Re: [Standards] Fwd: [Uta] STARTTLS vulnerabilities
On Wednesday, 11.08.2021 at 14:25 -0600, Peter Saint-Andre wrote:
> Too bad we didn't stick to our guns in 2003 and insist on two ports
> instead of one, but STARTTLS was the recommended approach back
> then...
>

I am still not convinced that STARTTLS is the ultimate evil. SMTP had way too many bugs in its implementation over its history, still no one considers it evil. And that's just yet another of those bugs.

And considering network transparency becomes a bigger rarity nowadays - port multiplication is a must. And we are yet to see how many similar bugs there will be in ALPN/SNI implementations.

--rr

___
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
___
Re: [Standards] Proposed XMPP Extension: Disco Feature Attachment
On 2021-08-11 17:35, Jonas Schäfer wrote:
> Hi goffi,
>
> Thanks for proposing this. The council has today vetoed the advancement for this ProtoXEP to Experimental, but I'd like to give you some feedback because I think the problem you're trying to address is real. The bottom of this email contains two recommendations from me which may allow us to solve the underlying issue.
>
> [SNIP]

Hi Jonas,

thanks for the long explanation, and actually I agree with most of the arguments.

It's not a problem that this proposal is rejected, all I want is to see this problem tackled and my main goal was to make things move (hopefully they are).

I have not the time right now to work on new protoXEPs for disco items and RSM, or patches where necessary, so if somebody wants to jump in, please do. Otherwise I may propose something at a later time.

Kind regards
Goffi
Re: [Standards] Fwd: [Uta] STARTTLS vulnerabilities
We've had this discussion before but for context in this thread: I ignore that as it doesn't make any sense (and follow the second thing and just decide myself how I want to connect). I know at least one or two others do too, but I don't know which strategy is more widespread.

—Sam

On Thu, Aug 12, 2021, at 09:16, Holger Weiß wrote:
> | Both 'xmpp-' and 'xmpps-' records SHOULD be treated as the same
> | record with regard to connection order as specified by RFC 2782 [3],
> | in that all priorities and weights are mixed. This enables the
> | server operator to decide if they would rather clients connect with
> | STARTTLS or direct TLS. However, clients MAY choose to prefer one
> | type of connection over the other.
Re: [Standards] Fwd: [Uta] STARTTLS vulnerabilities
* Sam Whited [2021-08-11 17:21]:
> In my experience it's widely supported these days.

At least for c2s, yes.

> I also don't know if clients prioritize these records over starttls.

XEP-0368 says:

| Both 'xmpp-' and 'xmpps-' records SHOULD be treated as the same record
| with regard to connection order as specified by RFC 2782 [3], in that
| all priorities and weights are mixed. This enables the server operator
| to decide if they would rather clients connect with STARTTLS or direct
| TLS. However, clients MAY choose to prefer one type of connection over
| the other.

Holger
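The connection ordering in the XEP-0368 text quoted above, as an added example that is not part of any message in this thread and not code from any XMPP project: it mixes both SRV record sets and orders them per RFC 2782, with an optional client preference for one connection type. The `Srv` type, the function names and the `example.org` records are assumptions constructed for illustration.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Srv:
    service: str   # "xmpp-client" (STARTTLS) or "xmpps-client" (direct TLS)
    priority: int
    weight: int
    port: int
    target: str

def rfc2782_order(records, rng=random):
    """Lowest priority value first; weighted random selection within one priority."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        # RFC 2782: put weight-0 records at the front of the pool.
        pool = sorted((r for r in records if r.priority == prio),
                      key=lambda r: r.weight != 0)
        while pool:
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for i, rec in enumerate(pool):
                running += rec.weight
                if running >= pick:   # first record whose running sum reaches pick
                    ordered.append(pool.pop(i))
                    break
    return ordered

def connection_candidates(starttls, direct_tls, prefer=None, rng=random):
    """prefer=None mixes both sets (the SHOULD); "direct"/"starttls" is the MAY."""
    # RFC 2782: a target of "." means the service is not offered at all.
    starttls = [r for r in starttls if r.target != "."]
    direct_tls = [r for r in direct_tls if r.target != "."]
    if prefer is None:
        return rfc2782_order(starttls + direct_tls, rng)
    first, second = ((direct_tls, starttls) if prefer == "direct"
                     else (starttls, direct_tls))
    return rfc2782_order(first, rng) + rfc2782_order(second, rng)

# Constructed sample records for a placeholder domain (not real DNS data).
STARTTLS = [Srv("xmpp-client", 10, 5, 5222, "a.example.org"),
            Srv("xmpp-client", 20, 0, 5222, "b.example.org")]
DIRECT = [Srv("xmpps-client", 5, 0, 5223, "a.example.org"),
          Srv("xmpps-client", 10, 5, 443, "c.example.org"),
          Srv("xmpps-client", 30, 0, 0, ".")]

if __name__ == "__main__":
    for rec in connection_candidates(STARTTLS, DIRECT):
        print(rec.priority, rec.service, rec.target, rec.port)
```

With mixed ordering the server operator's priorities decide whether a client tries STARTTLS or direct TLS first; with `prefer` set, the client overrides that choice and uses the other record set only as a fallback.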
Re: [Standards] Fwd: [Uta] STARTTLS vulnerabilities
Quoting Kim Alvefur:
> We were always at war with STARTTLS?

The world is at war with both ports < 443 and ports > 443.