On 01/24/2017 10:20 AM, Sam Whited wrote:
> I agree with Zash, they're equivalent; 6120 says that even if STARTTLS
> isn't advertised you should attempt it, and this is the same thing.
> Falling back to plain is a bad idea, but it's a matter of client policy.
I still disagree. I know in the wild you will find poorly written clients and servers that fall back to plain text when confronted with STARTTLS stripping, but you will NEVER find software that falls back to plaintext over direct TLS, because it's simply not possible.

Also, I just realized the XEP already spells this out explicitly:

"TLS provides more security than STARTTLS if RFC 7590 [4] is not followed, as it isn't subject to STARTTLS stripping."

Referring to where 7590 talks about stripping here: https://tools.ietf.org/html/rfc7590#section-3.1

Is that sentence as written not correct?
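To make the distinction in this thread concrete, here is an added simulation (not code from the thread, from any XMPP client or server, or from the XEP) of both connection styles against an on-path attacker. The class and function names (HonestServer, StrippingMitm, connect_starttls, connect_direct_tls) and the sample stream features are constructed for the illustration; only the XML namespaces are the real ones from RFC 6120. It follows the thread's reading of RFC 7590 section 3.1, in which the client sends the STARTTLS command whether or not it was advertised, so the only decision left to client policy is what to do when the answer is a failure. With direct TLS that decision point does not exist.

```python
"""
Model of STARTTLS stripping on an XMPP stream versus direct TLS.

Added illustration for this thread, not code from any XMPP client or
server. The classes and functions are hypothetical names; the XML
namespaces are the real ones from RFC 6120.
"""
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
ET.register_namespace("stream", NS_STREAM)

# Constructed sample: the first <stream:features/> an honest server sends.
HONEST_FEATURES = (
    f'<stream:features xmlns:stream="{NS_STREAM}">'
    f'<starttls xmlns="{NS_TLS}"><required/></starttls>'
    f'<mechanisms xmlns="{NS_SASL}"><mechanism>PLAIN</mechanism></mechanisms>'
    f"</stream:features>"
)


def starttls_advertised(features_xml: str) -> bool:
    """True if the <starttls/> feature is present in the stream features."""
    root = ET.fromstring(features_xml)
    return root.find(f"{{{NS_TLS}}}starttls") is not None


def strip_starttls(features_xml: str) -> str:
    """What an on-path attacker does: delete the <starttls/> advertisement."""
    root = ET.fromstring(features_xml)
    for child in list(root):
        if child.tag == f"{{{NS_TLS}}}starttls":
            root.remove(child)
    return ET.tostring(root, encoding="unicode")


class HonestServer:
    """The real server: offers STARTTLS and holds the key for its certificate."""

    def features(self) -> str:
        return HONEST_FEATURES

    def on_starttls(self) -> str:
        return f'<proceed xmlns="{NS_TLS}"/>'

    def tls_handshake(self) -> bool:
        return True  # holds the private key matching the domain's certificate


class StrippingMitm:
    """On-path attacker: rewrites the plaintext stream and answers <starttls/> itself."""

    def __init__(self, upstream: HonestServer):
        self.upstream = upstream

    def features(self) -> str:
        return strip_starttls(self.upstream.features())

    def on_starttls(self) -> str:
        # Never forwarded upstream; the attacker wants the stream to stay plain.
        return f'<failure xmlns="{NS_TLS}"/>'

    def tls_handshake(self) -> bool:
        # Assumes the client validates certificates: the attacker has no
        # certificate for the domain that the client will accept.
        return False


def connect_starttls(server, fallback_to_plain: bool):
    """
    Client side of RFC 6120 STARTTLS negotiation.

    The client sends <starttls/> whether or not it was advertised. The only
    policy choice left is what to do when the answer is <failure/>: a
    compliant client aborts, a badly written one carries on in plaintext.
    Returns (starttls_was_advertised, outcome).
    """
    advertised = starttls_advertised(server.features())
    reply = ET.fromstring(server.on_starttls())
    if reply.tag == f"{{{NS_TLS}}}proceed":
        return advertised, "tls"
    if fallback_to_plain:
        return advertised, "plaintext"  # SASL PLAIN credentials now go to the attacker
    return advertised, "aborted"


def connect_direct_tls(server) -> str:
    """
    Direct TLS connection: the TLS handshake happens before any XML is
    exchanged. There is no plaintext negotiation to strip and no plaintext
    state to fall back to, so the outcome is either a TLS stream or no
    stream at all.
    """
    return "tls" if server.tls_handshake() else "aborted"


if __name__ == "__main__":
    honest = HonestServer()
    mitm = StrippingMitm(honest)
    print("honest, STARTTLS:", connect_starttls(honest, fallback_to_plain=False))
    print("mitm, STARTTLS, bad client:", connect_starttls(mitm, fallback_to_plain=True))
    print("mitm, STARTTLS, good client:", connect_starttls(mitm, fallback_to_plain=False))
    print("mitm, direct TLS:", connect_direct_tls(mitm))
```

Note that `connect_starttls` has a branch that ends in `"plaintext"` and `connect_direct_tls` does not; that absence, rather than any client policy, is the property the post is arguing for.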
