Hi

On Tue, Nov 19, 2013 at 12:26 PM, Ashley Ward <ashley.w...@surevine.com> wrote:

> On 19 Nov 2013, at 11:58, Ralf Skyper Kaiser <sky...@thc.org> wrote:
>
> > This attack and vulnerability in the TLS authentication has been
> > recognized by all major browser manufacturers. Pinning (on top of DNSSEC) is
> > being implemented as we speak. Why jabber tries so hard at being less
> > secure than the web browser is a mystery to me.
>
> I guess one of the issues is that XMPP, being federated, is far more
> complicated than the straightforward client-server of the web. I’m far from
> an expert on these things but some kind of certificate pinning would
> require some extra xmpp protocol would it not? Plain DNSSEC and DANE could
> be implemented today though so my view would be let’s make sure we’re using
> the best we can do today and implement the silver standard, and then have a
> really good discussion about how to implement the gold standard
> (potentially certificate pinning, but even this has drawbacks).

Pinning does not require any protocol change in its simplest form. It can be done with just minor changes on the client side.

> For users that absolutely require secrecy then they can still use e2e
> encryption today.

Does not help as your entire buddy list and metadata is not protected by OTR or other jabber plugins.

> Let’s implement what we already have standards for today as a good start,
> and then, once that’s implemented, we can look at the gold standard.
> Otherwise we risk delaying for no really good reason.

I agree. No single security feature should delay the deployment of other security features. But let's add it to the manifesto so that we have a road-map to work towards.

regards,

ralf

> —
> Ash
> _______________________________________________
> JDev mailing list
> Info: http://mail.jabber.org/mailman/listinfo/jdev
> Unsubscribe: jdev-unsubscr...@jabber.org
> _______________________________________________
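As an added illustration of the client-side pinning Ralf describes (example code, not from this thread or any XMPP client): a minimal SPKI pin store with trust-on-first-use enrolment, applied on top of normal certificate validation. The `extract_spki` DER walker and the pin store layout are assumptions for this example, and the sample certificate bytes in the test are constructed, not a real server key.

```python
import base64
import hashlib
from typing import Dict, Set

# Hypothetical pin store: XMPP domain -> set of base64(SHA-256(SPKI)) pins.
# Pinning the SubjectPublicKeyInfo (not the whole cert) keeps the pin valid
# across certificate renewals as long as the server keeps its key pair.
PinStore = Dict[str, Set[str]]


def _der_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of a DER-encoded X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, pos, _ = _der_tlv(cert_der, 0)       # outer Certificate SEQUENCE
    _, pos, _ = _der_tlv(cert_der, pos)     # tbsCertificate SEQUENCE
    if cert_der[pos] == 0xA0:               # skip optional [0] version
        _, _, pos = _der_tlv(cert_der, pos)
    for _ in range(5):                      # serial, sigalg, issuer, validity, subject
        _, _, pos = _der_tlv(cert_der, pos)
    _, _, end = _der_tlv(cert_der, pos)     # subjectPublicKeyInfo
    return cert_der[pos:end]


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin value: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def check_pin(store: PinStore, domain: str, cert_der: bytes,
              trust_on_first_use: bool = True) -> str:
    """Run after the usual chain/DANE checks. Returns "match", "mismatch"
    (pins exist but none match: treat as a possible MITM and abort),
    "enrolled" (first contact, pin recorded) or "unpinned" (TOFU disabled)."""
    pin = spki_pin(extract_spki(cert_der))
    pinned = store.get(domain)
    if pinned:
        return "match" if pin in pinned else "mismatch"
    if trust_on_first_use:
        store[domain] = {pin}
        return "enrolled"
    return "unpinned"
```

With Python's `ssl` module the DER certificate comes from `sock.getpeercert(binary_form=True)` once the handshake has already passed normal validation.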