On Thu, Nov 7, 2013 at 12:47 PM, Alexander Holler <[email protected]> wrote:
> I didn't speak about production environments. The manifesto affects all
> users and a lot of them don't (have to) care about production environments.

By users we mean end-users, i.e., users on your server?

I think client platforms quite clearly count as production environments - they are in production - but luckily consumer-grade operating systems generally keep themselves up to date. If you've a particular platform that concerns you, I'd appreciate knowing, but as far as I know, all up to date consumer-grade platforms support TLSv1.2 and PFS.

One exception, at least for TLSv1.2, is the older Android phones and tablets (pre-4.1). But as I recall (not got it in front of me) the manifesto says to prefer TLSv1.2, but still support TLSv1.0.

> E.g. my server only has to serve my needs and nobody else's. So I can
> make a lot of compromises up to the fact that I don't care if the NSA or
> GCHQ would be dumb enough to snoop on my communications which happen over
> my XMPP server (which isn't that much).

Your server is surely in production, isn't it? Production means "deployed for everyday use", in my mind.

In any case, the attack vector here isn't that the NSA or GCHQ are targeting you specifically. It's that they're targeting everyone, and keeping that information around in case they need it later.

This is why we're suggesting encrypting everything, and with PFS, so that it's worthless, and so they *need* to target you to snoop on you.

Dave.
_______________________________________________
JDev mailing list
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: [email protected]
_______________________________________________
