Hi all,

A little note, but a very important one: port 5223 has been deprecated since 2004.
Regards,
BOCQUET Ludovic
An XSF member
XMPP Standards Foundation
http://xmpp.org/

On 21/03/2013 01:38, Peter Viskup wrote:
> On 12/17/2012 12:13 AM, Peter Viskup wrote:
>> I do understand the role of SSL and CAs well.
>> Let me share some words of one of the CACerts people (from the
>> mailing thread I posted in the beginning):
>> "One of the problems with CAcert: They sign certificates without any
>> assurance of the issuer - the same as what StartCom does for class 1
>> certificates, but StartCom is usually trusted by all major web
>> browsers.
>> If CAcert would offer certificate signing *only* for assured members,
>> this would already improve security and trustworthiness, since then you
>> can be sure that a CAcert signed certificate is issued by a *known*
>> person and not just by someone who has control over the mail server
>> of a domain."
>>
>> I do understand that a list of trusted CAs could lead to "higher"
>> security, but if we (XMPP operators) do accept CACert or StartCom
>> then there could be no issue with accepting other CAs. What rules
>> were followed in accepting these CAs?
>>
>> The other case is:
>> you told me I am ignorant because I do not follow some standard security
>> advice and use our own CA for SSL/TLS on our public services. I
>> fully agree with the security standards and best practices, but the
>> question is - how many servers use certificates which are not
>> signed by a trusted CA in the XMPP (or SMTP) world? And if the number is
>> higher than 1-10-20-40-100-1000-Idon'tknowhowmany - aren't you the one
>> ignorant of the reality?
>> This is the reason for the discussion - to recognize how many servers are
>> using such certificates and/or certificates of CACert or other
>> low-cost/problematic CAs (StartCom, [compromised]
>> Verisign?, [compromised] whatever-else).
>> ...and to come to some consensus regarding these issues in the end.
>>
>> Anyway, the CA world in general is in crisis and there are many voices
>> calling for something which will solve all SPOFs in this design. This
>> is another grey point on the CA design which should be kept in mind.
>>
>> These are links to both threads:
>> [1] ejabberd
>> http://lists.jabber.ru/pipermail/ejabberd/2012-December/007894.html
>> [2] XMPP operators
>> http://mail.jabber.org/pipermail/operators/2012-December/001528.html
>>
>> --
>> Peter Viskup
>>
>
> Dear all,
> let me share the list of XMPP servers which use 'not secure' SSL certs
> on port 5223:
>
> bbs.docksud.com.ar CN=bbs.docksud.com.ar
> jab.undernet.cz CN=Undernet.cz
> jabber.dn.ua CN=ejabberd
> jabber.freenet.de CN=USERTrust
> jabber.od.ua CN=Mickael
> jabber.org.by CN=jabber.org.by
> jabber.sk CN=TECHTIS
> jabber.stammtisch.it CN=jabber.stammtisch.it
> jabber.ulm.ccc.de CN=jabber.ulm.ccc.de
> jabber.workaround.org CN=jabber.workaround.org
> jabber.yorktondigital.ca CN=John
> jabberpl.org CN=Certification
> jid.pl CN=jid.pl
> jis.mit.edu CN=ejabberd
> phcn.de CN=phcn.de
> silper.cz CN=Frenky
> tidesofwar.net CN=tidesofwar.net
> tigase.org CN=*.default
> tigase.org CN=default
> xmpp.org.ru CN=jabber.ttn.ru
>
> CN is the common name of the issuer of that cert. I didn't perform a
> deeper analysis. This is just an incomplete view of the issue with the
> servers not using [CACert,StartSSL]-signed certs.
> I wasn't able to get the certs from all servers and filtered all with
> an issuer of one of these: "/CAcert|StartCom|CA Cert|Thawte|RapidSSL/".
> I checked 213 servers (list from jabberes.org or coccinella stats) and
> got SSL info on port 5223 from 94 servers only (openssl s_client), and
> 20 of them have installed 'wrong' certs.
> Hope this helped to see the reality a little (as it is not complete
> :-) ).
>
> It would be great to have a closer look at the reality with more
> information.
>
> Best regards,
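The check Peter describes (openssl s_client against port 5223, then filtering on the certificate issuer) as an added Python example, not code from this thread; it shells out to openssl, reuses the issuer regex from the post, and goes one step further by separating self-signed certificates from those with merely unknown issuers. The two sample outputs are constructed, not captured from any listed host, and the function and variable names are mine.

```python
import re
import subprocess

# Issuer regex taken from the survey in the thread; anything else counts as 'wrong'.
TRUSTED_ISSUER_RE = re.compile(r"CAcert|StartCom|CA Cert|Thawte|RapidSSL")

# Constructed sample outputs of `openssl x509 -noout -issuer -subject -enddate`:
# a self-signed ejabberd default cert (new DN style) and a CA-signed cert (old style).
SAMPLE_SELF_SIGNED = """issuer=CN = ejabberd
subject=CN = ejabberd
notAfter=Dec 31 23:59:59 2014 GMT
"""
SAMPLE_CA_SIGNED = """issuer= /C=IL/O=StartCom Ltd./CN=StartCom Class 1 Primary Intermediate Server CA
subject= /CN=jabber.example.org
notAfter=Mar 21 00:00:00 2014 GMT
"""

def parse_x509_summary(text):
    """Turn the issuer=/subject=/notAfter= lines printed by openssl into a dict."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("issuer", "subject", "notAfter"):
            info[key.strip()] = value.strip()
    return info

def common_name(dn):
    """Pull the CN out of either 'CN = x, O = y' or '/O=y/CN=x' DN formatting."""
    m = re.search(r"CN\s*=\s*([^,/]+)", dn)
    return m.group(1).strip() if m else None

def classify(info):
    """'trusted-issuer' per the survey regex, 'self-signed' if issuer == subject, else 'unknown-issuer'."""
    issuer = info.get("issuer", "")
    if TRUSTED_ISSUER_RE.search(issuer):
        return "trusted-issuer"
    if issuer and issuer == info.get("subject"):
        return "self-signed"
    return "unknown-issuer"

def fetch_summary(host, port=5223, timeout=10):
    """Fetch the server certificate the way the survey did (openssl s_client).
    Legacy port 5223 speaks TLS from the first byte, so no STARTTLS step is needed."""
    client = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}",
                             "-servername", host], input=b"", capture_output=True, timeout=timeout)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-issuer", "-subject", "-enddate"],
                          input=client.stdout, capture_output=True, timeout=timeout)
    return parse_x509_summary(x509.stdout.decode(errors="replace"))
```

To audit one of your own servers, call `classify(fetch_summary("jabber.example.org"))` and also look at `notAfter`, since an expired cert from a trusted issuer is just as much a problem for clients as an unknown one.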