Hello list

On Tue, Jun 30, 2020 at 05:59:34PM +0200, Jonas Schäfer wrote:
> https://github.com/xsf/xeps/pull/963
>
> Input from server operators specifically would be welcomed to see if
> this change is in fact desirable or if you can see any issues with
> that. At least one member of the community has already expressed [1]
> that they think this may lead to downgrade attacks.
>
> [1]: https://mail.jabber.org/pipermail/standards/2020-June/037592.html
(Prosody developer hat)

TL;DR: It's probably fine, but I wish Dialback would go away.

As mentioned in the PR, this reflects how current versions of ejabberd and Prosody already behave (by default?). These two implementations account for a large part of the open XMPP federation. So, if this XEP is to describe current practice, then this PR is good.

I do not think that it constitutes a downgrade attack; rather, it becomes a local policy decision of whether to trust Dialback when faced with untrusted certificates. Dialback is still fairly hard to circumvent AFAIK.

At least in Prosody, certificate validation strictness and Dialback are configurable. Falling back to Dialback might only be done if the remote server thinks your own certificate is insufficient, but you think theirs is fine. This does result in a number of different possible configurations. Not great for something security related.

Personally I hope we might be able to phase out Dialback in the future. Today, largely thanks to Let's Encrypt, more and more servers have valid certificates. So, the Dialback code paths are more and more disused. My own server requires valid certificates and this is mostly an issue with certain XSF members (you know who you are). As a bonus, many unmaintained certificates with expired certificates that I am unable to establish s2s with appear to be sources of spam, which I am spared from.

-- 
Kim "Zash" Alvefur
