[jdev] Securing XMPP

Simon Tennant simon at buddycloud.com
Thu Aug 29 09:00:53 UTC 2013


On 28 August 2013 18:28, Matthew Wild <mwild1 at gmail.com> wrote:

> > http://wiki.xmpp.org/web/Securing_XMPP
>
> Only feedback so far: you might want to clarify the "single
> domain"/"multiple domain" thing - DANE is not a requirement for
> securely hosting multiple domains on a single server. I think that
> might confuse people.
>

It's confusing me too. As I understand the current state of things:

If I lookup the SRV record for example.com, connect to the server and the
certificate matches servername.example.com, I can be pretty certain that
I'm talking to the right server.

However, if example.com returns a SRV record for server.xmpp-hosting.com,
we're dealing with a different beast and DANE / POSHy things need to start
happening to avoid DNS spoofing. (I'm assuming example.com's owner don't
want to be lodging private certs with their XMPP vhosting provider).

- Is there any reason to worry about DANE stuff for a single domain XMPP
setup?

- Is Prosody really the only server that supports DANE?

S.
-- 
Simon Tennant | buddycloud.com | +49 17 8545 0880 | office hours:
goo.gl/tQgxP
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/jdev/attachments/20130829/2db82dd2/attachment.html>


More information about the JDev mailing list