[Operators] requiring channel encryption

Jesse Thompson jesse.thompson at doit.wisc.edu
Thu May 1 08:00:28 CDT 2008


Jonathan Schleifer wrote:
> Peter Saint-Andre <stpeter at stpeter.im> wrote:
>> Perhaps at jabber.org we will require c2s encryption before we require
>> s2s encryption. But I think it's worthwhile to make the effort...
> 
> I think the other way around would be more useful. First, force those
> who have the knowledge to fix it in a few minutes (it's just generating
> a cert and one option - in every Jabber server). If that succeeded, we
> can force those who maybe have less knowledge and need some time to
> figure it out.
> Anyway, forcing it for s2s would be achievable faster than having all
> clients use STARTTLS by default.
> Thus, I'd recommend trying to force TLS for s2s first.

I disagree.  Encrypting passwords is much more important than encrypting 
s2s content.  Protecting the password is a concern for 100% of users. 
Protecting the content of s2s conversations is important, but I doubt 
that more than 5% of users really need it (not everyone uses s2s, and 
not everyone that uses s2s puts sensitive data in a chat conversation.)

This is especially potent now, considering the number of "open" wireless 
access points available.  If you don't encrypt your password when you 
are using an untrusted network, you are risking exposure.  s2s traffic 
is traversing comparatively trustworthy network paths.

The EDU sector is currently being barraged with spear phishing campaigns 
by spammers trying to obtain the authentication credentials from users. 
We've seen first hand how valuable these credentials are to the spammers.

Jesse

-- 
   Jesse Thompson
   Email/IM: jesse.thompson at doit.wisc.edu
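An added illustration of the c2s side of this thread (example code, not from the list, jabber.org, or any server project): a small Python check of what a server advertises in its stream features, since the point above is that a client can be offered a PLAIN password mechanism before the server requires STARTTLS. The feature sets and the hostnames are constructed; `probe()` is the same check against a live server and is the only function that touches the network.

```python
import re
import socket
import xml.etree.ElementTree as ET

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
STREAM_NS = "http://etherx.jabber.org/streams"
FEATURES_RE = re.compile(r"<stream:features\s*/>|<stream:features>.*?</stream:features>", re.S)

def stream_header(domain, ns="jabber:client"):
    """Opening header a client (jabber:client) or a peer server (jabber:server)
    sends; the server answers with its <stream:features/>."""
    return ('<?xml version="1.0"?><stream:stream to="%s" xmlns="%s" '
            'xmlns:stream="%s" version="1.0">' % (domain, ns, STREAM_NS))

def _parse(features_xml):
    # Wrap the fragment so the stream: prefix resolves for the XML parser.
    wrapped = '<stream:stream xmlns:stream="%s" xmlns="jabber:client">%s</stream:stream>' % (STREAM_NS, features_xml)
    return ET.fromstring(wrapped)

def starttls_policy(features_xml):
    """'required', 'optional' or 'absent' for the STARTTLS stream feature."""
    starttls = _parse(features_xml).find(".//{%s}starttls" % TLS_NS)
    if starttls is None:
        return "absent"
    return "required" if starttls.find("{%s}required" % TLS_NS) is not None else "optional"

def plaintext_password_risk(features_xml):
    """True when PLAIN is offered without STARTTLS being mandatory: the
    password can cross an untrusted network (an open WLAN) in the clear."""
    mechs = [m.text for m in _parse(features_xml).iter("{%s}mechanism" % SASL_NS)]
    return "PLAIN" in mechs and starttls_policy(features_xml) != "required"

def probe(host, port=5222, ns="jabber:client", timeout=5.0):
    """Live check of one server you operate (network call; samples below run offline)."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(stream_header(host, ns).encode())
        while not FEATURES_RE.search(buf.decode(errors="replace")):
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    m = FEATURES_RE.search(buf.decode(errors="replace"))
    return starttls_policy(m.group(0)) if m else "absent"

# Constructed sample feature sets (not captured from any real server).
C2S_STRICT = '<stream:features><starttls xmlns="%s"><required/></starttls><mechanisms xmlns="%s"><mechanism>PLAIN</mechanism></mechanisms></stream:features>' % (TLS_NS, SASL_NS)
C2S_LAX = '<stream:features><starttls xmlns="%s"/><mechanisms xmlns="%s"><mechanism>PLAIN</mechanism></mechanisms></stream:features>' % (TLS_NS, SASL_NS)
S2S_NONE = '<stream:features><dialback xmlns="urn:xmpp:features:dialback"/></stream:features>'
```

`probe("xmpp.example.org")` returns the policy for a server's c2s port; pass `ns="jabber:server"` and port 5269 for the s2s side.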