[jdev] Heml.is and federation..

Peter Saint-Andre stpeter at stpeter.im
Tue Jul 16 19:36:48 UTC 2013

Hash: SHA1

On 7/12/13 10:51 PM, Steffen Larsen wrote:
> Hi Peter! :-)
> On Jul 13, 2013, at 4:23 AM, Peter Saint-Andre <stpeter at stpeter.im>
> wrote:
> Hi Matthew! :-)
> On 7/12/13 5:34 PM, Matthew Wild wrote:
>>>> On 12 July 2013 22:06, Peter Saint-Andre
>>>> <stpeter at stpeter.im> wrote:
>>>>> Really it's a crime that we don't have ubiquitous s2s and
>>>>> e2e encryption by now
>>>> As you may know, we thought very seriously about making the 
>>>> default behaviour for the next release of Prosody to require 
>>>> trusted and valid certificates on all s2s connections.
>>>> Ultimately we decided against it, for now. But I remain
>>>> optimistic that we shall do so in a future version (perhaps
>>>> after making a POSH verification module available).
> Sounds good. I do think we're making progress, although I'm
> frustrated that it's as slow as it is.
>> +1 even though I do nothing my self, so I can blame my self as
>> well. :-) How can I actually help out? reading up on POSH and
>> friends?
>>>>> but I suppose in fairness to us these are hard problems...
>>>> Name another protocol as widespread as XMPP that has solved
>>>> them so far...? :)
> True.
>>>> At least I think we're on the right track, but with things
>>>> like this I think it takes baby-steps. We have come a long
>>>> way, many clients and servers require encryption on c2s now
>>>> which simply wasn't true a few years ago.
> Yes, I am hoping / planning to do that at jabber.org before too
> much more time goes by. But one thing at a time.
>>>> PS. Anecdotal, but currently on my server:
>>>> 40 "secure" incoming s2s connections (trusted+valid
>>>> certificate) 37 encrypted with invalid/self-signed
>>>> certificates 10 not encrypted at all
>>>> 3 of the unencrypted connections are from the personal
>>>> servers of prominent members of the XMPP community (you
>>>> [hopefully] know who you are). A further 2 are domains I'm
>>>> responsible for (and a server upgrade is already scheduled to
>>>> fix them), the remaining ones are gmail.com and Google-hosted
>>>> domains.
> Hmm, those prominent members of the XMPP community need to get
> their act together. ;-)
> In general, one thing that might help is a very clear HOWTO on 
> certificate provisioning, installation, and testing. That way,
> when more domains start requiring secure s2s we'll have a friendly
> manual at which we can point operators.
>> Good idea. Its easy to setup XMPP servers, but certificates etc.
>> are always pain in the b...

Yes, and it's a PITA that I need to fumble with my keys in order to
walk into my house. Security isn't easy. :-)

I do think that a friendly XMPP-certificates HOWTO would help.

> Also helpful might be an automated service (xmpp.net?) that would
> give you a report about your domain's s2s security status, if you
> opt in of course.
>> +1 That would be cool!

OK, that sounds like a fun project. ;-)


- -- 
Peter Saint-Andre

Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/


More information about the JDev mailing list