
I'm trying to understand how XMPP works, and I'm very concerned about how both the protocol and existing implementations ensure privacy.

More specifically, I want to understand how XMPP servers process the messages sent out by their clients.

While reading chapter 4 of the book "XMPP: The Definitive Guide" by Remko Tronçon, Kevin Smith, and Peter Saint-Andre, I found the following note:

Upon receiving the message stanza, the realworld.lit server checks to see whether Alice’s sister is online; if so, the server immediately delivers the message to one or more of her online devices over a server-to-client XML stream (without storing it or otherwise performing much processing on it)

However, it doesn't explain how the message is temporarily stored, or what is meant by "performing much processing on it" (it sounds vague).

I did some research and read the XMPP Core RFC, but didn't find enough information.

What I'm wondering:

  1. Are the messages directly stored within the source server (mapped to the sending client), before forwarding them to the destination server?
  2. Are the messages directly stored within the destination server (mapped to the target client) before forwarding them to the target client, after he comes online?
  3. How long are they stored: are they stored temporarily (and how long do they remain on the server)?
  4. How are they stored physically: are they in-memory or persisted to disk?
  5. Are the messages directly flushed (deleted) from both source and destination servers after forwarding them?
user6039980
    I don't think that the standard enforces a specific way on how exactly and how long a message is stored, i.e. this depends on the specific implementation. Also, as far as I know, XMPP is not focused on privacy in the first place and it has (at least by default) no end-to-end encryption. If it had E2E, then it would not matter if the server stores the message (since it is encrypted for the recipient only and the server cannot decrypt it), and without E2E the main problem is that the server has the message in plain in the first place. – Steffen Ullrich Aug 23 '19 at 13:01

1 Answer

While it's possible for a particular implementation to do something different, in every XMPP server I've looked at:

Messages are NOT end-to-end encrypted.

Messages are stored on the server in clear text.

Messages are mapped to both sender and recipient.

Messages are generally stored permanently on disk, subject to only local house keeping cleanup.

XMPP is essentially e-mail with realtime presence indicators.

user10216038
  • Thanks for your answer. Could you clarify a bit the meaning of "Messages are mapped to both sender and recipient"? – user6039980 Aug 24 '19 at 13:31
  • @Kais - Essentially, messages are kept in a database with pointers to both sender and recipient. Statistics of who talks to whom, amount, frequency, etc. are readily generated from the database. – user10216038 Aug 25 '19 at 01:43
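
The storage model described in the answer and its comments, as an added example that is not part of the original posts or any real server's code: a hypothetical archive table keyed by sender and recipient, filled from constructed stanzas. The schema, the JIDs and the `urn:example:e2e` namespace are assumptions; the point is that an encrypted payload hides the body from the server while the sender/recipient mapping, and the statistics derived from it, remain.

```python
import sqlite3
import xml.etree.ElementTree as ET

NS = "{jabber:client}"

# Constructed stanzas (not captured traffic): (unix_time, xml). The last one carries
# an opaque payload in a made-up namespace standing in for an E2E extension.
SAMPLE = [
    (1000, "<message xmlns='jabber:client' from='alice@wonderland.lit/rabbithole' "
           "to='sister@realworld.lit' type='chat'><body>Hi</body></message>"),
    (2000, "<message xmlns='jabber:client' from='alice@wonderland.lit/phone' "
           "to='sister@realworld.lit' type='chat'><body>Still there?</body></message>"),
    (3000, "<message xmlns='jabber:client' from='sister@realworld.lit/home' "
           "to='alice@wonderland.lit' type='chat'>"
           "<encrypted xmlns='urn:example:e2e'>b3BhcXVl</encrypted></message>"),
]

def server_view(xml_text):
    """What a relaying server can read: bare JIDs always, body only if cleartext."""
    msg = ET.fromstring(xml_text)
    sender = msg.get("from").split("/", 1)[0]      # strip the resource part
    recipient = msg.get("to").split("/", 1)[0]
    return sender, recipient, msg.findtext(NS + "body")  # None when no <body/>

def build_archive(stanzas):
    """Hypothetical archive table with pointers to sender and recipient."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE archive (ts INTEGER, sender TEXT, recipient TEXT, body TEXT)")
    db.executemany("INSERT INTO archive VALUES (?, ?, ?, ?)",
                   [(ts, *server_view(x)) for ts, x in stanzas])
    return db

def contact_stats(db):
    """Who talks to whom and how often, derived from metadata alone."""
    return db.execute("SELECT sender, recipient, COUNT(*) FROM archive "
                      "GROUP BY sender, recipient ORDER BY sender").fetchall()

def purge_older_than(db, cutoff_ts):
    """Retention housekeeping: delete rows older than the cutoff, return rows removed."""
    return db.execute("DELETE FROM archive WHERE ts < ?", (cutoff_ts,)).rowcount

if __name__ == "__main__":
    db = build_archive(SAMPLE)
    print(contact_stats(db))
    print(purge_older_than(db, 2500), "rows purged")
```
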