Originally Posted by ElGatoFlojo:
So, I have a question that I'm guessing you guys would be able to answer. For years I've avoided Jabber to IM services simply for two reasons. One, the jabber server will now have my IM password for whichever services I use (Yahoo, MSN, etc.), and two, that it's now in the position to sniff all of my traffic as well. Now I realize that when I'm sitting in a coffee shop on wifi said sniffing can occur. But it always bothered and greatly concerned me to have a jabber server in the middle like that. I've done security for a long time and never imagined inviting someone to be the 'man in the middle' attack.

I also realize that all of the major services probably keep logs of all the chats as well. But still, it just seems a bad idea to readily give up my passwords to something like this. Or am I missing the point?
I'd say you take IM far too seriously if you actually worry about stuff like that, but I can understand your concern.

Secondly, if you don't think there's already a "man in the middle" when you're connected to AIM, MSN, and others "directly", you're just fooling yourself... unless your packets take only one hop to reach their servers. If you're that worried about something like a man in the middle attack on an IM session, well, you'd better turn off your PC.

I can't offer you much else here except for my word, which is most likely worthless to you, but I'll give it to you anyways.

Yes, your IM passwords are stored on the server so that the gateways can connect you to your IM services. No, they are not stored in plain-text, but as an encrypted hash in a private MySQL database. As the admin, I can change the password you told the IM gateway to use to connect to your service, but I cannot retrieve the original unencrypted password. We offer encrypted connections to the Jabber server.

As far as sniffing your traffic is concerned, the Jabber server offers (as most others do) various levels of logging. Warnings, errors and general info (so-and-so connected) are logged by default by the Jabber server. Another level, debug, is also available, which shows (as far as I know) all traffic being sent in and out of the Jabber server in plain text.

Yes, this includes any and all messages that happen to be flying by (and is the only logging level to do so).

Because of the huge volume of data that's generated by debug logging, it is off by default and remains off unless I need to figure out why something isn't working, during which times I turn it on for small bursts while I test (such as the possible Yahoo message problem we might currently be having). With 138 users, around a third of which are active at any given time, it's pretty much the only way I can do any debugging on our side. (I'm not going to totally shutter the service while I do that.)

I assure you, I'm really not interested in what you ate for dinner, what your mom thinks was the reason the Raiders lost on Monday night or if you think Bush is an ******* and I'm certainly not interested enough to sit there reading debug logs all day to find out. (And if you're sending anything more sensitive than that over IM, you might as well not worry about me intercepting anything because it's clear that you just don't care about what you're sending anyways.)

(In the interest of being open with you, the Jabber server that Jablet runs on is Openfire 3.4.1 with IM Gateway 1.2.0. Take a look at the code if you're interested.)

But, of course, I'm just another nameless faceless internet user that you don't know swearing to never do anything bad with your data. I don't blame you if you feel you can't trust me and that's fine. I can't promise you that your traffic could never be sniffed once it leaves my servers either. All I can give you is the choice to use it or not.

If you have any other questions or concerns, feel free to ask me at any time, either here or by e-mail and I'll be happy to answer.

(And just so that I'm not quite as nameless and faceless, that's my face used as my profile picture here, and let's sign this with my real name too.)

- Jason Carter

Last edited by zerojay; 2007-11-21 at 19:06.