[jdev] manifesto & DANE does not cut it
Ralf Skyper Kaiser
skyper at thc.org
Tue Nov 19 12:30:06 UTC 2013
On Tue, Nov 19, 2013 at 12:26 PM, Ashley Ward <ashley.ward at surevine.com> wrote:
> On 19 Nov 2013, at 11:58, Ralf Skyper Kaiser <skyper at thc.org> wrote:
> > This attack and vulnerability in the TLS authentication has been
> > recognized by all major browser manufacturers. Pinning (on top of DNSSEC) is
> > being implemented as we speak. Why jabber tries so hard at being less
> > secure than the web browser is a mystery to me.
> I guess one of the issues is that XMPP, being federated, is far more
> complicated than the straightforward client-server of the web. I’m far from
> an expert on these things but some kind of certificate pinning would
> require some extra xmpp protocol would it not? Plain DNSSEC and DANE could
> be implemented today though so my view would be let’s make sure we’re using
> the best we can do today and implement the silver standard, and then have a
> really good discussion about how to implement the gold standard
> (potentially certificate pinning, but even this has drawbacks).
Pinning does not require any protocol change in its simplest form. It can
be done with just minor changes on the client side.
> For users that absolutely require secrecy then they can still use e2e
> encryption today.
Does not help as your entire buddy list and metadata are not protected by
OTR or other jabber plugins.
> Let’s implement what we already have standards for today as a good start,
> and then, once that’s implemented, we can look at the gold standard.
> Otherwise we risk delaying for no really good reason.
I agree. No single security feature should delay the deployment of other
But let's add it to the manifesto so that we have a road-map to work
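As an added illustration of the point made above, that pinning in its simplest form needs only client-side changes, here is a small trust-on-first-use SPKI pin check in Python. It is example code written for this page, not code from the thread or any XMPP client; it assumes the client persists a map from XMPP domain to accepted SPKI SHA-256 pins, and the certificates it runs on are constructed DER skeletons with placeholder keys.

```python
import base64
import hashlib

SEQ, INT, BITSTR, CTX0 = 0x30, 0x02, 0x03, 0xA0

def tlv(tag, body):
    assert len(body) < 0x80            # short-form length suffices for the samples
    return bytes([tag, len(body)]) + body

def parse_tlv(buf, off):
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                  # long-form length, as in real certificates
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length      # (tag, value_start, value_end)

def spki_from_cert(der):
    _, s, _ = parse_tlv(der, 0)        # Certificate
    _, s, e = parse_tlv(der, s)        # tbsCertificate
    fields = []
    while s < e:
        _, _, ve = parse_tlv(der, s)
        fields.append(der[s:ve])
        s = ve
    if fields[0][0] == CTX0:           # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[5]                   # serial, sigAlg, issuer, validity, subject, SPKI

def spki_pin(cert_der):
    # pin the raw subjectPublicKeyInfo, so a renewed cert with the same key still matches
    return base64.b64encode(hashlib.sha256(spki_from_cert(cert_der)).digest()).decode()

class PinMismatch(Exception):
    pass

def check_pin(store, domain, cert_der):
    # store maps the XMPP domain (not the SRV target host) to the SPKI pins seen for it
    pin = spki_pin(cert_der)
    known = store.get(domain)
    if known is None:
        store[domain] = [pin]          # trust on first use: remember the server key
        return "first-use"
    if pin in known:
        return "match"
    raise PinMismatch(f"{domain}: server key {pin} not in pinned set {known}")

# Constructed sample certificates (placeholder keys); only the DER layout matters here.
def sample_cert(serial, spki):
    tbs = tlv(CTX0, tlv(INT, b"\x02")) + tlv(INT, serial)
    tbs += tlv(SEQ, b"") * 4 + tlv(SEQ, spki)   # signature, issuer, validity, subject
    return tlv(SEQ, tlv(SEQ, tbs) + tlv(SEQ, b"") + tlv(BITSTR, b"\x00"))

KEY_A = tlv(SEQ, b"\x06\x01\x2A") + tlv(BITSTR, b"\x00" + b"\xAA" * 32)
KEY_B = tlv(SEQ, b"\x06\x01\x2A") + tlv(BITSTR, b"\x00" + b"\xBB" * 32)
CERT_A1 = sample_cert(b"\x01", KEY_A)
CERT_A2 = sample_cert(b"\x02", KEY_A)   # renewed certificate, same key: pin still matches
CERT_B = sample_cert(b"\x03", KEY_B)    # different key: must trip the pin
```

A real client would run `check_pin` on the leaf certificate after the normal TLS handshake and refuse to send the stream header on `PinMismatch`; pinning SPKI rather than the whole certificate is what lets routine renewals pass.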