[Members] More security: A manifesto update
Ludovic BOCQUET
lbxmpp at live.com
Thu Jan 8 22:54:10 UTC 2015
Dear all,
Some months ago (more than one year), I requested the removal of SSLv3
compatibility and the very old 5223 port in various XMPP
clients/servers/services (not added to the current manifesto).
Some months ago, Poodle was announced for SSLv3 and a little later
for TLS 1.0/1.1 too.
- https://www.imperialviolet.org/2014/10/14/poodle.html
- https://www.imperialviolet.org/2014/12/08/poodleagain.html
Today, after one month (Poodle TLS), I think it would be nice to update
the manifesto (launched one year ago):
- https://github.com/stpeter/manifesto/blob/master/manifesto.txt
- http://stpeter.im/journal/1496.html
With:
- no 5223 port
- no TLS 1.0 (no TLS 1.1 either would be perfect)
- no SSLv3
- no ciphers like RC4 (and other weak/very weak ciphers)
- no PLAIN (only secured C2S/S2S connections - StartTLS required with
SCRAM-SHA-1)
- no DIGEST-MD5 (only secured C2S/S2S connections - StartTLS required
with SCRAM-SHA-1)
- 2048-bit certificates and more (4096 bits would be perfect but...)
Attention: SHA-1 will be stopped soon, so it may be good to look at
SHA-256 certificates and above:
- http://googleonlinesecurity.blogspot.co.uk/2014/09/gradually-sunsetting-sha-1.html
- https://support.servertastic.com/deprecation-of-sha1-and-moving-to-sha2/
Some information:
- https://tools.ietf.org/html/draft-ietf-uta-xmpp-04
- https://tools.ietf.org/html/draft-ietf-tls-prohibiting-rc4-01
Thanks in advance,
Regards,
BOCQUET Ludovic
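The rules proposed in the message above, turned into a small audit, as an added example that is not part of the original post or the manifesto: one function checks a server's pre-TLS `<stream:features>` stanza (STARTTLS marked required, no PLAIN or DIGEST-MD5, SCRAM-SHA-1 present), the other checks what the TLS handshake negotiated (port, protocol, cipher, key size, signature hash). The stanza and the handshake dictionary are constructed samples; the dictionary's field names are this example's own, not the output shape of any library.

```python
import xml.etree.ElementTree as ET

NS_TLS = "{urn:ietf:params:xml:ns:xmpp-tls}"
NS_SASL = "{urn:ietf:params:xml:ns:xmpp-sasl}"
BANNED_MECHS = {"PLAIN", "DIGEST-MD5"}
BANNED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "NULL", "EXPORT", "DES-")  # DES- also catches 3DES suites

def audit_stream_features(xml_text, tls_established=False):
    """Findings for one <stream:features> stanza; an empty list means compliant."""
    root = ET.fromstring(xml_text)
    findings = []
    if not tls_established:  # STARTTLS rules only matter on the cleartext stream
        starttls = root.find(NS_TLS + "starttls")
        if starttls is None:
            findings.append("STARTTLS not advertised")
        elif starttls.find(NS_TLS + "required") is None:
            findings.append("STARTTLS advertised but not marked <required/>")
    mechs = [m.text.strip() for m in root.iter(NS_SASL + "mechanism") if m.text]
    for m in mechs:
        if m in BANNED_MECHS:
            findings.append("SASL %s offered%s" % (m, "" if tls_established else " before TLS"))
    if mechs and "SCRAM-SHA-1" not in mechs:
        findings.append("SCRAM-SHA-1 not offered")
    return findings

def audit_tls(params):
    """params: dict of what the handshake negotiated (constructed shape, not a library's)."""
    findings = []
    if params["port"] == 5223:
        findings.append("legacy SSL-wrapped port 5223 in use")
    if params["protocol"] in BANNED_PROTOCOLS:
        findings.append("%s negotiated" % params["protocol"])
    if any(marker in params["cipher"] for marker in WEAK_CIPHER_MARKERS):
        findings.append("weak cipher %s" % params["cipher"])
    if params["key_bits"] < 2048:
        findings.append("certificate key only %d bits" % params["key_bits"])
    if params["sig_hash"].lower() in ("sha1", "md5"):
        findings.append("certificate signed with %s" % params["sig_hash"])
    return findings

# Constructed sample of what a legacy server might advertise before STARTTLS.
LEGACY_FEATURES = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism><mechanism>DIGEST-MD5</mechanism>
  </mechanisms>
</stream:features>"""
LEGACY_TLS = {"port": 5223, "protocol": "TLSv1", "cipher": "RC4-SHA",
              "key_bits": 1024, "sig_hash": "sha1"}
```

Running `audit_stream_features(LEGACY_FEATURES)` and `audit_tls(LEGACY_TLS)` lists every rule the sample breaks; a server that requires STARTTLS, offers only SCRAM-SHA-1, and negotiates TLS 1.2 with a modern cipher on port 5222 produces two empty lists.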