[Operators] SSL certificates / private CAs / CACert issue

Claudiu Curcă claudiu at coderollers.com
Sun Dec 16 21:55:44 UTC 2012


From: operators-bounces at xmpp.org [mailto:operators-bounces at xmpp.org] On Behalf Of Jonas Wielicki
Sent: Sunday, 16 December 2012 22:47
To: operators at xmpp.org
Subject: Re: [Operators] SSL certificates / private CAs / CACert issue

> Hi Claudiu,
>
> > Fair point, although I find it very hard to believe that anyone nowadays still runs an email server or Jabber server and hasn't completely turned off plaintext comms. Using plaintext comms for such communication is wrong on so many levels that I don't even want to get into such a discussion.
> Agreed on the moral point. However, I'd like to see stats on how many public services allow plaintext comm and which ratio of those even accepts plaintext auth over the unencrypted channel.
>
> I, for myself, have enabled unencrypted communications on my XMPP service, even for s2s. Why? Because the documentation of the server software I use recommends it to increase interoperability. Because other servers might reject my fine CACert certificate (although I'll look into StartSSL).
>
> regards,
> Jonas W.

Unfortunately, what you say is true and no one can say otherwise. However, the truth of the matter is that this situation should be improved (mainly by convincing the Ops to use proper certificates and discourage the use of unsecured connections, and by CAs doing a better job of ending up in Trust Store lists), not the other way around. If everyone started putting security ahead of comfort, this situation would not be as it is.

Alas, this is just wishful thinking...

Claudiu
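The two questions Jonas raises above (how many services still allow plaintext, and how many of those even offer plaintext authentication over the unencrypted channel) can be answered mechanically from the `<stream:features/>` element an XMPP server sends before STARTTLS (RFC 6120): a `<starttls/>` carrying `<required/>` means the server refuses to continue unencrypted, an optional or absent `<starttls/>` means plaintext is allowed, and a SASL `PLAIN` mechanism advertised at that point means the password could cross the wire in the clear. The classifier below is an added example written for this page, not code from the original thread or from any XMPP server project; it assumes the pre-TLS features block has already been captured from the wire (the socket code is not shown), and the three sample blocks are constructed to illustrate the three outcomes.

```python
"""Classify an XMPP server's pre-TLS <stream:features/> (RFC 6120).

Added example for this thread, not code from the original post. The
connect-and-read step is assumed to have happened already; the input
is the XML text of the first <stream:features/> the server sent.
"""
import xml.etree.ElementTree as ET

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed sample feature blocks (not captured from real servers).
SAMPLES = {
    # Strict server: STARTTLS mandatory, no SASL offered before TLS.
    "strict": (
        '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
        f'<starttls xmlns="{NS_TLS}"><required/></starttls>'
        '</stream:features>'
    ),
    # Lax server: STARTTLS optional and PLAIN offered on the cleartext stream.
    "lax": (
        '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
        f'<starttls xmlns="{NS_TLS}"/>'
        f'<mechanisms xmlns="{NS_SASL}">'
        '<mechanism>PLAIN</mechanism><mechanism>SCRAM-SHA-1</mechanism>'
        '</mechanisms>'
        '</stream:features>'
    ),
    # No TLS at all, but only a challenge-response mechanism offered.
    "no_tls": (
        '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
        f'<mechanisms xmlns="{NS_SASL}">'
        '<mechanism>SCRAM-SHA-1</mechanism>'
        '</mechanisms>'
        '</stream:features>'
    ),
}


def classify_features(features_xml: str) -> dict:
    """Return what the pre-TLS features reveal about plaintext exposure."""
    root = ET.fromstring(features_xml)

    starttls = root.find(f"{{{NS_TLS}}}starttls")
    if starttls is None:
        tls = "absent"
    elif starttls.find(f"{{{NS_TLS}}}required") is not None:
        tls = "required"
    else:
        tls = "optional"

    # SASL mechanisms advertised *before* encryption is negotiated.
    mechanisms = [
        m.text.strip() for m in root.iter(f"{{{NS_SASL}}}mechanism") if m.text
    ]

    plaintext_allowed = tls != "required"
    # Only mechanisms that transmit the password itself count as "plaintext
    # auth"; SCRAM/DIGEST-MD5 over an unencrypted stream is still bad, but
    # the password does not cross the wire verbatim.
    plaintext_auth_possible = plaintext_allowed and "PLAIN" in mechanisms

    return {
        "starttls": tls,
        "mechanisms": mechanisms,
        "plaintext_allowed": plaintext_allowed,
        "plaintext_auth_possible": plaintext_auth_possible,
    }


def summarize(feature_blocks: dict) -> dict:
    """Aggregate counts across many servers, the stats asked for above."""
    results = {name: classify_features(xml) for name, xml in feature_blocks.items()}
    return {
        "total": len(results),
        "plaintext_allowed": sum(r["plaintext_allowed"] for r in results.values()),
        "plaintext_auth_possible": sum(
            r["plaintext_auth_possible"] for r in results.values()
        ),
    }


if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(name, classify_features(xml))
    print("summary", summarize(SAMPLES))
```

Feeding this the captured features of a list of public servers gives the ratio Jonas asks about directly; note that for s2s the same check applies to the features offered on the server-to-server stream, and that an optional `<starttls/>` is only as safe as the peer's willingness to use it.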
