Questions regarding Openfire, mainly regarding security


I work for a not for profit orginization and the IT dept is looking for something to use in the office for text communication and are considering Openfire. Before we can use it the security admin wanted to now a few things about it and despite my best effort I am having trouble finding those answers.

Does open fire allow for full encryption? We cant have any clear text passing through.

Can all communication be logged?

Does it allow file xfer, and if so can that be disabled?

Does the application receive timely updates to vulnerabilities?

openfire can be configured to require encryption during transport to and from the server.

Communication can be logged using the monitor plugin.

file xfer is usually a client p2p type protocol…so blocking this may not be achievable

openfire devs do a great job at updating and patching. having said that, please keep in mind this is an opensource project. The devs have regular jobs, and the devs volunteer time when they can.

Hey Charles,

I am still learning a lot about how the Spark client works but I will tell you what I understand.

Spark does allow for encryption and for logging of conversations. However I have not used either in my environment, so unfortunately, I’m not sure about the details.

File transfers can be disabled through the Administrator console.

As far updates goes I am not really sure how often there are security updates. I know that it seems like the jump from Version 2.6 to 2.7 was very quick. My understanding is that everything is done from volunteers working on their own time, so time frames can vary i suspose.

Like I said I am very new to the community and the Spark client as a whole, but it is becoming a very handy for our organization!

I hope that helps


Thanks for getting back to me so quickly. Do you know if it supports credentialing?

yes…you can use an internal database for credentials, or tie it to your current ldap/ad

Does it allow file xfer, and if so can that be disabled?

Does the application receive timely updates to vulnerabilities?

As someone mentioned, if you use Spark as a client you can disable file transfers with Client Control plugin.

There are many filed (and probably many unfiled) security vulnerabilities in the bug tracker. Almost all of them (if not all) refer to CSS, XSS and that kind of holes in the Admin Console. So, unless your admin is browsing fishy pages while having Admin Console opened, then it is a minor vulnerability. Also, using it inside the organization only should lower the chance of being hit by that. But in general, yes, it is a volunteers-only project and if something critical pops up, it can take some time to get fixed.