I’ve run into some confusion over the distinction between encrypted chat sessions and OTR chat sessions. I am running Openfire 3.4.3 with the following “Server Settings: Security Settings”:
Client Connection Security: Custom: Old SSL Method “not available”, TLS method “required”
Server Connection Security: Required (though we don’t run federated Openfire servers)
My understanding is that these settings should mean that all connections between clients and the Openfire server are encrypted. Thus, an eavesdropper on the network cannot see the contents of the chat sessions. An eavesdropper on the Openfire server itself can see the contents, however.
On the other hand, using OTR between two clients would mean the connection between the clients is encrypted end-to-end. Thus, an eavesdropper on the network or at the Openfire server cannot see the contents of the chat sessions.
Are these points correct?
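The distinction described in the post above, as an added example that is not part of the original post: a check of what an XMPP server advertises for STARTTLS, and of what it can read in a message once it has terminated TLS. The sample stanzas, the addresses and the function names are constructed for illustration; the `?OTR:` prefix and trailing `.` are how OTR marks its encoded messages.

```python
import xml.etree.ElementTree as ET

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
CLIENT_NS = "jabber:client"

# Constructed samples (not captured from a real server).
FEATURES_REQUIRED = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    f"<starttls xmlns='{TLS_NS}'><required/></starttls>"
    "</stream:features>"
)
MSG_PLAIN = (
    f"<message xmlns='{CLIENT_NS}' to='bob@example.org' type='chat'>"
    "<body>lunch at noon?</body></message>"
)
MSG_OTR = (
    f"<message xmlns='{CLIENT_NS}' to='bob@example.org' type='chat'>"
    "<body>?OTR:AAMDQ09OU1RSVUNURUQ=.</body></message>"
)

def starttls_policy(features_xml):
    """Return 'required', 'optional' or 'absent' for a <stream:features/> element."""
    root = ET.fromstring(features_xml)
    starttls = root.find(f"{{{TLS_NS}}}starttls")
    if starttls is None:
        return "absent"
    required = starttls.find(f"{{{TLS_NS}}}required")
    return "required" if required is not None else "optional"

def server_view(message_xml):
    """Classify the <body/> as the server sees it after TLS is terminated.

    TLS only protects each client-to-server hop, so the server handles the
    stanza in the clear. OTR encodes the body only; the to/from routing
    attributes stay readable by the server either way.
    """
    body = ET.fromstring(message_xml).findtext(f"{{{CLIENT_NS}}}body") or ""
    if body.startswith("?OTR:") and body.endswith("."):
        return "otr-encoded"      # base64 OTR message, opaque to the server
    if body.startswith("?OTR"):
        return "otr-control"      # query or error text used to set up OTR
    return "plaintext"            # readable on the server

if __name__ == "__main__":
    print(starttls_policy(FEATURES_REQUIRED))
    print(server_view(MSG_PLAIN), server_view(MSG_OTR))
```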