On Sat, Sep 14, 2013 at 08:49:09PM +0700, Aryo Sandiyudo wrote:
> Interesting blog post, this will be a tremendous input for people who
> manage a XMPP server, XMPP server developers and XMPP client developers.
> Good job!
A *very* interesting, and also frustrating, blogpost indeed. I am the admin of jabber.at (operators might also take note of https://list.jabber.at for another list of jabber servers ;-)), one of the servers getting the top score of 93/100 in both c2s and s2s security.

The post is frustrating because: I didn't do anything really that special to set up our server (apart from an up-to-date ejabberd version, but even Debian Stable is only a few minor points behind). No complicated cipher configuration or anything, it's a normal Ubuntu 12.04 LTS installation. Why do almost all other servers score so much worse, even those with valid certificates?

According to that list, 30 servers use Linux 2.6.32. This version ships with Ubuntu 10.04 and Debian oldstable, so I guess most of these use these two versions. So those could be explained with old versions of OpenSSL. Together with the many outdated certificates, this gives a not-so-good picture of the state of the XMPP network. Please update your systems! Update your certificates!

I guess I will do a blog post on a more secure setup. I hope I contribute to a more secure XMPP network.

greetings
Mati

--
I only read plain text mail!
I prefer pgp|gpg signed & encrypted mails!