[Operators] The Google issue

[Eric Koldeweij]

On 21-Nov-13 21:20, Solomon Peachy wrote:
> I have mixed feelings about this, because I'm the only user on my 
> server, and only two folks on my roster aren't google-hosted. Frankly, 
> without Google federation I might as well not bother. 

I second this. Many of my users have contacts within Google and I do not 
wish to break connection between them. I have surveyed a few users with 
Google contacts on their roster and they all responded that they would 
not be happy. All but one indicated that either security was not an 
issue for them or they were using OTR and one even said he would move to 
a Google account when I told him about the unsecure channel between my 
server and Google..... I also talked to two users who I know are keen on 
security and they indicated they already knew that communication with 
Google could not be trusted and they were using OTR for all their 
communications in any case.

While I am very much in favor of secure communications between all the 
involved parties I think I will not participate in the January 4 event. 
My opinion is that client-to-client security is the way to go. After all 
no matter how tight the security, within our servers between c2s and s2s 
communication is insecure by design and messages can still be 
intercepted in plaintext by a malicious operator.
I know I've been stepping over the authentication part of security but 
I'm trying to look at it from the user's view. They want connectivity 
most of all and security is either second or done by the user using OTR 
or similar techniques. I think cutting Google off would harm the XMPP 
community more than it would harm Google. Therefore I'm also in favor of 
communicating with Google to attempt to work things out.

My 5 cents.

Regards,
Eric.