[Operators] requiring channel encryption
Jesse Thompson
jesse.thompson at doit.wisc.edu
Thu May 1 08:00:28 CDT 2008
Jonathan Schleifer wrote:
> Peter Saint-Andre <stpeter at stpeter.im> wrote:
>> Perhaps at jabber.org we will require c2s encryption before we require
>> s2s encryption. But I think it's worthwhile to make the effort...
>
> I think the other way around would be more useful. First, force those
> who have the knowledge to fix it in a few minutes (it's just generating
> a cert and one option - in every Jabber server). If that succeeded, we
> can force those who maybe have less knowledge and need some time to
> figure it out.
> Anyway, forcing it for s2s would be achievable faster than having all
> clients use STARTTLS by default.
> Thus, I'd recommend trying to force TLS for s2s first.
I disagree. Encrypting passwords is much more important than encrypting
s2s content. Protecting the password is a concern for 100% of users.
Protecting the content of s2s conversations is important, but I doubt
that more than 5% of users really need it (not everyone uses s2s, and
not everyone who uses s2s puts sensitive data in a chat conversation).
This is especially potent now, considering the number of "open" wireless
access points available. If you don't encrypt your password when you
are using an untrusted network, you are risking exposure. s2s traffic
is traversing comparatively trustworthy network paths.
The EDU sector is currently being barraged with spear phishing campaigns
by spammers trying to obtain the authentication credentials from users.
We've seen first-hand how valuable these credentials are to the spammers.
Jesse
--
Jesse Thompson
Email/IM: jesse.thompson at doit.wisc.edu
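The point Jesse makes is that the password is exposed at one specific moment: when a client authenticates over a c2s stream that was never encrypted. Below is an added example, not code from this thread or from any Jabber server project, that checks exactly that. It parses the <stream:features> element an XMPP server sends on a fresh, still-unencrypted client-to-server stream (RFC 3920 / RFC 6120) and reports whether STARTTLS is offered, whether it is required before authentication, and whether a plaintext-capable SASL mechanism (PLAIN, LOGIN) is advertised on the clear stream. The three feature sets at the bottom are constructed for the example; the namespace URIs are the ones the XMPP RFCs define.

```python
"""Classify a pre-TLS XMPP c2s <stream:features> element by password exposure.

Added example; not from the mailing-list thread or any server project.
The sample feature sets (REQUIRED_TLS, OPTIONAL_TLS_PLAIN, NO_TLS) are
constructed for illustration.
"""
import xml.etree.ElementTree as ET

NS_STREAMS = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# SASL mechanisms that put the password (or a password-equivalent) on the
# wire in a form a passive observer on an open access point can reuse.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def assess_c2s_features(features_xml: str) -> dict:
    """Parse one <stream:features> element sent before TLS and classify it."""
    root = ET.fromstring(features_xml)
    if root.tag != "{%s}features" % NS_STREAMS:
        raise ValueError("expected a stream:features element, got %s" % root.tag)

    starttls = root.find("{%s}starttls" % NS_TLS)
    tls_offered = starttls is not None
    tls_required = tls_offered and starttls.find("{%s}required" % NS_TLS) is not None

    # Mechanisms advertised on the unencrypted stream. A server that makes
    # TLS mandatory should advertise only <starttls/> here and send the
    # <mechanisms/> list again after the stream is encrypted.
    mechanisms = sorted(
        m.text.strip()
        for m in root.iterfind("{%s}mechanisms/{%s}mechanism" % (NS_SASL, NS_SASL))
        if m.text
    )
    plaintext_offered = sorted(set(mechanisms) & PLAINTEXT_MECHS)
    password_exposed = bool(plaintext_offered) and not tls_required

    if tls_required:
        verdict = "password protected: STARTTLS is mandatory before authentication"
    elif password_exposed:
        verdict = "password exposed: %s offered on an unencrypted stream" % ", ".join(plaintext_offered)
    elif tls_offered:
        verdict = "depends on the client: STARTTLS is optional, no plaintext mechanism advertised"
    else:
        verdict = "no STARTTLS: this stream cannot be encrypted at all"

    return {
        "tls_offered": tls_offered,
        "tls_required": tls_required,
        "mechanisms": mechanisms,
        "plaintext_offered": plaintext_offered,
        "password_exposed": password_exposed,
        "verdict": verdict,
    }


# Constructed samples of what a server might send as its first stream:features.
REQUIRED_TLS = (
    '<stream:features xmlns:stream="%s">'
    '<starttls xmlns="%s"><required/></starttls>'
    '</stream:features>' % (NS_STREAMS, NS_TLS)
)

OPTIONAL_TLS_PLAIN = (
    '<stream:features xmlns:stream="%s">'
    '<starttls xmlns="%s"/>'
    '<mechanisms xmlns="%s"><mechanism>DIGEST-MD5</mechanism>'
    '<mechanism>PLAIN</mechanism></mechanisms>'
    '</stream:features>' % (NS_STREAMS, NS_TLS, NS_SASL)
)

NO_TLS = (
    '<stream:features xmlns:stream="%s">'
    '<mechanisms xmlns="%s"><mechanism>PLAIN</mechanism></mechanisms>'
    '</stream:features>' % (NS_STREAMS, NS_SASL)
)


def audit_samples() -> dict:
    """Run the check over the constructed samples, keyed by sample name."""
    return {
        "REQUIRED_TLS": assess_c2s_features(REQUIRED_TLS),
        "OPTIONAL_TLS_PLAIN": assess_c2s_features(OPTIONAL_TLS_PLAIN),
        "NO_TLS": assess_c2s_features(NO_TLS),
    }


if __name__ == "__main__":
    for name, result in audit_samples().items():
        print("%-20s %s" % (name, result["verdict"]))
```

To use this against a live server you would open a TCP connection to port 5222, send the opening stream header, and feed the first <stream:features> you receive to assess_c2s_features(); the optional-STARTTLS-plus-PLAIN case is the one that leaves the password at the mercy of the client's own settings, which is why requiring TLS server-side (the "one option" mentioned in the quoted reply) is the fix rather than hoping every client defaults to STARTTLS.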