Hi Peter! :-)

On Jul 13, 2013, at 4:23 AM, Peter Saint-Andre <[email protected]> wrote:

> Hi Matthew! :-)
>
> On 7/12/13 5:34 PM, Matthew Wild wrote:
>> On 12 July 2013 22:06, Peter Saint-Andre <[email protected]>
>> wrote:
>>> Really it's a crime that we don't have ubiquitous s2s and e2e
>>> encryption by now
>>
>> As you may know, we thought very seriously about making the
>> default behaviour for the next release of Prosody to require
>> trusted and valid certificates on all s2s connections. Ultimately
>> we decided against it, for now. But I remain optimistic that we
>> shall do so in a future version (perhaps after making a POSH
>> verification module available).
>
> Sounds good. I do think we're making progress, although I'm frustrated
> that it's as slow as it is.
>

+1 even though I do nothing myself, so I can blame myself as well. :-)
How can I actually help out? Reading up on POSH and friends?

>>> but I suppose in fairness to us these are hard problems...
>>
>> Name another protocol as widespread as XMPP that has solved them so
>> far...? :)
>
> True.
>
>> At least I think we're on the right track, but with things like
>> this I think it takes baby-steps. We have come a long way, many
>> clients and servers require encryption on c2s now which simply
>> wasn't true a few years ago.
>
> Yes, I am hoping / planning to do that at jabber.org before too much
> more time goes by. But one thing at a time.
>
>> PS. Anecdotal, but currently on my server:
>>
>> 40 "secure" incoming s2s connections (trusted+valid certificate)
>> 37 encrypted with invalid/self-signed certificates
>> 10 not encrypted at all
>>
>> 3 of the unencrypted connections are from the personal servers of
>> prominent members of the XMPP community (you [hopefully] know who
>> you are). A further 2 are domains I'm responsible for (and a
>> server upgrade is already scheduled to fix them), the remaining
>> ones are gmail.com and Google-hosted domains.
>
> Hmm, those prominent members of the XMPP community need to get their
> act together. ;-)
>
> In general, one thing that might help is a very clear HOWTO on
> certificate provisioning, installation, and testing. That way, when
> more domains start requiring secure s2s we'll have a friendly manual
> at which we can point operators.

Good idea. It's easy to set up XMPP servers, but certificates etc. are always a pain in the b...

>
> Also helpful might be an automated service (xmpp.net?) that would give
> you a report about your domain's s2s security status, if you opt in of
> course.

+1 That would be cool!

>
> Peter
>
> --
> Peter Saint-Andre
> https://stpeter.im/
>
> _______________________________________________
> JDev mailing list
> Info: http://mail.jabber.org/mailman/listinfo/jdev
> Unsubscribe: [email protected]
> _______________________________________________

/Steffen
