On 7/12/13 10:51 PM, Steffen Larsen wrote:
> Hi Peter! :-)
>
> On Jul 13, 2013, at 4:23 AM, Peter Saint-Andre <[email protected]> wrote:
>
>> Hi Matthew! :-)
>>
>> On 7/12/13 5:34 PM, Matthew Wild wrote:
>>> On 12 July 2013 22:06, Peter Saint-Andre <[email protected]> wrote:
>>>> Really it's a crime that we don't have ubiquitous s2s and
>>>> e2e encryption by now
>>>
>>> As you may know, we thought very seriously about making the
>>> default behaviour for the next release of Prosody to require
>>> trusted and valid certificates on all s2s connections.
>>> Ultimately we decided against it, for now. But I remain
>>> optimistic that we shall do so in a future version (perhaps
>>> after making a POSH verification module available).
>>
>> Sounds good. I do think we're making progress, although I'm
>> frustrated that it's as slow as it is.
>
> +1 even though I do nothing myself, so I can blame myself as
> well. :-) How can I actually help out? Reading up on POSH and
> friends?
>
>>>> but I suppose in fairness to us these are hard problems...
>>>
>>> Name another protocol as widespread as XMPP that has solved
>>> them so far...? :)
>>
>> True.
>>
>>> At least I think we're on the right track, but with things
>>> like this I think it takes baby-steps. We have come a long
>>> way, many clients and servers require encryption on c2s now
>>> which simply wasn't true a few years ago.
>>
>> Yes, I am hoping / planning to do that at jabber.org before too
>> much more time goes by. But one thing at a time.
>>
>>> PS. Anecdotal, but currently on my server:
>>>
>>> 40 "secure" incoming s2s connections (trusted+valid certificate)
>>> 37 encrypted with invalid/self-signed certificates
>>> 10 not encrypted at all
>>>
>>> 3 of the unencrypted connections are from the personal
>>> servers of prominent members of the XMPP community (you
>>> [hopefully] know who you are). A further 2 are domains I'm
>>> responsible for (and a server upgrade is already scheduled to
>>> fix them), the remaining ones are gmail.com and Google-hosted
>>> domains.
>>
>> Hmm, those prominent members of the XMPP community need to get
>> their act together. ;-)
>>
>> In general, one thing that might help is a very clear HOWTO on
>> certificate provisioning, installation, and testing. That way,
>> when more domains start requiring secure s2s we'll have a friendly
>> manual at which we can point operators.
>
> Good idea. It's easy to set up XMPP servers, but certificates etc.
> are always a pain in the b...

Yes, and it's a PITA that I need to fumble with my keys in order to
walk into my house. Security isn't easy. :-)

I do think that a friendly XMPP-certificates HOWTO would help.

>> Also helpful might be an automated service (xmpp.net?) that would
>> give you a report about your domain's s2s security status, if you
>> opt in of course.
>
> +1 That would be cool!

OK, that sounds like a fun project. ;-)

Peter

--
Peter Saint-Andre
https://stpeter.im/
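The "testing" step of the certificate HOWTO and the core of the opt-in s2s status report discussed in this thread, written out as an added example (not code from the thread, from Prosody, jabber.org or xmpp.net). It performs the XMPP server-to-server STARTTLS exchange from RFC 6120 on port 5269 (the SRV lookup is deliberately skipped, an assumed simplification), first with full chain and hostname verification and, if that fails, once more without verification, and sorts the result into the three buckets of Matthew's anecdote: secure (trusted and valid certificate), encrypted with an untrusted or invalid certificate, or not encrypted at all. The probing origin name `probe.example` and the helper names are assumptions.

```python
"""Probe an XMPP domain's server-to-server (s2s) TLS posture.

Added example for the thread above; not code from Prosody, jabber.org or
xmpp.net. Speaks the s2s STARTTLS exchange from RFC 6120 on port 5269
(SRV lookup omitted, an assumed simplification) and classifies the outcome
into the three buckets used in the thread's anecdote.
"""
import socket
import ssl
import sys

S2S_PORT = 5269  # well-known XMPP s2s port; SRV records deliberately not consulted
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

SECURE = "secure"                          # trusted + valid certificate
ENCRYPTED_UNTRUSTED = "encrypted-untrusted"  # TLS works, chain/hostname check fails
UNENCRYPTED = "unencrypted"                # no STARTTLS offered or TLS cannot be set up


def stream_header(domain, origin="probe.example"):
    """Stream open from the probing server to `domain` (RFC 6120 s2s stream)."""
    return ("<?xml version='1.0'?>"
            "<stream:stream xmlns='jabber:server' "
            "xmlns:stream='http://etherx.jabber.org/streams' "
            f"from='{origin}' to='{domain}' version='1.0'>")


def offers_starttls(features_xml):
    """True if the peer's <stream:features> advertises STARTTLS."""
    return "<starttls" in features_xml and TLS_NS in features_xml


def classify(starttls_offered, tls_ok, verified):
    """Map a probe outcome onto the anecdote's three buckets."""
    if not starttls_offered or not tls_ok:
        return UNENCRYPTED
    return SECURE if verified else ENCRYPTED_UNTRUSTED


def _recv_until(sock, marker, limit=65536):
    """Read from `sock` until `marker` appears, EOF, or `limit` bytes."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode("utf-8", "replace")


def _handshake(domain, ctx, timeout):
    """One connection: stream open, STARTTLS request, TLS handshake under `ctx`.

    Returns (starttls_offered, tls_ok). Network errors propagate as OSError.
    """
    with socket.create_connection((domain, S2S_PORT), timeout=timeout) as raw:
        raw.sendall(stream_header(domain).encode())
        features = _recv_until(raw, b"</stream:features>")
        if not offers_starttls(features):
            return False, False
        raw.sendall(f"<starttls xmlns='{TLS_NS}'/>".encode())
        if "<proceed" not in _recv_until(raw, b"/>"):
            return True, False  # peer answered <failure/> or something else
        try:
            with ctx.wrap_socket(raw, server_hostname=domain):
                return True, True
        except ssl.SSLError:  # includes SSLCertVerificationError
            return True, False


def probe(domain, timeout=10):
    """Return SECURE, ENCRYPTED_UNTRUSTED or UNENCRYPTED for `domain`'s s2s port."""
    strict = ssl.create_default_context()  # system trust store + hostname check
    offered, ok = _handshake(domain, strict, timeout)
    if ok:
        return SECURE
    if not offered:
        return UNENCRYPTED
    # STARTTLS was offered but verification (or the handshake) failed: retry
    # without verification to distinguish "bad certificate" from "no TLS at all".
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    _, ok = _handshake(domain, lax, timeout)
    return classify(True, ok, False)


if __name__ == "__main__":
    print(probe(sys.argv[1]))
```

Run it as `python s2s_probe.py yourdomain.example` against a domain you operate; a result other than `secure` is exactly the condition a server that requires trusted and valid certificates on s2s would refuse. The two-pass design matters for the report: a single verifying handshake cannot tell an expired or self-signed certificate apart from a peer that does not speak TLS, and operators need to know which of the two they have to fix.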
