[Operators] How-to fight with SPAM accounts

Jesse Thompson jesse.thompson at doit.wisc.edu
Wed Nov 25 12:18:14 CST 2009


Philipp Hancke wrote:
> Peter Saint-Andre wrote:
>> As I always say, we don't need to be perfect, just more difficult to
>> attack than other networks. Part of raising the cost (mostly the cost in
>> time) would involve requiring TLS with CA-issued certificates for s2s
>> (perhaps we can get there eventually!). But as you say there is no magic
> 
> If getting there was possible, why is that solution not applied to SMTP?
> 
> Besides, the TLS situation on s2s is a huge mess... and will continue to
> be so while you accept "bogus certificates" (as defined below) at
> jabber.org.
> The problem is mostly limited to what is called "starttls+dialback".
> Since that had never been officially specified, it seems that developers
> ignored possible interactions.
> 
> Definition of a bogus certificate:
> * subject does contain the hostname (especially: CN=ejabberd)
> * subject is valid but certificate is expired - even expired since
>   January 2009.
> * certificate is revoked (that even worked with 0178 style auth when
>   I tested it)
> * ...
> Note that I did not include self-signed certificates or certificates 
> issued by a CA which is not well-known. Those are probably better
> handled in a ssh-like approach.
> 
> Just another piece of "not really relevant" criticism.
> 
> philipp

The TLS situation will not be improved until there is a way for a domain 
owner to delegate (via SRV records perhaps) which server provides their 
XMPP service.  We host over 250 email domains, and one of the reasons 
why we don't enable them all for XMPP is because we can't practically 
manage that many certificates.  The idea that Google Talk will be able 
to practically, or ethically, manage thousands of valid matching signed 
certificates is preposterous.

Jesse

-- 
   Jesse Thompson
   Division of Information Technology, University of Wisconsin-Madison
   Email/IM: jesse.thompson at doit.wisc.edu
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3317 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.jabber.org/pipermail/operators/attachments/20091125/782efd47/attachment.bin>


More information about the Operators mailing list