Security vulnerabilities of XMPP

Hi there,

I’m using XMPP as a communication layer for machine-to-machine interaction. I’m interested in the security aspects of XMPP and Openfire. Is there anywhere a repository of XMPP and Openfire security vulnerabilities, issues, and countermeasures?

A couple of more specific questions:

  1. Can you configure the server not to deliver messages to anyone who’s not in your roster?

  2. Can you configure the server not to deliver you messages at a rate that exceeds some factor? (server-side rate limiter)

Thanks!

As far as I know, there is no such repository. We have our generic bugtracker of course, and some vulnerabilities are added to public websites that specialize in them, but that’s about it.

As for your questions:

  1. No, not to my knowledge. This is behaviour that’s different from what’s defined by the XMPP specification, as far as I know. It would however be rather simple to write a plugin (based on a packet interceptor) to implement this. Check out the Plugins - perhaps one does exist that implements this functionality!

  2. No, but that’s on our to-do list though.
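To make the packet-interceptor suggestion in answer 1 concrete, here is an added example of such a plugin; it is not Openfire's own code and not from the thread. It assumes the Openfire plugin API (`Plugin`, `PacketInterceptor`, `InterceptorManager`, `RosterManager`), and the `plugin.xml` packaging descriptor is not shown. The class name `RosterGatePlugin` is hypothetical.

```java
import java.io.File;
import org.jivesoftware.openfire.XMPPServer;
import org.jivesoftware.openfire.container.Plugin;
import org.jivesoftware.openfire.container.PluginManager;
import org.jivesoftware.openfire.interceptor.InterceptorManager;
import org.jivesoftware.openfire.interceptor.PacketInterceptor;
import org.jivesoftware.openfire.interceptor.PacketRejectedException;
import org.jivesoftware.openfire.roster.Roster;
import org.jivesoftware.openfire.session.Session;
import org.jivesoftware.openfire.user.UserNotFoundException;
import org.xmpp.packet.JID;
import org.xmpp.packet.Message;
import org.xmpp.packet.Packet;

/** Hypothetical plugin: drops messages whose sender is not in the recipient's roster. */
public class RosterGatePlugin implements Plugin, PacketInterceptor {

    @Override
    public void initializePlugin(PluginManager manager, File pluginDirectory) {
        InterceptorManager.getInstance().addInterceptor(this);
    }

    @Override
    public void destroyPlugin() {
        InterceptorManager.getInstance().removeInterceptor(this);
    }

    @Override
    public void interceptPacket(Packet packet, Session session, boolean incoming, boolean processed)
            throws PacketRejectedException {
        // Inspect each message once, as it arrives and before Openfire routes it.
        if (!(packet instanceof Message) || !incoming || processed) {
            return;
        }
        JID from = packet.getFrom();
        JID to = packet.getTo();
        XMPPServer server = XMPPServer.getInstance();
        // Only gate delivery to local user accounts; leave server-addressed traffic alone.
        if (from == null || to == null || to.getNode() == null || !server.isLocal(to)) {
            return;
        }
        if (from.toBareJID().equals(to.toBareJID())) {
            return; // a user may always message their own other resources
        }
        try {
            Roster roster = server.getRosterManager().getRoster(to.getNode());
            if (!roster.isRosterItem(from)) {
                // Throwing here stops routing; the packet is not delivered to the recipient.
                throw new PacketRejectedException("Sender is not in the recipient's roster");
            }
        } catch (UserNotFoundException e) {
            throw new PacketRejectedException("Recipient has no roster");
        }
    }
}
```

`isRosterItem` is true for any roster entry, including ones with a pending subscription; if you want to require an established subscription, inspect the item's subscription state instead (assumption: `Roster.getRosterItem(JID)` and `RosterItem.getSubStatus()`). A rate limiter (question 2) would hang off the same interceptor, counting messages per sender over a time window.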

Thanks Guus for the useful information.