[Operators] IM Observatory @ xmpp.net

Thijs Alkemade thijs at xnyhps.nl
Fri Nov 1 13:01:47 UTC 2013


On 1 nov. 2013, at 13:33, Moonchild <moonchild at palemoon.org> wrote:

> In addition, only including score grade "A" is a little short-sighted, IMHO,
> as server operators may be very good admins running a secure server while
> not getting a grade A (for example by offering potentially weaker ciphers
> for extended compatibility with clients - the test seems to pick the lowest
> available to grade servers on). Pushing specific servers to the foreground
> based on their score is a breeding ground for favoritism which I think we
> should avoid.

Sorry, but I don't buy it.

To score less than an A, a server would have to do at least one of the
following:

1) Enable a cipher with less than 128-bit keys (DES, EXPORT-*, not 3DES,
   which is assumed 168).
2) Use an RSA keypair with less than 1024 bits.
3) Enable SSLv2.
4) Use an untrusted or invalid certificate.

We can debate about 4) for a long time, but 1), 2) and 3) have been bad
practices for at least a decade, some even longer than Jabber has existed. I don't
buy that there is a client out there that doesn't support at least AES or RC4,
1024-bit certs or TLS 1.0.

Regards,
Thijs
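The four criteria above, encoded as a self-check an operator can run against their own scan results. This is an added example, not the observatory's code or Thijs's; it assumes OpenSSL-style suite names and a constructed `ServerScan` record as input, and it counts 3DES as 168 bits, as the post says the scanner does.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Estimated symmetric key length (bits) for an OpenSSL-style suite name.
# Ordered: EXPORT suites and 3DES must match before the plain "DES" rule.
_CIPHER_BITS = [
    (r"EXP", 40),                             # EXPORT-* suites
    (r"DES-CBC3|3DES", 168),                  # 3DES, assumed 168 per the post
    (r"DES|RC2", 56),                         # single DES / RC2
    (r"AES256|CAMELLIA256|CHACHA20", 256),
    (r"AES128|CAMELLIA128|AES|RC4|SEED|IDEA", 128),
    (r"NULL", 0),                             # no encryption at all
]


def cipher_key_bits(suite: str) -> int:
    """Return the estimated key length of the symmetric cipher in `suite`."""
    for pattern, bits in _CIPHER_BITS:
        if re.search(pattern, suite):
            return bits
    raise ValueError(f"unknown cipher suite: {suite}")


@dataclass
class ServerScan:
    """Constructed summary of what a scanner saw on one server (hypothetical)."""
    ciphers: List[str]     # suites the server will negotiate
    rsa_bits: int          # size of the server's RSA key
    sslv2: bool            # whether SSLv2 is enabled
    cert_trusted: bool     # certificate chains to a trusted CA and is valid


def grade(scan: ServerScan) -> Tuple[str, List[str]]:
    """Apply the post's four rules; returns ("A", []) or ("below A", reasons)."""
    reasons = []
    weak = [c for c in scan.ciphers if cipher_key_bits(c) < 128]
    if weak:                                   # rule 1: < 128-bit ciphers
        reasons.append("weak ciphers enabled: " + ", ".join(weak))
    if scan.rsa_bits < 1024:                   # rule 2: short RSA key
        reasons.append(f"RSA key too short: {scan.rsa_bits} bits")
    if scan.sslv2:                             # rule 3: SSLv2
        reasons.append("SSLv2 enabled")
    if not scan.cert_trusted:                  # rule 4: untrusted/invalid cert
        reasons.append("certificate untrusted or invalid")
    return ("A" if not reasons else "below A"), reasons


if __name__ == "__main__":
    # A compatibility-minded config (AES, RC4 and 3DES, 2048-bit key) still scores A.
    print(grade(ServerScan(["AES128-SHA", "RC4-SHA", "DES-CBC3-SHA"], 2048, False, True)))
    print(grade(ServerScan(["AES128-SHA", "DES-CBC-SHA", "EXP-RC4-MD5"], 2048, False, True)))
```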