On 28 aug. 2013, at 18:33, Peter Saint-Andre <stpe...@stpeter.im> wrote:
> On 8/28/13 10:28 AM, Matthew Wild wrote:
> > On 28 August 2013 17:14, Simon Tennant <si...@buddycloud.com> wrote:
> >> I'm attempting to gather the details in one place on how to
> >> secure XMPP servers C2S and S2S traffic:
> >>
> >> http://wiki.xmpp.org/web/Securing_XMPP
> >
> > Only feedback so far: you might want to clarify the "single
> > domain"/"multiple domain" thing - DANE is not a requirement for
> > securely hosting multiple domains on a single server. I think that
> > might confuse people.
>
> It's a wiki. Feel free to edit. I plan to. :-)
>
> But yes, you don't need DNSSEC to handle multiple domains. In fact if
> you host just a few domains you could potentially get proper certs for
> all of them. It's when you host a lot of domains that you need some
> other solution. DANE/DNSSEC is great for that, or will be when it is
> more generally available, but IMHO we might need to wait *years* for
> that to happen. Thus the work we've been doing on POSH as an interim
> solution:
>
> http://datatracker.ietf.org/doc/draft-miller-posh/
>
> See also the domain name associations spec:
>
> http://datatracker.ietf.org/doc/draft-ietf-xmpp-dna/
>
> Matt Miller and I plan to update both of those by the end of next week.
>
> Peter

Hello!

Not completely unrelated to this topic, the past couple of days I've been working on a tool to test the encryption settings of XMPP servers, similar to the test offered by ssllabs. It applies the same grading algorithm as ssllabs and I'm working on adding all the warnings and diagnostics provided by that test, and some more specific to XMPP.

The tool itself can be found here: https://bitbucket.org/xnyhps/xmppoke

But it is still rather unpolished.

I have used it to test the encryption used by the list of servers on xmpp.net and published those reports:

c2s:
https://blog.thijsalkema.de/blog/2013/08/26/the-state-of-tls-on-xmpp-1/
https://xnyhps.nl/~thijs/xmppoke/2013-08-26/scores.html

s2s:
https://blog.thijsalkema.de/blog/2013/08/28/the-state-of-tls-on-xmpp-2/
https://xnyhps.nl/~thijs/xmppoke/2013-08-28/scores.html

Conclusions are that many offer weak encryption. SSLv2 was deprecated before the first Jabber server was written and is known to be badly broken. Many servers offer DES, or even EXPORT DES, which can be cracked in seconds nowadays. Nearly all servers respect the client's ordering of ciphers, meaning a badly configured client can end up using those ciphers (and yes, I know Adium is not free of blame here).

The script tries to determine the cipher a specific client will use, though this should be taken as an estimation. Specific versions of other components might influence the results too (version of OpenSSL/NSS/etc. installed).

While I think offering this as a website like https://ssllabs.com is a great option, setting that up securely would be a bit more work than I'm willing to put into that. The script can take a couple of minutes to run (it has to open around 30 connections) and with SRV records potentially pointing at any port on any server, this would be open to abuse. So for now I can test a server manually and publish the report, I will try to scan the xmpp.net list every couple of months and those that want to can grab the code themselves.

I hope this helps!

Regards,
Thijs
_______________________________________________
JDev mailing list
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: jdev-unsubscr...@jabber.org
_______________________________________________
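The three checks Thijs's message describes (does the server offer STARTTLS, which cipher does a given client actually end up with when the server respects the client's ordering, and how does that translate into an ssllabs-style grade) can be modelled offline. The block below is an added example, not code from the original post or from xmppoke; the stream-features payloads, the cipher table and the scoring weights are constructed for illustration and only approximate the SSL Labs scheme the post refers to.

```python
"""Added example: simulate what an XMPP TLS scanner has to reason about.

Not code from the original post or from xmppoke. All inputs below are
constructed, and the scoring weights are an assumption modelled on the
SSL Labs rating guide, not a copy of it.
"""
import xml.etree.ElementTree as ET

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_STREAM = "http://etherx.jabber.org/streams"

# Constructed <stream:features/> payloads, as a server sends them after the stream header.
FEATURES_TLS_REQUIRED = (
    f"<stream:features xmlns:stream='{NS_STREAM}'>"
    f"<starttls xmlns='{NS_TLS}'><required/></starttls></stream:features>"
)
FEATURES_TLS_OPTIONAL = (
    f"<stream:features xmlns:stream='{NS_STREAM}'>"
    f"<starttls xmlns='{NS_TLS}'/></stream:features>"
)
FEATURES_NO_TLS = f"<stream:features xmlns:stream='{NS_STREAM}'/>"


def starttls_offer(features_xml):
    """Return 'required', 'optional' or None for the STARTTLS stream feature."""
    root = ET.fromstring(features_xml)
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    if starttls is None:
        return None
    required = starttls.find(f"{{{NS_TLS}}}required") is not None
    return "required" if required else "optional"


# Constructed cipher table: OpenSSL suite name -> symmetric key strength in bits.
CIPHER_BITS = {
    "ECDHE-RSA-AES256-GCM-SHA384": 256,
    "AES128-SHA": 128,
    "RC4-SHA": 128,
    "DES-CBC-SHA": 56,        # single DES
    "EXP-DES-CBC-SHA": 40,    # export-grade DES
}

# Assumed protocol scores (SSLv2 counts for nothing).
PROTOCOL_SCORE = {"SSLv2": 0, "SSLv3": 80, "TLSv1": 90, "TLSv1.1": 95, "TLSv1.2": 100}


def negotiate(server_ciphers, client_ciphers, server_preference):
    """Cipher a server selects for one ClientHello.

    A server honouring its own order walks its configured list and takes the
    first suite the client also offered. A server that respects the client's
    ordering (the common case in the post) walks the client's list instead,
    so a client that lists EXPORT DES first gets EXPORT DES.
    """
    if server_preference:
        first, second = server_ciphers, client_ciphers
    else:
        first, second = client_ciphers, server_ciphers
    for suite in first:
        if suite in second:
            return suite
    return None


def cipher_score(bits):
    """Assumed cipher-strength score for one suite."""
    if bits == 0:
        return 0
    if bits < 128:
        return 20
    if bits < 256:
        return 80
    return 100


def kx_score(bits):
    """Assumed key-exchange score for the server's key size."""
    thresholds = [(512, 20), (1024, 40), (2048, 80), (4096, 90)]
    if bits == 0:
        return 0
    for limit, score in thresholds:
        if bits < limit:
            return score
    return 100


def rate(protocols, ciphers, kx_bits):
    """Overall score and letter grade for a server.

    Protocol and cipher scores average the best and worst supported item, so
    one leftover SSLv2 or EXPORT suite drags the grade down even when strong
    options are also offered. Weights (30/30/40) are an assumption.
    """
    proto_scores = [PROTOCOL_SCORE[p] for p in protocols]
    proto = (max(proto_scores) + min(proto_scores)) / 2
    cipher_scores = [cipher_score(CIPHER_BITS[c]) for c in ciphers]
    cipher = (max(cipher_scores) + min(cipher_scores)) / 2
    score = (3 * proto + 3 * kx_score(kx_bits) + 4 * cipher) / 10
    for floor, letter in [(80, "A"), (65, "B"), (50, "C"), (35, "D"), (20, "E")]:
        if score >= floor:
            return score, letter
    return score, "F"


if __name__ == "__main__":
    print(starttls_offer(FEATURES_TLS_REQUIRED))
    legacy = ["SSLv2", "SSLv3", "TLSv1"]
    print(negotiate(list(CIPHER_BITS), ["EXP-DES-CBC-SHA", "AES128-SHA"], False))
    print(rate(legacy, list(CIPHER_BITS), 1024))
```

Running it shows the effect the post warns about: against a server that takes the client's order, a client listing EXP-DES-CBC-SHA first negotiates export DES, while the same server with its own preference enabled picks AES128-SHA; and a server that still speaks SSLv2 and offers 40-bit suites rates a C even though it also has an AES-256 GCM suite.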