[Operators] How-to fight with SPAM accounts
Jesse Thompson
jesse.thompson at doit.wisc.edu
Wed Nov 25 12:18:14 CST 2009
Philipp Hancke wrote:
> Peter Saint-Andre wrote:
>> As I always say, we don't need to be perfect, just more difficult to
>> attack than other networks. Part of raising the cost (mostly the cost in
>> time) would involve requiring TLS with CA-issued certificates for s2s
>> (perhaps we can get there eventually!). But as you say there is no magic
>
> If getting there was possible, why is that solution not applied to SMTP?
>
> Besides, the TLS situation on s2s is a huge mess... and will continue to
> be so while you accept "bogus certificates" (as defined below) at
> jabber.org.
> The problem is mostly limited to what is called "starttls+dialback".
> Since that had never been officially specified, it seems that developers
> ignored possible interactions.
>
> Definition of a bogus certificate:
> * subject does contain the hostname (especially: CN=ejabberd)
> * subject is valid but certificate is expired - even expired since
> January 2009.
> * certificate is revoked (that even worked with 0178 style auth when
> I tested it)
> * ...
> Note that I did not include self-signed certificates or certificates
> issued by a CA which is not well-known. Those are probably better
> handled in a ssh-like approach.
>
> Just another piece of "not really relevant" criticism.
>
> philipp
The TLS situation will not be improved until there is a way for a domain
owner to delegate (via SRV records perhaps) which server provides their
XMPP service. We host over 250 email domains, and one of the reasons
why we don't enable them all for XMPP is because we can't practically
manage that many certificates. The idea that Google Talk will be able
to practically, or ethically, manage thousands of valid matching signed
certificates is preposterous.
Jesse
--
Jesse Thompson
Division of Information Technology, University of Wisconsin-Madison
Email/IM: jesse.thompson at doit.wisc.edu
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3317 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.jabber.org/pipermail/operators/attachments/20091125/782efd47/attachment.bin>
More information about the Operators
mailing list