rows.io: A Secure Public Jabber/XMPP Server Federated on Hyperboria, Tor, and The Internet

With Google’s transition away from open federation in favor of “Hangouts”, and with PRISM being all but certain, I decided it was a good time to find an alternative to my Google Talk account. I decided to set up a Jabber/XMPP server that is open for public registration, federates with any XMPP server over the Internet and over Hyperboria, and is also accessible over Tor.

The service is called rows.io (yz6yiv2hxyagvwy6.onion on Tor).

To sign up, simply use any Jabber/XMPP client, like Pidgin, and add an XMPP connection with any [email protected]. Registration is handled in-band, so you can simply check “create this account on the server” and you will have a new @rows.io account.

If connecting over Tor, enter the same info, but specify the connect server as yz6yiv2hxyagvwy6.onion and make sure it’s tunneling over your Tor proxy via SOCKS5.

You’ll then be able to chat with any Jabber/XMPP account over the internet or Hyperboria. And don’t forget to add me: [email protected]

More info at https://rows.io/

Author: Matt Drollette

I am a software developer in Dallas, TX.

12 Comments

  1. What cipher suites does your server support? I would hope your server is only using Ephemeral cipher suites and its own ordering to be considered secure.

    • The supported ciphers as well as other security info are provided on the IM Observatory: http://beta.xmpp.net/result.php?domain=rows.io&type=client

      Note, you’ll need to “show other SRV records” since it defaults to the Hyperboria address which is unreachable over the Internet.

      There is little runtime configuration possible with ejabberd in regards to ssl/tls. I am considering switching to other servers that allow more fine-grained control of these settings.

      • I sniffed the ssl handshake and the server is using tls 1.2. Although my client supports a wide range of Ephemeral cipher suites, the server only gave me TLS_RSA_WITH_AES_256_GCM_SHA_384.
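Added example, not part of the original post or its comments: a Python check for the point raised in this thread, namely whether the suite an XMPP server selects after STARTTLS uses an ephemeral key exchange. The function names are assumptions of this example, and `negotiated_suite` needs network access to port 5222 of the server being checked.

```python
import socket
import ssl

XMPP_TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}  # EDH is OpenSSL's older spelling of DHE


def has_forward_secrecy(suite):
    """True if the suite name (IANA or OpenSSL style) uses an authenticated
    ephemeral key exchange. Static RSA/DH/ECDH and anonymous suites give False."""
    name = suite.strip()
    if name.startswith("TLS_"):
        if "_WITH_" not in name:          # TLS 1.3 name, e.g. TLS_AES_256_GCM_SHA384
            return True                   # TLS 1.3 full handshakes always use (EC)DHE
        kx = name[4:].split("_WITH_")[0]  # e.g. "ECDHE_RSA", "RSA", "DH_anon"
        return kx.split("_")[0] in EPHEMERAL_KX
    return name.split("-")[0] in EPHEMERAL_KX  # OpenSSL name, e.g. ECDHE-RSA-...


def _read_until(sock, done):
    """Read from sock until done(buffer) is true; fail if the peer closes."""
    buf = b""
    while not done(buf):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("stream closed during STARTTLS negotiation")
        buf += chunk
    return buf


def negotiated_suite(domain, host=None, port=5222):
    """Run XMPP STARTTLS (RFC 6120); return (cipher_name, protocol, forward_secrecy)."""
    header = (f"<?xml version='1.0'?><stream:stream to='{domain}' version='1.0' "
              "xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'>")
    with socket.create_connection((host or domain, port), timeout=10) as raw:
        raw.sendall(header.encode())
        _read_until(raw, lambda b: b"</stream:features>" in b)
        raw.sendall(f"<starttls xmlns='{XMPP_TLS_NS}'/>".encode())
        # Wait for the complete <proceed/> element so no XML bytes leak into TLS.
        _read_until(raw, lambda b: b"<proceed" in b and b.rstrip().endswith(b">"))
        ctx = ssl.create_default_context()  # validates the certificate for `domain`
        with ctx.wrap_socket(raw, server_hostname=domain) as tls:
            name, protocol, _bits = tls.cipher()
    return name, protocol, has_forward_secrecy(name)
```

Python reports OpenSSL-style names (for example `AES256-GCM-SHA384`), which is why the classifier accepts both spellings.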

  2. Hello,

    Thank you for the tutorial.

    I cannot create the rows.io account in Pidgin. I can't seem to enable the account and keep getting an “Invalid XMPP ID” error.

    I have Tor installed and have set my proxy settings to 127.0.0.1:9150 via SOCKS v5 and put yz6yiv2hxyagvwy6.onion as the connecting server. I tried both the default port and no port at all.

    Is there something missing?

    Are you able to provide a screenshot?

    Thanks

  3. I find it ironical that you blog on a Tor-enabled Jabber service, yet accessing your page via Tor gets the Cloudflare captcha page.

    • It’s not uncommon for Tor to be used for abuse, rather than for protecting anonymity. Solving a captcha is one way to limit that abuse. I see no problem with that. Also, the jabber service (yz6yiv2hxyagvwy6.onion) and the jabber website (https://rows.io) will not give you a CloudFlare captcha.

  4. Please make more information about your server public:

    1) Privacy policy. What data are collected and why? Data holding/preservation/backup policy and expiration periods. What data are persisted (and can be handed over to three letter agencies under secret warrants, for example).

    2) Server software in use, along with all modules/extensions to support various XEPs. This information is surprisingly hard to come by. As a baseline, please consider the list of XEPs required by Conversations XMPP app. https://github.com/siacs/Conversations

    Thanks!

  5. —–BEGIN PGP MESSAGE—–

    —–END PGP MESSAGE—–

  6. Matt, To decrypt the message above please replace the weird html hyphens enclosing “BEGIN PGP MESSAGE” with five ordinary dashes on each side. You might have to do the same for “END PGP MESSAGE”.
