On Fri, Aug 29, 2014 at 8:28 AM, Dave Cridland <[email protected]> wrote:
> On 29 August 2014 11:45, Marco Cirillo <[email protected]> wrote:
>
>> The main challenge, at least here, regards communicating with "silos"
>> like Google/Google Apps domains and webex hosted domains (cisco.com
>> etc). And since my users demanded that with high voice regardless of
>> security I had in the end to (add code to) allow exceptions to grant s2s
>> communication with those services.
>>
>
> That's an excellent point, actually, and one I hadn't addressed in this
> note - some implementations have had to gain new features in order to
> handle the security landscape changing. I know Prosody, too, has developed
> a mechanism for whitelisting domains, so deployments can relax requirements
> for Google et al.
>

There are two extreme camps among operators: Idealists vs pragmatists -- feel free to suggest better labels.

Idealists are perfectly fine with dropping interop with Google. They range from "Google is teh evil" to just "I won't make a security exception for Google, if my users don't like it I'll educate them, and they can always use other servers".

Pragmatists range from "My users want this, so I'll make an exception for just Google" to "Google interop is important enough that I'd drop XMPP before I'd drop Google".

We've had several polite flamewars in the Prosody chatroom around this over the past months and years. Most people are set in their ways, and I've seen almost no-one change positions, but then such is the nature of flamewars.

Prosody has whitelisting and blacklisting mechanisms for specific domains. However Google Apps for Your Domain throws a wrench in all that. Allowing GAFYD fundamentally allows downgrade attacks for *all* domains, given an active DNS MITM.

--
Waqas Hussain
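Added illustration of the last point in the message above (not code from the mail thread or from Prosody): a toy s2s TLS-exemption policy evaluated against an honest DNS view and against a view rewritten by an active DNS MITM. The domain names, SRV targets and the "looks Google-hosted" heuristic are constructed assumptions; the point is that an exemption keyed on what DNS says about a domain can be triggered for any domain by whoever controls DNS, while an exemption keyed on an explicit domain list cannot.

```python
from typing import Dict, FrozenSet, List

# Assumption: SRV targets a server would treat as "hosted by Google".
GOOGLE_SRV_SUFFIXES = (".l.google.com", ".google.com")

# Constructed honest DNS view: XMPP domain -> SRV target hosts.
HONEST_DNS: Dict[str, List[str]] = {
    "gmail.com": ["xmpp-server.l.google.com"],
    "gafyd-customer.example": ["xmpp-server.l.google.com"],  # a GAFYD domain
    "example.org": ["xmpp.example.org"],  # ordinary server that does TLS
}


def is_google_hosted(domain: str, dns: Dict[str, List[str]]) -> bool:
    """Heuristic GAFYD detection: every SRV target for the domain is Google's."""
    targets = dns.get(domain, [])
    return bool(targets) and all(t.endswith(GOOGLE_SRV_SUFFIXES) for t in targets)


def may_skip_tls(domain: str, dns: Dict[str, List[str]],
                 explicit_allowlist: FrozenSet[str], allow_gafyd: bool) -> bool:
    """Plaintext s2s is allowed only for explicitly listed domains, or, when the
    GAFYD exemption is on, for any domain that DNS says is Google-hosted."""
    if domain in explicit_allowlist:
        return True
    return allow_gafyd and is_google_hosted(domain, dns)


def mitm_dns_view(dns: Dict[str, List[str]], victim: str) -> Dict[str, List[str]]:
    """An active DNS MITM rewrites only the victim's SRV records so the victim
    appears to be hosted by Google; every other record is left untouched."""
    spoofed = dict(dns)
    spoofed[victim] = ["xmpp-server.l.google.com"]
    return spoofed


def downgrade_possible(victim: str, allow_gafyd: bool,
                       explicit_allowlist: FrozenSet[str] = frozenset({"gmail.com"})) -> bool:
    """Can the MITM make the local policy drop TLS for `victim`?"""
    honest = may_skip_tls(victim, HONEST_DNS, explicit_allowlist, allow_gafyd)
    under_attack = may_skip_tls(victim, mitm_dns_view(HONEST_DNS, victim),
                                explicit_allowlist, allow_gafyd)
    return under_attack and not honest


if __name__ == "__main__":
    print("explicit list only:", downgrade_possible("example.org", allow_gafyd=False))
    print("GAFYD exemption on:", downgrade_possible("example.org", allow_gafyd=True))
```

With the exemption keyed on an explicit domain list the attacker gains nothing from rewriting example.org's SRV records; with the DNS-based GAFYD exemption enabled, the same rewrite flips the policy to plaintext for a domain that was never meant to be exempt.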
