The only way in the current XMPP spec (RFC 6120) to establish a secure connection
with an XMPP server is StartTLS: the client opens a cleartext stream, the server
advertises a <starttls/> feature, and the client then upgrades the connection.
Unfortunately, there is no way for the server to enforce a policy of
mandatory TLS connections that the client can rely on, because a MiTM can simply
strip the <starttls/> feature (and its <required/> child) out of the stream
features before they reach the client, speaking TLS to the real server while
presenting a plain cleartext stream to the client.
So, secure connections in XMPP rely entirely on the client's settings. A
setting of 'try encryption, but fall back to cleartext' is not advisable,
because a MiTM defeats it simply by making the server appear not to offer
TLS at all. Thunderbird removed this StartTLS setting for exactly this reason,
after numerous cases where this attack came to light in the real world.
How this relates to jitsi:
As far as I can tell from my tests, the setting in jitsi is exactly
this: 'try starttls, fallback to cleartext'. This is particularly
problematic because there is no way to configure jitsi to require
encryption. The result is that it is currently impossible to ensure a
secure XMPP connection in jitsi.
(1) The default setting for XMPP starttls should be 'require
encryption'. The authentication stanza should NOT be sent before TLS has
(2) If you must, add the option to totally disable XMPP connection
encryption. At most, there should be two options: "encryption required"
and "encryption disabled" -- again, because "try encryption" is so
easily thwarted as to be effectively meaningless.
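To make the stripping attack and the proposed two-option policy concrete, here is an added example (not Jitsi's code, and not part of the original report) of the client-side decision a StartTLS-capable client has to make after reading the server's <stream:features/>. The two server responses are constructed samples: one from an honest server that marks TLS as required, and one as a MiTM would rewrite it, with <starttls/> removed and a cleartext SASL offer put in its place. The policy names "require", "opportunistic" and "disabled" are this example's own labels for the three settings discussed above.

```python
"""Client-side StartTLS policy check for an XMPP stream.

Added example for this report, not Jitsi's own code.  It parses the
<stream:features> element a server sends after the stream header and
decides what the client may do next under a given policy.  The server
responses below are constructed samples, not captures from a real server.
"""
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed sample: what an honest server advertises before TLS
# (RFC 6120 section 5.4.1).  Note <required/>: the server insists on TLS.
HONEST_FEATURES = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    '<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>'
    '</stream:features>'
)

# Constructed sample: the same stream after a MiTM has stripped the
# <starttls/> feature and injected a cleartext SASL offer instead.
STRIPPED_FEATURES = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
    '<mechanism>PLAIN</mechanism>'
    '</mechanisms>'
    '</stream:features>'
)


def parse_features(xml_text):
    """Return (starttls_offered, starttls_required, sasl_offered)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}features" % NS_STREAM:
        raise ValueError("not a stream:features element")
    tls = root.find("{%s}starttls" % NS_TLS)
    offered = tls is not None
    required = offered and tls.find("{%s}required" % NS_TLS) is not None
    sasl = root.find("{%s}mechanisms" % NS_SASL) is not None
    return offered, required, sasl


def next_step(xml_text, policy, tls_active=False):
    """Decide the client's next action from the advertised features.

    policy is one of:
      "require"       - the recommended default: never authenticate in cleartext
      "disabled"      - the only other option worth offering
      "opportunistic" - 'try StartTLS, fall back to cleartext' (what the report
                        says Jitsi does today); shown here only to illustrate
                        why it is worthless against a MiTM
    Returns "starttls", "authenticate" or "abort".
    """
    offered, required, sasl = parse_features(xml_text)
    if tls_active or policy == "disabled":
        # Either the channel is already encrypted, or the user explicitly
        # accepted cleartext: SASL is the only thing left to do.
        return "authenticate" if sasl else "abort"
    if offered:
        return "starttls"
    # No <starttls/> in the features: either the server really has no
    # TLS, or a MiTM removed it.  The client cannot tell which.
    if policy == "require":
        return "abort"
    if policy == "opportunistic":
        # Falls through to cleartext SASL: credentials go to the attacker.
        return "authenticate" if sasl else "abort"
    raise ValueError("unknown policy %r" % (policy,))


if __name__ == "__main__":
    for name, feats in (("honest", HONEST_FEATURES), ("stripped", STRIPPED_FEATURES)):
        for policy in ("require", "opportunistic", "disabled"):
            print("%-8s %-13s -> %s" % (name, policy, next_step(feats, policy)))
```

The important row is the stripped stream under "opportunistic": the client sees no <starttls/>, shrugs, and sends PLAIN credentials to whoever is in the middle. Under "require" the same stream aborts before any authentication stanza is written, which is the behaviour the first recommendation asks for.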