Connection encryption

Ethan Blanton elb at pidgin.im
Fri Nov 14 21:17:31 EST 2014


You asked the same question approximately eight times; I'm going to
answer it once.

steamkey at post.cz spake unto us the following wisdom:
> I just switched from Skype to Pidgin, and I had a question.
> I use XMPP / Jabber with Pidgin. Is my connection fully encrypted? My friend
> list, messages and everything? So users on my network can't spy on me? 
> There's connection security in advanced XMPP account settings. Is that it? 
> Require encryption or use old style SSL. "Require encryption" uses SSL3.0 or
> TLS1.1 / 1.2 and old style SSL uses old SSL?

Yes and no.  If you select "require encryption" in your XMPP account
settings, then your connection is encrypted *from you to the server*.
This says nothing at all about the connections between servers (which
may or may not be encrypted, and you really cannot tell or count on
it) or the connection from the server to any of your buddies (same
story).  So your buddy list will be encrypted, and your status, and
your messages to the server, etc.  However, if, for example, you were
chatting with a user *on the same LAN* (or there was even simply a
user on the same LAN in your buddy list) who didn't use TLS, then that
conversation would be unencrypted on the LAN *from the server to your
buddy*.

In general, you can't assume that TLS protects an XMPP connection in
any meaningful way, except that your authentication will be blinded.
In specific cases, you may be able to make stronger guarantees.

> I know there's an OTR encryption for messages, so my XMPP / Jabber server
> provider, government or anyone else can't read my messages.

OTR would provide guarantees that chats with another OTR-using buddy
were fully encrypted from you to your buddy even if the XMPP
connections from server-to-server or between your buddy and the server
were not.  You still cannot assume that the fact that you are chatting
with a particular user is hidden, but the *contents* of that chat will
be hidden.

Ethan
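
The hop-by-hop versus end-to-end distinction described in the reply above, worked through as an added example (not part of the original post). The three-link topology, the observer names and the `exposure` helper are assumptions made for illustration.

```python
# Added illustration: hop-by-hop TLS vs end-to-end OTR on an XMPP path.
# The topology and observer names below are constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    name: str   # network segment an on-path observer could sniff
    tls: bool   # is this hop wrapped in TLS?


def exposure(links, servers, otr):
    """Return {observer: what it can learn} for one chat message.

    'content'  = the message body is readable
    'metadata' = who is talking to whom is visible
    """
    seen = {}
    for link in links:
        if link.tls:
            seen[link.name] = set()  # sniffer sees only TLS ciphertext
        else:
            # The stanza travels in the clear. OTR still hides the body,
            # but the to/from addresses sit outside the OTR ciphertext.
            seen[link.name] = {"metadata"} if otr else {"content", "metadata"}
    for server in servers:
        # TLS ends at each server, so a server always sees the addresses
        # it routes on, and the body too unless it is OTR ciphertext.
        seen[server] = {"metadata"} if otr else {"content", "metadata"}
    return seen


def path(you_tls, s2s_tls, buddy_tls):
    return [Link("your LAN", you_tls),
            Link("server-to-server", s2s_tls),
            Link("buddy LAN", buddy_tls)]


SERVERS = ["your server", "buddy server"]

if __name__ == "__main__":
    # You require encryption; the other two hops do not use TLS.
    for otr in (False, True):
        print(f"OTR={otr}")
        result = exposure(path(True, False, False), SERVERS, otr)
        for who, what in result.items():
            print(f"  {who:18} {sorted(what) or 'nothing'}")
```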


