I see that there are some old messages from a few years ago regarding encryption of file transfers through openfire.
However, there doesn’t seem to be any recent news on this front.
Are file transfers still unencrypted? I believe Spark/Openfire use Socks5 proxy for file transfers (port 7777).
I know that OTR doesn’t support end to end file transfer encryption (only chat), but I believe there are 2 possible ways around this:
Enable SSL/TLS on the socks server at port 7777 on the opnefire server (is this possible?).
Take advantage of XTLS and incorporate it into openfire and smack, like Gajim has done with its jinlge encrypted file transfer.
Solution 1 may be the easiest to implement although not totally secure since the server can always intercept the files. Still, it is much better than having your sensitive files transit in clear text through the internet.
Solution 2 would be ideal since it allows for end to end encryption with no worries about MiTM.
Anyone know what the status and/or plans are in this regard? I really love openfire and smack but, for me, secure file transfers are a must.
It doesn’t make much sense to encrypt chat but leave file transfers in the clear.
Yeah, I completely understand you’re short on developers.
Unfortunately my programming skills suck so I can’t really help out much beyond the conceptual ideas of how to implement it.
Since I believe that file transfer encryption is a must have feature for any serious user of openfire (specially the business segment), I still think this should be bumped up on the priority list.
I see there are similar messages in the forum from 2009 but there doesn’t seem to be any progress at all in this field.
I think that a workable temporary solution may be achieved by using Stunnel or something similar to encrypt (through TLS) the file transfer proxy on port 7777. Better yet would be a built in openfire option to force all file transfer traffic through a TLS proxy, much like you already do with XMPP messages.
Has anyone tried this yet, or does anyone have experience playing with this or a better suggestion?
To bump anything on a priorities list, this list should exist in the first place. As there is almost zero developers working actively on Spark, there is no priorities, especially for new/complex features. Only a few bugs are fixed from time to time.