[Members] More security: A manifesto update

Ludovic BOCQUET lbxmpp at live.com
Thu Jan 8 22:54:10 UTC 2015


Dear all,

Some months ago (more than one year), I requested that SSLv3
compatibility and the very old port 5223 be removed from various XMPP
clients/servers/services (not included in the current manifesto).

Some months ago, POODLE was announced for SSLv3, and a little later
for TLS 1.0/1.1 too.
- https://www.imperialviolet.org/2014/10/14/poodle.html
- https://www.imperialviolet.org/2014/12/08/poodleagain.html

Today, one month after POODLE TLS, I think it would be nice to update
the manifesto (launched one year ago):
- https://github.com/stpeter/manifesto/blob/master/manifesto.txt
- http://stpeter.im/journal/1496.html

With:
- no port 5223
- no SSLv3
- no TLS 1.0 (no TLS 1.1 either would be perfect)
- no ciphers like RC4 (and other weak/very weak ciphers)
- no PLAIN (only secured C2S/S2S connections - StartTLS required with
SCRAM-SHA-1)
- no DIGEST-MD5 (only secured C2S/S2S connections - StartTLS required
with SCRAM-SHA-1)
- 2048-bit certificates or more (4096 bits would be perfect, but...)

Note: SHA-1 will be discontinued soon, so it may be good to look at
SHA-256 certificates and stronger:
- http://googleonlinesecurity.blogspot.co.uk/2014/09/gradually-sunsetting-sha-1.html
- https://support.servertastic.com/deprecation-of-sha1-and-moving-to-sha2/

Some information:
- https://tools.ietf.org/html/draft-ietf-uta-xmpp-04
- https://tools.ietf.org/html/draft-ietf-tls-prohibiting-rc4-01

Thanks in advance,

Regards,

BOCQUET Ludovic
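As an added illustration of the client-side checks the list above implies (example code written for this page, not from the post, the manifesto or any XMPP project), the following Python builds a TLS context that refuses SSLv3, TLS 1.0/1.1 and RC4-class ciphers, reads the SASL mechanisms from a constructed <stream:features> stanza, and refuses to authenticate with PLAIN or DIGEST-MD5. The helper names, the cipher string and the sample stanza are assumptions.

```python
import ssl
import xml.etree.ElementTree as ET

# Constructed sample of what a server sends after the stream header
# (not captured from any real server).
SAMPLE_FEATURES = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism>
    <mechanism>DIGEST-MD5</mechanism>
    <mechanism>SCRAM-SHA-1</mechanism>
  </mechanisms>
</stream:features>"""

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
# Only SCRAM-SHA-1 (and its channel-binding variant) are acceptable here.
ACCEPTABLE_MECHS = ("SCRAM-SHA-1-PLUS", "SCRAM-SHA-1")
# OpenSSL cipher string (assumed policy): strong suites only, no anonymous,
# RC4, MD5 or 3DES suites.
STRONG_CIPHERS = "HIGH:!aNULL:!eNULL:!RC4:!MD5:!3DES"

def make_client_context(cafile=None):
    """TLS context that refuses SSLv3, TLS 1.0, TLS 1.1 and weak ciphers."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)
    return ctx

def weak_ciphers_enabled(ctx):
    """Names of any enabled suite that still uses RC4, MD5, DES, NULL or EXPORT."""
    bad = ("RC4", "MD5", "DES", "NULL", "EXP")
    return [c["name"] for c in ctx.get_ciphers() if any(b in c["name"] for b in bad)]

def parse_features(xml_text):
    """Return (starttls_offered, starttls_required, set of SASL mechanisms)."""
    root = ET.fromstring(xml_text)  # constructed input; use defusedxml for real peers
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    required = starttls is not None and starttls.find(f"{{{NS_TLS}}}required") is not None
    mechs = {m.text.strip() for m in root.iter(f"{{{NS_SASL}}}mechanism") if m.text}
    return starttls is not None, required, mechs

def choose_sasl_mechanism(offered, tls_established):
    """Pick SCRAM-SHA-1; never fall back to PLAIN/DIGEST-MD5, never auth in clear."""
    if not tls_established:
        raise ValueError("StartTLS must complete before authentication")
    for mech in ACCEPTABLE_MECHS:
        if mech in offered:
            return mech
    raise ValueError(f"server offers only forbidden mechanisms: {sorted(offered)}")
```

The cipher string only governs TLS 1.2 suites; TLS 1.3 suites are selected by OpenSSL separately and are all AEAD.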
