3

Just wondering: is the entire traffic between me and the Jabber server I use encrypted, or only the login and password? Given that the server supports encryption, and my IM client is configured to ask for encryption.

If SSL/TLS encryption is used for all traffic, please tell me which encryption algorithm is usually used (an asymmetric one for key exchange and symmetric encryption for chatting).

Of course I use OTR to make encryption point-to-point, but I am still wondering about SSL/TLS in Jabber/XMPP.

Matthew
MyName

1 Answer

3

Integration of XMPP (the protocol) with SSL/TLS is described in section 5 of RFC 3920. Basically, client and server agree to switch to SSL on the already open connection, and then to SSL/TLS thereafter until the end of the connection. So everything is protected in SSL/TLS, not just the authentication part. All subsequent traffic gets encrypted.

It is still up to the client software to refuse to talk if it tried to use SSL/TLS, and the operation failed (e.g. by lack of a common cipher suite between client and server). If the client software falls back transparently to a non-SSL dialog, then an active attacker can force the client not to use SSL even if it was possible. I strongly hope that your Jabber client is not that bad, though.

(When security is optional, it does not work.)

Tom Leek
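The STARTTLS decision the answer describes, as an added example that is not part of the original post: the client parses the server's stream features, requests TLS only when it is offered, and never falls back to a plaintext dialog when the offer is missing or the server answers `<failure/>`. The sample stanzas are constructed for illustration; no network is used.

```python
"""Client-side STARTTLS policy for XMPP (RFC 3920, section 5).

Constructed sample stanzas stand in for what a server would send on the
still-unencrypted stream; nothing here talks to a real server."""
import ssl
import xml.etree.ElementTree as ET
from typing import Optional

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAM_NS = "http://etherx.jabber.org/streams"

# Constructed <stream:features> replies (not captured from a real server).
FEATURES_WITH_STARTTLS = (
    f"<stream:features xmlns:stream='{STREAM_NS}'>"
    f"<starttls xmlns='{TLS_NS}'><required/></starttls>"
    "</stream:features>"
)
FEATURES_WITHOUT_STARTTLS = (
    f"<stream:features xmlns:stream='{STREAM_NS}'>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>PLAIN</mechanism></mechanisms></stream:features>"
)
PROCEED = f"<proceed xmlns='{TLS_NS}'/>"
FAILURE = f"<failure xmlns='{TLS_NS}'/>"


def server_offers_starttls(features_xml: str) -> bool:
    """True if the server advertised <starttls/> in its stream features."""
    root = ET.fromstring(features_xml)
    return root.find(f"{{{TLS_NS}}}starttls") is not None


def next_step(features_xml: str, tls_reply: Optional[str] = None) -> str:
    """Return the client's action: 'send-starttls', 'wrap-tls' or 'abort'.

    The policy never continues in the clear: a stream without STARTTLS, or a
    <failure/> after requesting it, ends the session. That is what stops an
    active attacker who strips the offer from downgrading the connection."""
    if not server_offers_starttls(features_xml):
        return "abort"
    if tls_reply is None:
        return "send-starttls"
    reply = ET.fromstring(tls_reply)
    if reply.tag == f"{{{TLS_NS}}}proceed":
        return "wrap-tls"
    return "abort"  # <failure/> or anything unexpected: do not fall back


def client_tls_context() -> ssl.SSLContext:
    """Context for wrapping the socket after <proceed/>: verifies the server
    certificate and hostname and refuses pre-1.2 protocol versions."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```

After `next_step` returns `'wrap-tls'`, the client wraps the existing socket with `client_tls_context().wrap_socket(sock, server_hostname=domain)` and restarts the stream over it, so every later stanza, not only authentication, is inside TLS.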