Excuse me, but why would anyone wish to use a non-trusted CA and open themselves to MITM attacks when there are even recognized CAs which offer certificates for free? (StartSSL comes to mind first...)
Running any service with a self-signed certificate (and XMPP or email are even more sensitive due to the confidential nature of the data being sent over the wire) just tells that you are ignorant and careless with the privacy and data security of your users. I personally never connect to any page or service which offers me a self-signed certificate because I have no reassurance that the line is indeed "secure". My postfix also rejects all connections that do not offer valid and signed certificates. Call me paranoid, but I bet I am not alone in thinking this.

Just my thoughts...

Claudiu

Sent from my Windows Phone

-----Original Message-----
From: Peter Viskup
Sent: 16/12/2012 21:51
To: XMPP Operators Group; ejabb...@jabber.ru
Subject: [Operators] SSL certificates / private CAs / CACert issue

The original message was sent to quite a lot of recipients' lists and therefore was rejected. The only list which accepted this email was a mailing list of CAcert - an interesting discussion started there [1].

[1] https://lists.cacert.org/wws/arc/cacert/2012-12/msg00002.html

==== Original message ====

Hi all (sorry for such a wide conference, but I am sure it will be valuable),

I hope that there are many experienced admins/developers on these lists, and many of you are probably running certificates signed by your own CA on your Jabber servers too. After some experiences during the last months I feel it would be great to discuss the use of certificates signed by a 'non-public' CA on public services.

We already had some 'excessive' discussion about it with Peter Saint-Andre this year and didn't 'solve' it. The only outcome of it was that the Jabber.sk service is still not listed in the list of public services, and the only reason is that it's using a certificate signed by our internal CA. I did accept that and gave Peter more time to think about it as it doesn't harm our service at all.

Nevertheless, I just discovered that Google started to reject retrieval of emails from POP3S and IMAPS servers which use certificates from non-public CAs [1]. Unfortunately they didn't provide the list of CAs they accept (they just mentioned the Mozilla foundation's list), and they still allow retrieving these emails over unsecured POP3/IMAP channels and propose it as a workaround. It is probably planned and has something to do with the new rules of Google Apps, which are not free anymore. But this has nothing to do with XMPP.

The second issue I was fighting with (and not only once) is that the OpenFire jabber server by default doesn't accept message retrieval over an s2s connection with a jabber server using a certificate signed by a 'non-public' CA. Hopefully there is a chance to change this behavior.

Now let me go into the situation with SSL certificates in the XMPP world in more detail. Just some months ago (and it looks like these days too) CACert wasn't recognised as a publicly trusted CA by the Mozilla foundation [2] (Opera and many more too) because they didn't pass their auditing. But at that time almost all of the jabber servers and clients already accepted certificates signed by them as 'secure'. It looks like the XMPP foundation's proposal to use CACert as one of the possible CAs was the only argument for acceptance.

The developers of jabber software usually do not take care about any security requirements which a CA has to pass before it is added to the list of 'secure' public CAs they recognise. I just checked several support requests for Gajim [3,4] and other jabber clients with requests to add CACert or another CA to the list of accepted CAs, and none of the developers asked about or checked the state of the CA and the issues the CA has with this process in other projects, or at least they didn't mention that in the support requests.

I think that this restriction to use only publicly acceptable CAs for SSL/TLS communication is not correct in general and should not be enforced by Google, the XMPP foundation, OpenFire or anybody else.

A possible solution for this situation in the XMPP world could be for the XMPP foundation to provide the list of acceptable and secure CAs directly. It could maintain and provide this list for all XMPP developers. As a part of this solution, a process should be defined with clear requirements for a CA willing to be added to this list. I will accept that jabber.sk is not added to the list of public services only after this is addressed and there is some clear statement made by the XMPP foundation and/or the public XMPP service list maintainers.

As another argument for advocating that private CAs be accepted on XMPP servers, I would remind you that the XMPP network is presented as free and open, and we should take care not to steal its openness and freedom. I would like to give a chance to run any XMPP server with certificates signed by their private CA without any message rejection.

Of course there is nothing which doesn't allow me to request the signing of my certificate by CACert or another CA and probably pay some price for it. This is just my choice, and I am asking if the XMPP 'world' is ready and able to accept that, as I do not see any advantage of publicly accepted CAs in the XMPP network at this time.

There is also another possibility to limit such issues with connections not accepted due to certificate rejections - ask the developers of all mainstream XMPP software (server and client) to add CA into their lists. But I do not find it an appropriate and correct solution and would like to open a wide discussion about it instead.

Appreciate all meaningful posts in advance.

(sorry for my English)

[1] http://support.google.com/mail/bin/answer.py?hl=en&hlrm=en&ctx=gmail&answer=21291#strictSSL
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=215243#c158
[3] https://trac.gajim.org/ticket/3329
[4] https://trac.gajim.org/ticket/5569

Best regards,
--
Peter Viskup
admin of one small public jabber.sk