Unified Communications: Information Loss Through the Front Door

No ratings

Presented at ToorCamp 2012 by

Jason Bubolz

Ten years ago instant messaging entered the spotlight as corporate network managers wrestled with the passage of the Sarbanes-Oxley Act and the realization that business was being conducted through a melting pot of protocols and personal Internet identities. Security interest has waned, but the emergence of unified communications product offerings, building next-generation PBX and conferencing solutions on top of the corporate instant messaging backbone, has already increased the deployment of always-on instant messaging and presence clients. While the market is still fragmented between SIP/SIMPLE and XMPP the market is beginning to standardize. Cisco purchased Jabber, Inc. and their current UC solutions offer instant messaging and presence over XMPP. Major public cloud providers such as Google, Apple, and Facebook have chosen XMPP, and the Defense Information Systems Agency (DISA) has made XMPP, and more specifically server-to-server federated XMPP, a requirement for sales of "near-real-time, text-based messaging products" into the US Department of Defense prompting vendors with a SIP/SIMPLE solution to look at gateway solutions. As companies allow instant messaging and presence federation with partners and large public cloud providers what information is being exposed? The XMPP specifications point out security concerns and mitigations for implementers, but a deployment balanced between paranoia and business needs will necessarily leak business sensitive information to the broader federated community. This talk will focus on the mechanics of XMPP, XMPP server to server federation, and the information that is available about users and multi-user chat conversations to a federated partner. We will complete the talk with a short discussion of how the XMPP protocol is used to walk this data and build a picture of topics within a federated domain.