[jdev] Securing XMPP
I'm attempting to gather the details in one place on how to secure XMPP servers' C2S and S2S traffic: http://wiki.xmpp.org/web/Securing_XMPP

The DANE stuff is all pretty new and I'm struggling to find working examples of how we'd ensure that servers and DNS are set up to only use SSL.

Is there someone more knowledgeable on the topic who could help fill in the details on http://wiki.xmpp.org/web/Securing_XMPP ?

We're missing details for
- Ejabberd
- Tigase
- Openfire

Please add them. Once we have a set of instructions, we can move onto the more exciting phase 2 of the Securing and Encrypting XMPP project ;)

S.

-- 
Simon Tennant | buddycloud.com | +49 17 8545 0880 | office hours: goo.gl/tQgxP

___
JDev mailing list
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: jdev-unsubscr...@jabber.org
___
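As an added illustration of the DANE side of the question (this is example code, not from the thread or the wiki page): how the TLSA records for an XMPP domain's C2S and S2S ports are derived from the server's public key, and how a peer checks a presented certificate against them. It assumes a hypothetical domain example.com, a constructed Ed25519 SubjectPublicKeyInfo, and handles only certificate usage 3 (DANE-EE); usages 0 to 2 additionally need PKIX chain building.

```python
# Added example, stdlib only: TLSA (RFC 6698) records for XMPP ports and the
# DANE-EE (usage 3) matching check. Domain, key and certificate are constructed.
import hashlib

# Constructed SPKI: the fixed 12-byte Ed25519 SPKI header plus 32 made-up key bytes.
SPKI_HEADER = bytes.fromhex("302a300506032b6570032100")
SAMPLE_SPKI = SPKI_HEADER + bytes(range(32))
# Constructed stand-in for the full DER certificate (selector 0 hashes this).
SAMPLE_CERT = b"\x30\x82\x01\x00" + SAMPLE_SPKI + b"\x00" * 200

def association_data(cert_der, spki_der, selector, matching):
    """Compute the TLSA 'certificate association data' for one record."""
    data = cert_der if selector == 0 else spki_der   # 0 = full cert, 1 = SPKI
    if matching == 0:
        return data                                  # exact (unhashed) match
    if matching == 1:
        return hashlib.sha256(data).digest()
    if matching == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type %d" % matching)

def tlsa_record(domain, port, spki_der, cert_der=b"", selector=1, matching=1):
    """Render the zone-file line an operator publishes, e.g. for S2S on 5269."""
    assoc = association_data(cert_der, spki_der, selector, matching).hex()
    return "_%d._tcp.%s. IN TLSA 3 %d %d %s" % (port, domain, selector, matching, assoc)

def parse_tlsa(line):
    """Split a zone-file TLSA line into (usage, selector, matching, assoc_bytes)."""
    fields = line.split()
    i = fields.index("TLSA")
    usage, selector, matching = (int(f) for f in fields[i + 1:i + 4])
    return usage, selector, matching, bytes.fromhex("".join(fields[i + 4:]))

def dane_ee_match(tlsa_lines, cert_der, spki_der):
    """True if any usage-3 record matches the certificate the peer presented."""
    for line in tlsa_lines:
        usage, selector, matching, assoc = parse_tlsa(line)
        if usage != 3:
            continue                                 # would need PKIX chain checks
        if association_data(cert_der, spki_der, selector, matching) == assoc:
            return True
    return False

if __name__ == "__main__":
    s2s = tlsa_record("example.com", 5269, SAMPLE_SPKI)
    c2s = tlsa_record("example.com", 5222, SAMPLE_SPKI)
    print(s2s)
    print(c2s)
    print("peer certificate matches:", dane_ee_match([s2s, c2s], SAMPLE_CERT, SAMPLE_SPKI))
```

The records only help if the zone is DNSSEC-signed and the connecting server validates the signatures; without that a spoofed TLSA answer is as easy to forge as a spoofed SRV record.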
Re: [jdev] Securing XMPP
On 28 August 2013 17:14, Simon Tennant si...@buddycloud.com wrote:
> I'm attempting to gather the details in one place on how to secure XMPP servers C2S and S2S traffic: http://wiki.xmpp.org/web/Securing_XMPP

Only feedback so far: you might want to clarify the single domain/multiple domain thing - DANE is not a requirement for securely hosting multiple domains on a single server. I think that might confuse people.

Regards,
Matthew
Re: [jdev] Securing XMPP
On 8/28/13 10:28 AM, Matthew Wild wrote:
> On 28 August 2013 17:14, Simon Tennant si...@buddycloud.com wrote:
>> I'm attempting to gather the details in one place on how to secure XMPP servers C2S and S2S traffic: http://wiki.xmpp.org/web/Securing_XMPP
>
> Only feedback so far: you might want to clarify the single domain/multiple domain thing - DANE is not a requirement for securely hosting multiple domains on a single server. I think that might confuse people.

It's a wiki. Feel free to edit. I plan to. :-)

But yes, you don't need DNSSEC to handle multiple domains. In fact if you host just a few domains you could potentially get proper certs for all of them. It's when you host a lot of domains that you need some other solution. DANE/DNSSEC is great for that, or will be when it is more generally available, but IMHO we might need to wait *years* for that to happen. Thus the work we've been doing on POSH as an interim solution:

http://datatracker.ietf.org/doc/draft-miller-posh/

See also the domain name associations spec:

http://datatracker.ietf.org/doc/draft-ietf-xmpp-dna/

Matt Miller and I plan to update both of those by the end of next week.
Peter

-- 
Peter Saint-Andre
https://stpeter.im/
Re: [jdev] Securing XMPP
On 28 Aug 2013, at 18:33, Peter Saint-Andre stpe...@stpeter.im wrote:
> On 8/28/13 10:28 AM, Matthew Wild wrote:
>> On 28 August 2013 17:14, Simon Tennant si...@buddycloud.com wrote:
>>> I'm attempting to gather the details in one place on how to secure XMPP servers C2S and S2S traffic: http://wiki.xmpp.org/web/Securing_XMPP
>>
>> Only feedback so far: you might want to clarify the single domain/multiple domain thing - DANE is not a requirement for securely hosting multiple domains on a single server. I think that might confuse people.
>
> It's a wiki. Feel free to edit. I plan to. :-)
>
> But yes, you don't need DNSSEC to handle multiple domains. In fact if you host just a few domains you could potentially get proper certs for all of them. It's when you host a lot of domains that you need some other solution. DANE/DNSSEC is great for that, or will be when it is more generally available, but IMHO we might need to wait *years* for that to happen. Thus the work we've been doing on POSH as an interim solution:
>
> http://datatracker.ietf.org/doc/draft-miller-posh/
>
> See also the domain name associations spec:
>
> http://datatracker.ietf.org/doc/draft-ietf-xmpp-dna/
>
> Matt Miller and I plan to update both of those by the end of next week.
>
> Peter

Hello!

Not completely unrelated to this topic, the past couple of days I've been working on a tool to test the encryption settings of XMPP servers, similar to the test offered by ssllabs. It applies the same grading algorithm as ssllabs and I'm working on adding all the warnings and diagnostics provided by that test, and some more specific to XMPP.

The tool itself can be found here: https://bitbucket.org/xnyhps/xmppoke

But it is still rather unpolished.
I have used it to test the encryption used by the list of servers on xmpp.net and published those reports:

c2s:
https://blog.thijsalkema.de/blog/2013/08/26/the-state-of-tls-on-xmpp-1/
https://xnyhps.nl/~thijs/xmppoke/2013-08-26/scores.html

s2s:
https://blog.thijsalkema.de/blog/2013/08/28/the-state-of-tls-on-xmpp-2/
https://xnyhps.nl/~thijs/xmppoke/2013-08-28/scores.html

Conclusions are that many offer weak encryption. SSLv2 was deprecated before the first Jabber server was written and is known to be badly broken. Many servers offer DES, or even EXPORT DES, which can be cracked in seconds nowadays. Nearly all servers respect the client's ordering of ciphers, meaning a badly configured client can end up using those ciphers (and yes, I know Adium is not free of blame here). The script tries to determine the cipher a specific client will use, though this should be taken as an estimate. Specific versions of other components might influence the results too (version of OpenSSL/NSS/etc. installed).

While I think offering this as a website like https://ssllabs.com would be a great option, setting that up securely would be a bit more work than I'm willing to put into that. The script can take a couple of minutes to run (it has to open around 30 connections) and with SRV records potentially pointing at any port on any server, this would be open to abuse. So for now I can test a server manually and publish the report, I will try to scan the xmpp.net list every couple of months, and those that want to can grab the code themselves.

I hope this helps!

Regards,
Thijs
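To make the "servers respect the client's ordering" point concrete, here is an added example (not part of xmppoke or the post above) that simulates the cipher-suite choice for a scanned server against two client preference lists and reports the weak outcomes the scan describes. The server and client cipher lists are constructed, suite names follow the OpenSSL naming style, and "weak" is limited to the cases the post names: export-grade suites and single DES.

```python
# Added example: which cipher a client actually ends up with depends on whether the
# server enforces its own order. Scan data below is constructed, not a real server.

def is_weak(suite):
    """Weak in the sense flagged in the scan: export-grade or single DES."""
    return suite.startswith("EXP") or ("DES-CBC" in suite and "DES-CBC3" not in suite)

def negotiate(client_order, server_order, server_prefers_own_order):
    """Return the suite a handshake ends with: the first common suite in the
    ClientHello order, unless the server is configured to enforce its own order."""
    common = set(client_order) & set(server_order)
    if not common:
        return None
    ranked = server_order if server_prefers_own_order else client_order
    return next(s for s in ranked if s in common)

SERVER = {  # constructed scan result for one hypothetical S2S endpoint
    "protocols": ["SSLv2", "SSLv3", "TLSv1"],
    "ciphers": ["AES256-SHA", "DES-CBC3-SHA", "DES-CBC-SHA", "EXP-DES-CBC-SHA"],
    "honours_client_order": True,
}
CLIENTS = {  # constructed ClientHello preference lists for two hypothetical clients
    "well-configured client": ["AES256-SHA", "DES-CBC3-SHA"],
    "badly-configured client": ["DES-CBC-SHA", "AES256-SHA"],
}

def assess(server, clients):
    """Findings a report would list, plus the suite each client would negotiate."""
    findings = []
    if "SSLv2" in server["protocols"]:
        findings.append("SSLv2 offered")
    for suite in server["ciphers"]:
        if is_weak(suite):
            findings.append("weak suite offered: " + suite)
    outcomes = {}
    for name, prefs in clients.items():
        chosen = negotiate(prefs, server["ciphers"], not server["honours_client_order"])
        outcomes[name] = chosen
        if chosen and is_weak(chosen):
            findings.append("%s would negotiate %s" % (name, chosen))
    return findings, outcomes

if __name__ == "__main__":
    for line in assess(SERVER, CLIENTS)[0]:
        print(line)
    # Same server with its own order enforced: the badly configured client is rescued.
    print(assess(dict(SERVER, honours_client_order=False), CLIENTS)[1])
```

The second run shows the mitigation an operator controls: removing the weak suites from the server list makes the question moot, and enforcing server order protects clients whose lists are still poorly ordered.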
Re: [jdev] Securing XMPP
On 28 Aug 2013, at 18:33, Peter Saint-Andre stpe...@stpeter.im wrote:
> DANE/DNSSEC is great for that, or will be when it is more generally available, but IMHO we might need to wait *years* for that to happen.

Peter,

If you keep repeating this statement it will become true...

I don't think we're talking so many years here, but it all depends on which TLD you're using. In Sweden we've had DNSsec support in .SE for many years, we have patches for OpenSSL for DANE and are starting to look at code.

I think you should modify this statement that one might need to wait years for DANE/DNSsec to be implemented in all TLDs.

My 5 öre. :-)

/O
Re: [jdev] Securing XMPP
On 8/28/13 12:42 PM, Olle E. Johansson wrote:
> On 28 Aug 2013, at 18:33, Peter Saint-Andre stpe...@stpeter.im wrote:
>> DANE/DNSSEC is great for that, or will be when it is more generally available, but IMHO we might need to wait *years* for that to happen.
>
> Peter,
>
> If you keep repeating this statement it will become true...

I don't think stpeter is that powerful. ;-)

> I don't think we're talking so many years here, but it all depends on which TLD you're using. In Sweden we've had DNSsec support in .SE for many years, we have patches for OpenSSL for DANE and are starting to look at code.

And our friends in .jp don't even have DNS SRV support yet!

> I think you should modify this statement that one might need to wait years for DANE/DNSsec to be implemented in all TLDs.

It's not just the registrars -- it's the resolvers, the nameservers, the operating systems, the application software, the clients, the servers, the distros, etc. There are a lot of moving parts involved.

Just my centigram of silver.
;-)

Peter

-- 
Peter Saint-Andre
https://stpeter.im/