On 19 nov. 2013, at 14:07, Ralf Skyper Kaiser <[email protected]> wrote:
> Hi, > > > On Tue, Nov 19, 2013 at 12:29 PM, Thijs Alkemade <[email protected]> wrote: > > On 19 nov. 2013, at 12:58, Ralf Skyper Kaiser <[email protected]> wrote: > > > Hi > > > > > > On Tue, Nov 19, 2013 at 11:37 AM, Simon Tennant <[email protected]> > > wrote: > Automatic key pinning works for SSH, because private keys are rarely changed > and people are more tech-savy than average XMPP users. If you start doing this > for XMPP, you'll see a lot of false positives. I doubt you can convince a > large part of the network to start using self-signed certificates valid for a > long time. Every time a user who doesn't understand the security implications > removes a pin, the security of the system is weakened because it makes MitM > attacks easier. The manifesto requires software to be able to inform users > when a certificate changes and I think this is the right approach to automatic > pinning. > > By 'average XMPP user' you mean 'average XMPP Server admin' I think. > > The user only sees a new certificate if the admin chooses to create a new key > on the same domain name. > > The average XMPP server admin is tech-savy. I think I would go as far as > saying that the average > XMPP server admin is more tech-savy than the average apache admin - and > apache/web-browsers > are going to support pinning soon. No, I mean average XMPP user. I claim that the percentage of SSH users that know what it means to remove a line from ~/.ssh/known_hosts is higher than the percentage of XMPP users that will know what it means to do the equivalent thing in their client. > There are enough fallbacks to help the tech-unsavy admin if he looses the key > and has to create a new key: > - Can use a new domain (jabber-1.mydomain.org becomes jabber-2.mydomain.org This breaks all your presence subscriptions. > - Can ask all users to reinstall the jabber client If a server admin would ask me to do this, I’d be looking for a different server. This would make users lose so much other data too, they'd be pissed. > - Can ask all users to manually remove the pinned key from the client We should make sure this is needed _very_ rarely. > - Can use 'reverse fingerprinting' where the user can remove an old pinned > key by entering the fingerprint of the new certificate. How are they going to securely obtain the new fingerprint? > - Backup Key (requires protocol change?) Yes, this comes back to the point of the proposed XEP: only pin if the server admin tells you you should pin and when the admin proves they have backup measures set up. :) Regards, Thijs
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ JDev mailing list Info: http://mail.jabber.org/mailman/listinfo/jdev Unsubscribe: [email protected] _______________________________________________
