[Operators] requiring channel encryption

Jesse Thompson jesse.thompson at doit.wisc.edu
Mon May 12 08:28:01 CDT 2008


Peter Saint-Andre wrote:
> On 05/01/2008 7:00 AM, Jesse Thompson wrote:
>> Jonathan Schleifer wrote:
>>> Peter Saint-Andre <stpeter at stpeter.im> wrote:
>>>> Perhaps at jabber.org we will require c2s encryption before we require
>>>> s2s encryption. But I think it's worthwhile to make the effort...
>>> I think the other way around would be more useful. First, force those
>>> who have the knowledge to fix it in a few minutes (it's just generating
>>> a cert and one option - in every Jabber server). If that succeeded, we
>>> can force those who maybe have less knowledge and need some time to
>>> figure it out.
>>> Anyway, forcing it for s2s would be faster achievable than having all
>>> clients use STARTTLS by default.
>>> Thus, I'd recommend trying to force TLS for s2s first.
>> I disagree.  Encrypting passwords is much more important than encrypting
>> s2s content.  Protecting the password is a concern for 100% of users.
>> Protecting the content of s2s conversations is important, but I doubt
>> that more than 5% of users really need it (not everyone uses s2s, and
>> not everyone that uses s2s puts sensitive data in a chat conversation
> 
> Do you mean encrypting them over the wire or in the backend account store?

I meant over the wire.

Hashing the passwords on the store is a great idea too.

Jesse

-- 
  Jesse Thompson
  Email/IM: jesse.thompson at doit.wisc.edu