On 1 nov. 2013, at 13:33, Moonchild <[email protected]> wrote:

> In addition, only including score grade "A" is a little short-sighted, IMHO,
> as server operators may be very good admins running a secure server while
> not getting a grade A (for example by offering potentially weaker ciphers
> for extended compatibility with clients - the test seems to pick the lowest
> available to grade servers on). Pushing specific servers to the foreground
> based on their score is a breeding ground for favoritism which I think we
> should avoid.
Sorry, but I don't buy it. To score less than an A, a server would have to do at least one of the following:

1) Enable ciphers with less than 128 bit keys (DES, EXPORT-*, not 3DES, which is assumed 168).
2) Use an RSA keypair with less than 1024 bits.
3) Enable SSLv2.
4) Use an untrusted or invalid certificate.

We can debate about 4) for a long time, but 1), 2) and 3) have been bad practices for at least a decade, some even longer than Jabber has existed. I don't buy that there is a client out there that doesn't support at least AES or RC4, 1024 bit certs or TLS 1.0.

Regards,
Thijs
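As an added example, not code from either participant in the thread, here is a small Python checker that applies the four criteria Thijs lists to a server's TLS configuration: it parses `openssl ciphers -v` style lines to find suites whose symmetric key is shorter than 128 bits (3DES counted at its nominal 168 bits, as the message assumes) and reports which of criteria 1-4 a server would fail. The function names and the sample cipher lines are assumptions constructed for this example.

```python
import re

# Constructed sample in the format of `openssl ciphers -v` (not taken from the thread).
SAMPLE_CIPHERS = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
"""

# Matches the Enc=ALG(bits) field; Enc=None (no encryption) carries no bit count.
ENC_RE = re.compile(r"Enc=(\w+)(?:\((\d+)\))?")


def cipher_key_bits(line):
    """Return (suite name, symmetric key bits) for one `openssl ciphers -v` line.
    3DES is reported at its nominal 168 bits, as the message assumes; Enc=None is 0."""
    name = line.split()[0]
    m = ENC_RE.search(line)
    if not m:
        raise ValueError("no Enc= field in line: " + line)
    alg, bits = m.group(1), m.group(2)
    return name, (0 if alg == "None" or bits is None else int(bits))


def weak_ciphers(openssl_v_output, minimum=128):
    """Suites whose key is shorter than `minimum` bits (criterion 1 in the message)."""
    parsed = [cipher_key_bits(l) for l in openssl_v_output.splitlines() if l.strip()]
    return [(name, bits) for name, bits in parsed if bits < minimum]


def grade_issues(openssl_v_output, rsa_bits, sslv2_enabled, cert_trusted):
    """Return the numbers (1..4) of the listed criteria that the server fails.
    An empty list means none of the four conditions for scoring below A applies."""
    failed = []
    if weak_ciphers(openssl_v_output):
        failed.append(1)          # a sub-128-bit cipher is enabled
    if rsa_bits < 1024:
        failed.append(2)          # RSA keypair shorter than 1024 bits
    if sslv2_enabled:
        failed.append(3)          # SSLv2 offered
    if not cert_trusted:
        failed.append(4)          # untrusted or invalid certificate
    return failed


if __name__ == "__main__":
    print(weak_ciphers(SAMPLE_CIPHERS))
    print(grade_issues(SAMPLE_CIPHERS, rsa_bits=2048, sslv2_enabled=False, cert_trusted=True))
```

On a real server, feed it the suite list the server actually negotiates (for example the output of `openssl ciphers -v` for the configured cipher string) rather than the constructed sample.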
