into though.

  • I don't think Pidgin (Score:2, Informative)

    by morgauo (1303341)

    Pidgin's a great client for personal use. I use it and like it a lot.

    Sure, they can set up a Jabber server of their own, then connect to it with Pidgin and use one of the encryption plugins for security but I doubt an organization that is concerned about secure IM is going to be interested in a solution with so much possibility for the users to start adding their own personal, outside, public IM accounts.

    I would say Jabber server with any jabber only client which supports encryption and can have it's confi

  • We use Pidgin (Score:2, Informative)

    Multi-platform =and= multi-protocol.

  • jabberd/jabberd2 (Score:2, Informative)

    by defsdoor (737019)
    I run half a dozen jabberd servers (and one jabberd2) and use PSI on windows machines for clients. I also generate the user rosters myself with some nifty scripts so that users always see everyone else in the companies.
  • In this case, for once, I have to say just use a commercial solution. Maintaining your own servers is expensive, and supporting it is a headache your IT people don't need. Just go with Skype if you want video and free phone service as well, that is very multi-platform. It's not open source, I admit, but it works well.
    • by Bert64 (520050)

      Using a third party external server could open up legal implications... You really don't want your private internal correspondence going outside of the company network.

  • At our office, we were using IRC for many years. We recently rolled out a jabber/xmpp server, Openfire, and associated clients for the users' platforms. It's secure, and full-featured.

  • Anything that is Jabber/XMPP based will support a wide range of clients and has the ability to use SSL. You not only can encrypt SSL traffic, but a good server will allow you to require clients that connect to have a known and valid certificate. And the server must have a certificate that is known to the client. It's only as secure as your process of distributing the certificates.

    For a client there are many. Coccinella [coccinella.im] has a nice whiteboard features that I have found useful in the corporate world. But Pidgi

  • Are you serious?? Openfire [igniterealtime.org] for the XMPP (aka Jabber) server, and Pidgin [pidgin.im] for the client. If set up correctly, you can force SSL/TLS encryption. I've implemented this at my company and it's rock solid. Beats the hell out of any proprietary solution you'll find, if IM is your main goal. I'd recommend setting up XMPP service DNS records for your domain for a really slick implementation.
  • Use a Jabber server, there are many out there, and it also offers the benefit that you can split the service up into subdomains, ie your larger sites have their own local jabber server but can communicate with the others, so you have for instance:
    user@newyork.yourcompany.com
    user@london.yourcompany.com

    You can also open it up to the outside if you want, and you can also make people's jabber id's match their email addresses...

    For clients, being an open standard you have a huge choice of clients, pidgin is good

  • I'm willing to take the -1, Flamebait on this:

    Did you even -think- about trying, oh, say, a web search on this?

    Google is pretty good, I suggest you try it.

    What a pointless Ask Slashdot.

    • by SuperQ (431) *

      Goog apps for your domain works really well, and since it supports jabber clients/federation, it's really flexible about what you connect. There are a few enterprise features like "warn user if contact is not on your domain" and forced encryption.

  • there is gale [gale.org] which is secure, protocol based, distributed, and quite nice all around.

  • by pngwen (72492) on Friday October 31, 2008 @07:29PM (#25590551) Journal

    I use CenterIM, formerly called CenterICQ.

    It's ncurses based, so it runs in any real computation environment. It supports Yahoo, ICQ, AIM, MSN, Jabber, IRC, Google Talk, Live Journal, RSS feeds and more!

    It's a wonderful client, tiny footprint, and it runs where programs belong, on the command line!
