Jabber/XMPP is a decentralised instant messaging system built on the open source XMPP protocol. There is no central server that could be compromised; instead, many independent nodes form a resilient infrastructure that is hard to monitor. Dozens of XMPP servers, encryption and the open source nature of the protocol make XMPP much harder to wiretap or shut down than cloud based Google Hangouts, Yahoo Messenger or Skype, all of them USA companies known to have an NSA backdoor.
One of the main weaknesses of Jabber/XMPP is that the server you connect to may not be trustworthy. This is a list of XMPP servers with the best privacy policies:
5th July XMPP: A Swedish privacy foundation promoting free speech worldwide. Among other services they provide an open XMPP server with Off-the-Record Messaging (OTR) support, hosted in Sweden and with logs turned off. They warn that file transfers are not encrypted; only text conversations are.
Calyx Institute: A not-for-profit privacy and cyber-security foundation running a public Jabber/XMPP server that does not create any records of who you communicate with or keep logs of the content of any communications. This server forces you to use OTR (Off-the-Record Messaging), a cryptographic plugin that stops the server administrator from accessing the plain text of your communications.
Jabber.at: This XMPP server does keep logs, but I am adding it to the list because they are very clear about this, stating how many days logs are kept for and what they contain. For example, the IP address used to register an account, chat messages and file uploads are all kept for 31 days. The administrator indicates that they are based in Austria and that under local law he must and will hand over logs for any crime that carries more than one year in prison. A transparency report with the number of court orders received to hand over logs is posted yearly and can be found in the privacy section of the website.
Neko IM: A public XMPP server located in Norway. They claim that no more information is collected and stored than what is absolutely necessary. TLS everywhere is enforced, and Jabber clients need to support a strong cipher or they will not be able to connect. Being a free, volunteer-run project, the server's uptime reflects this, and no guarantee is made about uptime other than "as much as possible".
Countermail: This is a paid service from a Sweden based email privacy company that provides the XMPP server xmpp.counternet.com with TLS and SSL encryption, available only to email account holders. The username and password are randomly generated and you cannot choose your own; however, all XMPP clients support an "alias" or "display name" that you can set manually, and this is what other Jabber users will see.
XMPP servers in Tor
OTR.im: A free anonymous Jabber service with a Tor hidden node, with connections encrypted using a Let's Encrypt certificate. This XMPP server is fully encrypted and logs are disabled, except for error logs. All that the administrator can see is your hashed password, your IP address if you don't use Tor, offline messages, and the destination address if your contact is not online. A detailed explanation of the logs and configuration settings is posted on the site.
SystemLi: A Jabber server managed by an anti-capitalist tech collective. They do not retain any kind of data, and a .onion address is available for those using Tor. To avoid spam accounts, registration is only possible through a web browser.
Kode.im: A public USA based Jabber server with a Tor address and multi-user chat support. The server only allows ciphers with forward secrecy. Logs are kept to a minimum and do not include the IP address history of any user. Accounts are removed after six months of inactivity.
OnionMessenger: A free Android and web based Jabber messenger that uses Tor to communicate with others. It can be used in conjunction with OMEMO and OpenPGP to encrypt the data stored on your device.
About Jabber/XMPP security
Any IM client that supports the XMPP protocol can interact with other Jabber users. A few of the best-known Jabber compatible clients are Pidgin, Thunderbird and Jitsi, and they can be used for video calls and sending files. Always remember, though, that end-to-end encryption does not mean that your computer's IP address is hidden. Jabber helps protect you from wiretapping with encryption, but the server you use could log what you do, and your contact could find out your home IP address if you are not using a proxy or VPN.
Another benefit of Jabber is that the same username and password can be used to connect to the social network Jappix; unlike Facebook, you don't have to provide your real identity to take part in Jappix. Another way to protect your online privacy is to run your own Jabber/XMPP server with a custom logging policy. It is not hard to set up an XMPP server with a basic understanding of Unix; search for Prosody or Tigase to find XMPP server software to run.
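As an added example (not from the original post, and not the configuration of any server listed above), here is a minimal Prosody configuration that applies the policies the list praises: enforced TLS with forward-secrecy ciphers, hashed password storage, error-only logging, short archive retention and no open registration. The domain, certificate paths and log path are placeholders.

```lua
-- Added example: Prosody (0.10+) configuration implementing a minimal-logging
-- policy. example.org, the certificate paths and the log path are placeholders.

authentication = "internal_hashed"   -- store only salted password hashes, never plain text

-- Only error-level messages go to disk; no info/debug lines that carry
-- client IP addresses and JIDs (the pattern OTR.im describes).
log = {
    error = "/var/log/prosody/prosody.err";
}

modules_enabled = {
    "roster"; "saslauth"; "tls"; "dialback"; "disco";
    "carbons"; "pep"; "mam"; "blocklist"; "ping";
}

-- Refuse plaintext client and server-to-server connections (TLS everywhere).
c2s_require_encryption = true
s2s_require_encryption = true
s2s_secure_auth = true      -- peer servers must present a valid certificate

ssl = {
    protocol = "tlsv1_2+";
    -- Only ephemeral (EC)DH key exchange, so every session has forward secrecy;
    -- clients without such a cipher cannot connect, as on Neko IM and Kode.im.
    ciphers = "HIGH+kEECDH:HIGH+kEDH:!PSK:!SRP:!3DES:!aNULL";
}

-- Server-side message archive (MAM): off unless a user opts in,
-- and whatever is stored is purged after one week.
default_archive_policy = false
archive_expires_after = "1w"

-- No in-band registration: accounts are created with `prosodyctl adduser`,
-- which keeps automated spam signups out.
allow_registration = false

VirtualHost "example.org"
    ssl = {
        key = "/etc/prosody/certs/example.org.key";
        certificate = "/etc/prosody/certs/example.org.crt";
    }

-- To offer a .onion address as well, no Prosody change is needed: add
-- "HiddenServicePort 5222 127.0.0.1:5222" to the Tor daemon's torrc.
```

Check the result with `prosodyctl check config` before starting the server; note that the server administrator can still see offline messages and metadata in transit unless clients also use OTR or OMEMO.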
Sometimes privacy-minded individuals set up their own XMPP server and open it to everybody. Because such one-person operations have little backing and a lower chance of long-term survival, instead of including them here it is best that you check an updated list of all public XMPP servers at https://list.jabber.at/