Dear fellow operators,

We at jabber.at would like to announce that we will exclusively support forward secrecy[1] enabled ciphers starting *October 1st, 2015*. Servers that do not support any of those ciphers by then will not be able to federate with us until they upgrade.

We already tested this setup, and there were very few users with connection problems (e.g. with a 7-year-old Pidgin). The biggest problem is very old servers that use far outdated software. For a "secure network", that's just sad.

You can test if you're ready at https://xmpp.net. If you support any forward secrecy cipher, you are fine. If you use the versions of ejabberd and Prosody that ship with the current Debian Stable or Ubuntu LTS, you're fine as well. If you use e.g. Debian Squeeze, you definitely should update.

For everyone, here's a short reminder about current best security practices (none of them have caused *any* problems with our users!):

* Enforce encryption for both c2s and s2s connections.
* Disable SSLv3 (very broken), enable TLSv1.2.
* Disable RC4 ciphers (also very broken).
* Have a valid 4096 bit certificate with at least a sha256 signature.

greetings, Mati (from jabber.at)

[1] https://en.wikipedia.org/wiki/Forward_secrecy

--
twitter: @mathiasertl | xing: Mathias Ertl | email: [email protected]
I only read plain-text mail!
I prefer signed/encrypted mail!
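
The checklist in the mail above, written as an offline audit of a server's scan result; this is an added example, not part of the original mail and not code from jabber.at or xmpp.net. The `report` dict layout and the sample servers are constructed assumptions, and the cipher-name matching also covers IANA-style and TLS 1.3 suite names, which goes beyond the 2015 announcement.

```python
import re

# Key-exchange tokens that give forward secrecy, in OpenSSL ("ECDHE-RSA-...")
# and IANA ("TLS_ECDHE_RSA_WITH_...") naming. EDH is OpenSSL's old alias for DHE.
# Static DH/ECDH and anonymous ADH/AECDH names deliberately do not match.
_FS_KX = re.compile(r"(^|[-_])(ECDHE|DHE|EDH)([-_]|$)")
# TLS 1.3 suite names carry no key exchange; every one uses ephemeral (EC)DHE.
_TLS13 = re.compile(r"^TLS_(AES|CHACHA20)_")

def is_forward_secret(cipher):
    name = cipher.upper()
    return bool(_TLS13.match(name) or _FS_KX.search(name))

def audit(report):
    """Return (can_federate, findings) for one server's scan result.
    `report` is a constructed dict layout, not the output format of xmpp.net."""
    ciphers = report["ciphers"]
    # A peer only needs one forward secrecy cipher to keep federating.
    can_federate = any(is_forward_secret(c) for c in ciphers)
    findings = []
    if not can_federate:
        findings.append("no forward secrecy cipher offered")
    if any("RC4" in c.upper() for c in ciphers):
        findings.append("RC4 ciphers enabled")
    protocols = {p.lower() for p in report["protocols"]}
    if "sslv3" in protocols:
        findings.append("SSLv3 enabled")
    if "tlsv1.2" not in protocols:
        findings.append("TLSv1.2 not enabled")
    if not (report["c2s_required"] and report["s2s_required"]):
        findings.append("encryption not enforced on c2s and s2s")
    if report["cert_bits"] < 4096:
        findings.append("certificate key shorter than 4096 bits")
    if report["cert_sig_hash"].lower() in ("md5", "sha1"):
        findings.append("certificate signature weaker than sha256")
    return can_federate, findings

# Constructed sample scan results (illustrative, not real servers).
LEGACY = {"protocols": ["SSLv3", "TLSv1"], "c2s_required": True, "s2s_required": False,
          "ciphers": ["RC4-SHA", "AES128-SHA", "ECDH-RSA-AES128-SHA"],
          "cert_bits": 2048, "cert_sig_hash": "sha1"}
MODERN = {"protocols": ["TLSv1", "TLSv1.2"], "c2s_required": True, "s2s_required": True,
          "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-SHA", "AES128-SHA"],
          "cert_bits": 4096, "cert_sig_hash": "sha256"}

if __name__ == "__main__":
    for name, rep in (("legacy", LEGACY), ("modern", MODERN)):
        print(name, audit(rep))
```

A suite such as `ECDHE-RSA-RC4-SHA` passes the federation test but is still reported under the RC4 finding, which is why the two checks are kept separate.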
