Security of multi-user chat rooms

In CoyIM 0.4, support was added for XMPP MUC - multi-user chat rooms. Previously, you could only use CoyIM to chat individually to other people, but with MUC, it is possible to join chat rooms where you can have conversations between a large number of people. Since the focus on CoyIM has always been security and privacy, and since one-to-one conversations are always encrypted if possible, it’s important to clarify how MUC rooms handle encryption.

Fundamentally, the XMPP MUC standard does not support end-to-end encryption of content in chat rooms. This means that in order to follow the standard, we can’t actually encrypt the content of these rooms - that would make it impossible to use CoyIM to take part in chat rooms with people from other clients. Additionally, no good standards exist for how to create group chat with the same security properties as those that CoyIM can provide in conversations using OTR. Simply put, end-to-end encrypted group chat is actually a very hard problem. But since MUC is such a useful feature, we decided to add it as is. But when using chat rooms, you need to remember that these conversations are not protected end-to-end. Instead, the only protection you will have is from the transport security. The server will see everything that people say in a room, for example. For this reason, CoyIM will always warn you about these security properties when entering a room. It could be easy to forget it, otherwise.

XMPP chat rooms also include other features that might have an impact on your privacy and security. One such is that of public logging. Since the server can always see what is going on in a room, it is theoretically possible for the server to publish that information without any say from the users. But the MUC standard also contains a specific configuration requesting that rooms be publicly logged. If this setting is turned on, it is likely that the server will make logs of conversation available on a website. So, CoyIM will also warn you if you are about to enter a room with the setting turned on.

Finally, XMPP chat rooms use the concept of nicknames, so that when you enter a room, you will also choose a nickname which others will see and refer to you by. This nickname can be anything, and doesn’t have any real relationship with your account identifier. In general, people in a room will only see your nickname. They won’t be able to see the real account for that nickname, which gives you a measure of anonymity. However, moderators in a room can always see the real account identifier for you. And a standard setting for chat rooms also makes it possible for anyone in the room to see your real account identifier. Since this is another one of those settings that can compromise your privacy and security, CoyIM will warn you about it before entering a room with this setting.

Overall, the security of XMPP chat rooms is not at the same level as that of one-to-one conversations. It is strongly recommended that you are aware of these issues before you start using chat rooms - especially if you are involved in sensitive issues. Consult your threat model to figure out the right way of handling this situation.