Jabber/XMPP is a decentralised instant messaging system built on the open source XMPP protocol. There is no central server that could be compromised; the many independent nodes form a resilient infrastructure that is hard to monitor. Dozens of XMPP servers, encryption and its open source nature make XMPP much harder to wiretap or shut down than the cloud based Google Hangouts, Yahoo Messenger or Skype, all US companies known to have an NSA backdoor.
One of Jabber/XMPP's main weaknesses is that you have to trust the server you are connected to. This is a list of XMPP servers with the best privacy policies:
Calyx Institute: A not for profit privacy and cyber-security foundation running a public Jabber/XMPP server that does not create any records of who you communicate with and does not keep logs of the content of any communications. This server forces you to use OTR (Off-the-Record Messaging), an end-to-end encryption plugin that stops the server administrator from reading the plain text of your conversations.
OpenMailBox: A free privacy email provider that also comes with XMPP; to get the XMPP chat service you have to register for an email account first. The Openmailbox Jabber/XMPP connection is encrypted with Transport Layer Security (TLS), which uses digital certificates and public-key cryptography to set up the encrypted connection. All of this happens in the background and the user does not have to do anything. The downside of this provider is that they don't enforce mandatory encryption in XMPP: you could be chatting in plain text if your contact's server does not support it.
Jabber.at: This XMPP server does keep logs, but I am adding it to the list because they are very clear about this, stating how many days logs are kept for and what they contain. For example, the IP address used to register an account, chat messages and file uploads are all kept for 31 days. The administrator indicates that they are based in Austria and that, under local law, he must and will hand over logs for any crime that carries more than 1 year in prison. A transparency report with the number of court orders received to hand over logs is posted yearly and can be found in the privacy section of the website.
Neko IM: A public XMPP server located in Norway. They claim that no more information is collected and stored than what is absolutely necessary. TLS is enforced everywhere, and Jabber clients need to support a strong cipher or they will not be able to connect to the network. Being a free, volunteer run project, its uptime reflects that, and no guarantee is made about uptime other than "as much as possible".
Countermail: This is a paid service from a Sweden based email privacy company that provides the XMPP server xmpp.counternet.com, with TLS and SSL encryption, to email account holders only. The username and password are randomly generated and you cannot choose your own; however, all XMPP clients support an "alias" or "display name" that you can set manually, and this is what other Jabber users will see.
XMPP servers in Tor
Rows.io: Public XMPP server federated with both Tor and the Internet. It only communicates with other servers over an encrypted connection; if the other server does not support TLS, no connection is possible, which protects the user from sloppy admins who do not take security seriously. This server has a .onion address as well as a public one, sign up can be done anonymously and you can create chatrooms for multi-user chat. Bitcoin donations are accepted but not required.
OTR.im: Free anonymous Jabber service with a Tor hidden node; connections are encrypted with a Let's Encrypt certificate. This XMPP server is fully encrypted and logs are disabled except for error logs. All that the administrator can see is your hashed password, your IP address if you don't use Tor, offline messages, and the destination address if your contact is not online. A detailed explanation of the logs and configuration settings is posted on the site.
SecureJabber.me: The server allows account registration using a form on the website, the Tor hidden node or your Jabber client. Account recovery is not possible if you lose your password, so make sure to use a password manager. Logs are not kept, except for offline messages and the contact list, which every XMPP server has to store. This service is located in Germany; using it for anything that is illegal in Germany could result in your account being blocked.
About Jabber/XMPP security
Any IM client that supports the XMPP protocol can interact with other Jabber users. A few of the best known Jabber compatible clients are Pidgin, Thunderbird and Jitsi, and they can be used for video calls and sending files. Always remember that end-to-end encryption does not mean that your computer's IP address is hidden: Jabber will help protect you from wiretapping with encryption, but the server you use could log what you do, and your contact could find out your home IP if you are not behind a proxy or VPN.
Another benefit of Jabber is that the same username and password can be used to log in to the social network Jappix; unlike Facebook, you don't have to provide your real identity to take part in Jappix. Another way to protect your online privacy is to run your own Jabber/XMPP server with a custom logging policy. It is not hard to set up an XMPP server with a basic understanding of Unix; search for Prosody or Tigase to find XMPP server software to run.
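As an added example (not taken from the article or from any of the servers listed above), here is a minimal Prosody configuration that applies the policies praised in this list to a server you run yourself: mandatory TLS for clients, refusal of unencrypted or unauthenticated server-to-server links, a strong cipher list, and a logging policy limited to warnings and errors. The hostname xmpp.example.org, the admin address, the certificate paths and the one-week archive retention are assumptions chosen for illustration.

```lua
-- Added example Prosody (prosody.im) config; hostname, paths and the
-- retention period are assumed values, not from any server in the list.

admins = { "admin@xmpp.example.org" }   -- assumed admin account

modules_enabled = {
    "roster";        -- contact lists, which every XMPP server has to store
    "saslauth";      -- client authentication
    "tls";           -- STARTTLS for client and server-to-server connections
    "dialback";      -- server-to-server identity verification
    "disco";         -- service discovery
    "carbons";       -- copies of messages to all of a user's devices
    "mam";           -- message archive, with bounded retention (see below)
    "offline";       -- store messages for contacts who are offline
    "ping";
    "pep";
    "vcard4";
    "register";      -- in-band registration, disabled below
}

-- Client connections: refuse plain text entirely.
-- The permissive setting would be `c2s_require_encryption = false`.
c2s_require_encryption = true

-- Server-to-server: a remote server that does not offer TLS cannot connect,
-- and its certificate must also validate (s2s_secure_auth), so a sloppy
-- remote admin cannot downgrade your users' conversations to plain text.
s2s_require_encryption = true
s2s_secure_auth = true

-- TLS parameters: TLS 1.2 or newer and forward-secret AEAD ciphers only,
-- so clients with weak ciphers cannot connect at all.
ssl = {
    key = "/etc/prosody/certs/xmpp.example.org.key";          -- assumed path
    certificate = "/etc/prosody/certs/xmpp.example.org.crt";  -- assumed path
    protocol = "tlsv1_2+";
    ciphers = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5";
}

-- Logging policy: keep only warnings and errors.  Enabling the "debug" or
-- "info" level would record connection details such as client IP addresses,
-- which is exactly what the servers above avoid keeping.
log = {
    warn = "/var/log/prosody/prosody.log";
    error = "/var/log/prosody/prosody.err";
}

-- Archived messages are purged after one week (assumed retention period).
archive_expires_after = "1w"

-- Accounts are created by the admin, not by anyone on the Internet.
allow_registration = false

VirtualHost "xmpp.example.org"   -- assumed hostname
```

With this configuration the server itself still sees who talks to whom while a session is active, exactly as the article warns; only a client-side end-to-end layer such as OTR keeps the message content away from the administrator.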
Sometimes privacy minded individuals set up their own XMPP servers and open them to everybody. Because of the nature of one-person operations, rather than including privacy servers here that have little backing and less chance of long term survival, it is best that you check an updated list of all public XMPP servers at https://list.jabber.at/