[Operators] IM Observatory @ xmpp.net

Phil Pennock xmpp-operators+phil at spodhuis.org
Mon Nov 4 01:11:54 UTC 2013


On 2013-11-03 at 11:49 +0100, Thijs Alkemade wrote:
> Also, if you assume clients always pick the strongest encryption cipher they
> support, then I have a surprise for you:
> 
> https://blog.thijsalkema.de/blog/2013/09/02/the-state-of-tls-on-xmpp-3/

Then that's a client bug, from the traitorous software on the client
machine, and impacts upon the ability of the server operator to offer
"it sucks, but it's better than cleartext" to other clients which, for
practical reasons, can't be updated.  I'm concerned that trying to
work around this from the server side leads to a race towards being
unable to safely upgrade in the next few years as more ciphersuites come
forward as fewer trust the US standards.

It's better to get the clients fixed than to hide the problem so that
the buggy client goes unfixed, storing up trouble for later which will
be blamed on the new ciphersuites, rather than the root cause.

Telling the server to manage the selection, instead of the client, might
be a better workaround, though still not great.

-Phil
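
The difference between client-ordered and server-ordered suite selection discussed in the message above, as an added example that is not part of the original post. It models the selection step only (no real handshake); the suite names are real OpenSSL names, but the preference lists and the `WEAK` policy set are constructed assumptions.

```python
# Added illustration: models TLS cipher suite selection only, no network I/O.
# Constructed sample data: the preference lists are illustrative and are not
# taken from any real client or server.
SERVER_PREFS = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-SHA",
                "AES128-SHA", "RC4-SHA"]
CLIENTS = {
    # Supports strong suites but lists the weakest one first (the client bug).
    "buggy": ["RC4-SHA", "AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384"],
    # Cannot be updated and only speaks the weak suite.
    "legacy": ["RC4-SHA"],
}
WEAK = {"RC4-SHA"}  # hypothetical operator policy for this example


def negotiate(client_prefs, server_prefs, server_order):
    """Return the suite that would be selected, or None if there is no overlap.

    server_order=False: walk the client's list, take the first suite the
    server also supports (client preference wins).
    server_order=True: walk the server's list, take the first suite the
    client also offered (server preference wins).
    """
    if server_order:
        primary, other = server_prefs, client_prefs
    else:
        primary, other = client_prefs, server_prefs
    offered = set(other)
    for suite in primary:
        if suite in offered:
            return suite
    return None


def audit(clients, server_prefs):
    """For each client, show the outcome under both modes and flag sessions
    that land on a weak suite although a stronger mutual suite exists."""
    report = {}
    for name, prefs in clients.items():
        by_client = negotiate(prefs, server_prefs, server_order=False)
        by_server = negotiate(prefs, server_prefs, server_order=True)
        report[name] = {
            "client_order": by_client,
            "server_order": by_server,
            "avoidable_downgrade": by_client in WEAK and by_server not in WEAK,
        }
    return report


if __name__ == "__main__":
    for client, row in audit(CLIENTS, SERVER_PREFS).items():
        print(client, row)
```

With server ordering the buggy client is moved to the strongest mutual suite, while the legacy client still connects on the only suite it has.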