Re: [Standards] field report on authentication methods
Thu, 9 Aug 2018 10:54:17 -0600 Peter Saint-Andre wrote:
> whereas 4% for XEP-0078 is a fairly large percentage. I'd want to
> do further investigation regarding client versions before shutting off
> 4% of our users...

I'm 99% confident that those 4% are in fact bots using abandonware (most likely some monitoring tools). Strictly speaking you don't cut off users, but only automated software.

___
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
___
Re: [Standards] field report on authentication methods
On 8/9/18 9:51 AM, Sam Whited wrote:
> This is great stuff, thanks Peter! I'd love it if we could use jabber.org
> more; it's easy to forget that we have a great source of data about the
> network at our fingertips.
>
> Given how small the percentage of logins over CRAM-MD5 and XEP-0078 are, can
> we disable those? Anything under 10% feels worth killing to me.

I'd be curious what cutoff percentages other services use, for instance when stopping support for earlier versions of SSL or TLS.

Less than 1% for CRAM-MD5 seems fine (I don't even know what clients support that and why), whereas 4% for XEP-0078 is a fairly large percentage. I'd want to do further investigation regarding client versions before shutting off 4% of our users...

Peter
Re: [Standards] field report on authentication methods
This is great stuff, thanks Peter! I'd love it if we could use jabber.org more; it's easy to forget that we have a great source of data about the network at our fingertips.

Given how small the percentage of logins over CRAM-MD5 and XEP-0078 are, can we disable those? Anything under 10% feels worth killing to me.

—Sam

On Thu, Aug 9, 2018, at 10:24, Peter Saint-Andre wrote:
> Out of curiosity, I recently looked at successful logins on jabber.org
> over a series of days (all over TLS, of course). The methods used were:
>
> SCRAM-SHA-1           46.68%
> DIGEST-MD5            38.65%
> SASL PLAIN            10.03%
> plaintext (XEP-0078)   3.97%
> CRAM-MD5               0.67%
>
> It's interesting that DIGEST-MD5 is still so widely used, despite
> interoperability problems over the years. And 4% use of XEP-0078
> indicates that there are still some really old clients out there (it's
> been almost 14 years since the publication of RFC 3920).
[Standards] field report on authentication methods
Out of curiosity, I recently looked at successful logins on jabber.org over a series of days (all over TLS, of course). The methods used were:

SCRAM-SHA-1           46.68%
DIGEST-MD5            38.65%
SASL PLAIN            10.03%
plaintext (XEP-0078)   3.97%
CRAM-MD5               0.67%

It's interesting that DIGEST-MD5 is still so widely used, despite interoperability problems over the years. And 4% use of XEP-0078 indicates that there are still some really old clients out there (it's been almost 14 years since the publication of RFC 3920).

Peter