Good Open Source, Multi-Platform, Secure IM Client?
Phil O. writes "I work for a company with 30+ locations across North America. Some offices have hundreds of employees; some only a dozen. We're looking for a secure, multi-platform IM client we could implement across the organization. One group is pushing for Microsoft's solution, but it has a number of drawbacks (including cost). What other options are out there, and what has worked well in similar situations? Security is a big concern for the company."
Sametime (Score:2, Insightful)
IBM's Lotus Sametime is very good I think. No idea how much it costs though, probably not cheap and it isn't open source.
Multi-platform (Score:4, Insightful)
Re:jabber (Score:5, Insightful)
I agree - not too hard to set up your own jabber server with an SSL connection. If you REALLY want to be secure, you won't rely on someone else's server.
Jabber? (Score:3, Insightful)
I've never actually implemented Jabber before, but it seems like the obvious answer. You should be able to set up your own server without paying any software costs, and use GAIM/Adium. I think encryption is supported, but it's slightly less of a concern if the traffic never leaves your own network.
Actually, depending on your requirements, you may not want clients to encrypt traffic, so that you can log and archive it.
Re:skype (Score:1, Insightful)
Not saying Skype is secure or anything, but do you have any hard evidence, or facts?
Re:GroupWise IM - whoa no (Score:2, Insightful)
Nobody on Slashdot would typically suggest Novell for anything. Patent issues, selling their soul to MS, working with Mono. You should know better. [boycottnovell.com]
Pidgin + OTR + Jabber server if needed = good solution, open source, no software costs of any kind (only hardware).
Re:Openfire + Spark (Score:3, Insightful)
I'll second that, we use Openfire within our IT department (spanning 3 locations plus accessible via VPN). Spark is the primary client we give to our people but they're also free to use any other Jabber client they want like Pidgin, Miranda, Exodus, etc. We have SSL enabled and message auditing & archiving turned on which is also important for businesses in certain markets. We have it authenticating off our Active Directory via LDAP lookup. There's also a Flash-based web client which simply is a SWF that can be dropped in any web server, but we don't use that at present.
Re:skype (Score:3, Insightful)
"More Skype security Speculation."
Do you have any evidence that the Skype protocol is secure?
Note, Obscure != Secure.
Re:Skype? (Score:2, Insightful)
I would really not want to use Skype for anything more than personal use, especially not company use. It might be a good program (matter of opinion) and it might have decent VoIP, but then again the guy asking could have easily gone with using AIM, Yahoo, or GTalk. It sounds like he wants to use something more suited to IM, and for a company you should really want to have control over accounts, usernames, and compliance, and I don't think Skype is good enough for that.
As for the security issue: I am sure it is decently secure, but if this organization, like others, relies on encryption for sending sensitive messages across the wire (I would really discourage people sending sensitive business information over IM), a third-party solution isn't really the way to go. I would say run something in-house (or co-located) and get a certificate.
Re:Sametime (Score:1, Insightful)
Re:Pidgin? (Score:3, Insightful)
Kerberos [mit.edu] will authenticate without storing or sending passwords. It works for email, remote login (ssh, telnet, rlogin), file service (AFS, ftp) and web as well. Pidgin supports Kerberos, though you wouldn't know it to look at the documentation; it took me a while to realize I needed to load the Debian package libsasl2-modules-gssapi-mit [debian.org].
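An added example, not part of any comment in this thread: a small audit of the `<stream:features/>` element a Jabber/XMPP server advertises, covering the two points raised above (TLS enforced on the self-hosted server, and Kerberos offered as the SASL GSSAPI mechanism). It assumes the features XML was copied from a client's XML console; the function name, finding strings and sample stanzas are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespaces defined by RFC 6120 for STARTTLS and SASL negotiation.
NS = {
    "tls": "urn:ietf:params:xml:ns:xmpp-tls",
    "sasl": "urn:ietf:params:xml:ns:xmpp-sasl",
}
# Mechanisms that hand the server a recoverable password.
PASSWORD_MECHS = {"PLAIN", "LOGIN"}


def audit_features(xml_text, tls_active, want_kerberos=False):
    """Return a list of findings for one <stream:features/> element."""
    root = ET.fromstring(xml_text)
    starttls = root.find("tls:starttls", NS)
    mechs = {m.text.strip().upper()
             for m in root.findall("sasl:mechanisms/sasl:mechanism", NS)
             if m.text}
    findings = []
    if not tls_active:
        if starttls is None:
            findings.append("no STARTTLS offered")
        elif starttls.find("tls:required", NS) is None:
            # A client may skip TLS, or an on-path attacker may strip the offer.
            findings.append("STARTTLS optional: downgrade possible")
        exposed = sorted(mechs & PASSWORD_MECHS)
        if exposed:
            findings.append("password mechanisms before TLS: " + ",".join(exposed))
    elif want_kerberos and "GSSAPI" not in mechs:
        findings.append("GSSAPI (Kerberos) not offered")
    return findings


# Constructed samples. On the wire the stream: prefix is declared in the
# stream header; it is declared inline here so each sample parses alone.
_HEAD = "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
_TAIL = "</stream:features>"
_SASL = "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>%s</mechanisms>"
WEAK_PRE_TLS = (_HEAD + "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
                + _SASL % "<mechanism>PLAIN</mechanism><mechanism>DIGEST-MD5</mechanism>"
                + _TAIL)
HARDENED_PRE_TLS = (_HEAD + "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>"
                    "<required/></starttls>" + _TAIL)
HARDENED_POST_TLS = (_HEAD
                     + _SASL % "<mechanism>GSSAPI</mechanism><mechanism>PLAIN</mechanism>"
                     + _TAIL)

if __name__ == "__main__":
    for name in ("WEAK_PRE_TLS", "HARDENED_PRE_TLS", "HARDENED_POST_TLS"):
        print(name, audit_features(globals()[name], name.endswith("POST_TLS"), True))
```

Pass `tls_active=True` for features read after STARTTLS completes, or on a listener that wraps the whole connection in SSL from the start.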
Re:Pidgin + OTR (Score:5, Insightful)
Most likely the MSN bug in Pidgin is due to having to reverse engineer the protocol every time it gets changed...
Re:jabber (Score:5, Insightful)
If the clients use end-to-end encryption and share the password through a secure different channel (e.g. encrypted email) does it really matter if the server is your own?