[jdev] Securing XMPP

Thijs Alkemade thijs at xnyhps.nl
Fri Sep 6 23:24:26 UTC 2013


On 6 sep. 2013, at 22:24, Dave Cridland <dave at cridland.net> wrote:

> I may be talking rubbish, but shouldn't the server be overriding the client's order by default anyway?

Practically no server overrides the client's preference. I noticed only ~3
non-public servers do it.

I'm really not sure what side is best here.

On the one hand, it's the user whose data needs to be protected here. In
theory I think the tradeoffs are up to them (like "when you would have to
chose, would you rather have 256 bit encryption or forward secrecy?"). In
practice few clients (if any) let the user pick a cipher list and many of
those hard-coded lists are really bad, putting RC4-MD5 at the top.

So in my opinion, servers should first try to improve their security by
disabling the ciphers they don't want clients to use. Only when that is not
enough should they override the client's order.

Thijs 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.jabber.org/pipermail/jdev/attachments/20130907/c9dbf13c/attachment.pgp>


More information about the JDev mailing list