To answer this question, I have to write a bit more about cybersecurity.
First, no system is 100% safe. Even a system that is not connected to the Internet, locked in a room with a fingerprint sensor for login, can be hacked. It's all just a matter of time and effort.
Hacking a system is quite easy if you know how. The weakest part is always the person who works with those systems. You know far more about a friend than about a stranger, and if you want to hack a friend's Facebook account you may well succeed if the security questions are things like "What was your mother's maiden name?" or "What brand was your first car?". Even Facebook's "Write down the names of these friends" check can be solved if you know the person and their friends well enough. That's called "social engineering".
But even without social engineering it's not very difficult to crack a system and gain access. Read the news: Heartbleed, POODLE, the NSA and so on. If someone really wants to find a way, there will be one. Generate a 100-digit password with upper and lower case letters, numbers and special characters like "!%$&": even this is crackable with the so-called "brute force" attack. Brute force simply tries all possible combinations until it finds the right password. This can take years, decades or centuries, but the success rate is 100%. And we all know PCs are getting faster and faster.
But now back to the question: "How safe is IAF?"
It's as safe as it can be. IAF uses SSL with a certificate that has a very large key (4096 bits) to encrypt the HTTPS and Jabber traffic. The mail server also uses such a certificate. The passwords of your accounts are hashed and salted (I'll explain this later).
It's all about time and effort. That means: IAF is encrypted, but every encryption, every password and every key can be decrypted or cracked. But why should anyone do this? If you choose a long password, a brute force attack may need 10 years to break it. Why should anyone invest 10 years (or a few million dollars for a server farm to bring that down to maybe 6 months) just to break into the email account of a private person and read casual mails? I am hosting mail for "normal people"; I provide a mail service for "casual chatting".
IAF provides very good security: encrypted connections, encrypted storage, and if you use OTR while chatting, that's a plus for security. Yes, the IAF.org server faced a few attacks in the past, but most were casual attacks by China bots trying to find an open FTP account or an unsecured FTP account.
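The two ideas above, "hashed and salted" passwords and the time a brute force attack needs, can be shown concretely. The following is an added example written for this page; it is not IAF's own code, and the salt length, iteration count and guess rate are assumed values chosen for illustration. It stores a password as a salted, iterated PBKDF2-SHA256 record, verifies a login attempt against that record, and estimates the worst-case time to enumerate every password of a given length and alphabet.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not IAF's actual settings).
SALT_BYTES = 16          # a fresh random salt is generated per account
ITERATIONS = 200_000     # key-stretching rounds: makes every guess cost this much work
SECONDS_PER_YEAR = 365 * 24 * 3600


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'.

    The salt is stored next to the hash on purpose: it is not a secret, it only
    guarantees that two users with the same password get different hashes and
    that a precomputed table of hashes cannot be reused across accounts.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def brute_force_years(length: int, alphabet_size: int,
                      guesses_per_second: float) -> float:
    """Worst-case years to try every password of `length` symbols from an
    alphabet of `alphabet_size` symbols at `guesses_per_second` (assumed rate)."""
    combinations = alphabet_size ** length
    return combinations / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("right password accepted:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", not verify_password("password123", record))
    # Same password twice -> different records, because each gets its own salt.
    print("salts differ:", hash_password("same") != hash_password("same"))
    # 8 digits vs. 12 characters from a 95-symbol keyboard alphabet at an assumed 1e9 guesses/s.
    print("8 digits, years:", brute_force_years(8, 10, 1e9))
    print("12 printable ASCII chars, years:", brute_force_years(12, 95, 1e9))
```

The iteration count is the lever the server operator controls: raising it makes each guess proportionally more expensive for an attacker who has obtained the hash file, while the user only pays that cost once per login. Password length and alphabet size are the lever the user controls, and the exponent in `alphabet_size ** length` is why a longer password helps far more than a more exotic one.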
My suggestion to you is:
- Use Pidgin together with OTR or PGP
- Use Tor