[jdev] manifesto 0.4

Dave Cridland dave at cridland.net
Thu Nov 7 18:37:36 UTC 2013

On Thu, Nov 7, 2013 at 12:47 PM, Alexander Holler <holler at ahsoftware.de> wrote:

> I didn't speak about production environments. The manifesto affects all
> users and a lot of them don't (have to) care about production environments.

By users we mean end-users, i.e., users on your server?

I think client platforms quite clearly count as production environments -
they are in production - but luckily consumer-grade operating systems
generally keep themselves up to date. If you've a particular platform that
concerns you, I'd appreciate knowing, but as far as I know, all up to date
consumer-grade platforms support TLSv1.2 and PFS.

One exception, at least for TLSv1.2, are the older Android phones and
tablets (pre-4.1). But as I recall (not got it in front of me) the
manifesto says to prefer TLSv1.2, but still support TLSv1.0.

> E.g. my server only has to serve my needs and nobody else's. So I can
> make a lot of compromises, up to the fact that I don't care if the NSA or
> GCHQ would be dumb enough to snoop on my communications which happens over
> my XMPP server (which isn't that much).

Your server is surely in production, isn't it?

Production means "deployed for everyday use", in my mind.

In any case, the attack vector here isn't that the NSA or GCHQ are
targeting you specifically. It's that they're targeting everyone, and
keeping that information around in case they need it later. This is why
we're suggesting encrypting everything, and with PFS, so that it's
worthless, and so they *need* to target you to snoop on you.
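The point made above (prefer TLSv1.2, and make bulk-collected traffic worthless by using forward-secret key exchange) can be checked mechanically on a server's TLS configuration. The following is an added example, not code from this thread or from the XMPP manifesto: it builds a server-side `ssl.SSLContext` that restricts pre-TLS1.3 suites to ECDHE/DHE key exchange and a contrasting context that uses static RSA key exchange (no PFS), then audits the enabled suites. It assumes an OpenSSL-backed Python `ssl` module (Python 3.7+), and sets the floor to TLSv1.2 rather than the TLSv1.0 floor the manifesto allowed in 2013, since current OpenSSL builds disable TLSv1.0 at the default security level.

```python
import ssl

# Cipher string for pre-TLS1.3 suites: only ephemeral (EC)DH key exchange,
# anonymous suites excluded. TLS 1.3 suites are always forward secret and
# are governed separately by OpenSSL, so they stay enabled.
PFS_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:ECDHE+AES:DHE+AES"
    ":!aNULL:!eNULL:!MD5:!RC4"
)

# Static RSA key exchange: the session key is encrypted to the server's
# long-term RSA key, so whoever later obtains that key can decrypt recorded
# traffic. Kept here only as the "before" configuration for the audit.
STATIC_RSA_CIPHERS = "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA"


def build_pfs_context():
    """Server context: TLSv1.2 minimum, server picks the suite, PFS only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # server order wins
    ctx.set_ciphers(PFS_CIPHERS)
    return ctx


def build_static_rsa_context():
    """Server context with non-forward-secret suites, for comparison.

    Returns None if the local OpenSSL/crypto policy refuses these suites
    entirely (some hardened distributions do), which is itself the right
    outcome.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(STATIC_RSA_CIPHERS)
    except ssl.SSLError:
        return None
    return ctx


def non_pfs_suites(ctx):
    """Return the names of enabled pre-TLS1.3 suites whose key exchange is
    not ephemeral (EC)DH. An empty list means every handshake the server
    can agree to yields a session key that its long-term key cannot recover."""
    offenders = []
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue  # TLS 1.3 key exchange is always (EC)DHE
        name = suite["name"]
        if "ECDHE" not in name and "DHE" not in name:
            offenders.append(name)
    return offenders


if __name__ == "__main__":
    pfs = build_pfs_context()
    print("PFS context, non-PFS suites:", non_pfs_suites(pfs))
    static = build_static_rsa_context()
    if static is None:
        print("static RSA suites refused by this OpenSSL build")
    else:
        print("static RSA context, non-PFS suites:", non_pfs_suites(static))
```

`non_pfs_suites` only inspects what the context will offer; pair it with `load_cert_chain` and a real listener to deploy, and re-run the audit after any OpenSSL upgrade, since the suites matched by a cipher string change between library versions.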
