[Operators] How-to fight with SPAM accounts

Peter Saint-Andre stpeter at stpeter.im
Wed Dec 2 09:48:37 CST 2009


On 11/25/09 11:18 AM, Jesse Thompson wrote:
> Philipp Hancke wrote:
>> Peter Saint-Andre wrote:
>>> As I always say, we don't need to be perfect, just more difficult to
>>> attack than other networks. Part of raising the cost (mostly the cost in
>>> time) would involve requiring TLS with CA-issued certificates for s2s
>>> (perhaps we can get there eventually!). But as you say there is no magic
>>
>> If getting there was possible, why is that solution not applied to SMTP?
>>
>> Besides, the TLS situation on s2s is a huge mess... and will continue to
>> be so while you accept "bogus certificates" (as defined below) at
>> jabber.org.
>> The problem is mostly limited to what is called "starttls+dialback".
>> Since that had never been officially specified, it seems that developers
>> ignored possible interactions.
>>
>> Definition of a bogus certificate:
>> * subject does contain the hostname (especially: CN=ejabberd)
>> * subject is valid but certificate is expired - even expired since
>>   January 2009.
>> * certificate is revoked (that even worked with 0178 style auth when
>>   I tested it)
>> * ...
>> Note that I did not include self-signed certificates or certificates
>> issued by a CA which is not well-known. Those are probably better
>> handled in a ssh-like approach.
>>
>> Just another piece of "not really relevant" criticism.
>>
>> philipp
> 
> The TLS situation will not be improved until there is a way for a domain
> owner to delegate (via SRV records perhaps) which server provides their
> XMPP service.  We host over 250 email domains, and one of the reasons
> why we don't enable them all for XMPP is because we can't practically
> manage that many certificates.  The idea that Google Talk will be able
> to practically, or ethically, manage thousands of valid matching signed
> certificates is preposterous.

That's why we're working on Domain Name Assertions:

http://tools.ietf.org/html/draft-hildebrand-dna-00

Peter

-- 
Peter Saint-Andre
https://stpeter.im/


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6820 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.jabber.org/pipermail/operators/attachments/20091202/7f337ee1/attachment.bin>


More information about the Operators mailing list