[Operators] The Google issue

Dave Cridland dave at cridland.net
Fri Nov 22 09:50:43 UTC 2013


On Thu, Nov 21, 2013 at 7:26 PM, Matthew Wild <mwild1 at gmail.com> wrote:

> With all the talk about the details of the manifesto, one thing we
> seem to mostly only mention in passing is federation with Google, and
> I'm curious to gauge the opinion of people on this list.
>
> We are going to affect a lot of users across the network on 4th
> January as we effectively disable federation with Google. Some will
> inevitably be outraged, as they are unable to speak with their friends
> and family members. Some will herald it as a step forward in
> transitioning people away from servers with poor communication
> security.
>

My own feeling is that while many servers will, across the 4th Jan, cut
communications with Google (and other domains), I suspect that many servers
will restore that and want to lower our goals for operational reasons.

Take my little server. I've got too many contacts on servers that would be
dropped by a strict TLS-only peering constraint. I'm happy not to talk to
those people for a day, and it'll enable me to find out how many there
truly are. I'm good with Better-Than-Nothing encryption using PFS, and I'm
fine with tightening up protocol and cipher-suites considered acceptable.

One thing I do note from a protocol standpoint is that it's impossible for
me to know a priori which services should support mutually authenticated
TLS; so a setting of "connect to servers using TLS-auth and do not fall back
if they should support it" doesn't work. This effectively forces fallback
across the board, and lowers the potential security throughout. This,
certainly, is a problem - and it's where we are right now - we will accept
BTNS, and even no TLS at all, from anyone - even if they actually do
support mutually authenticated TLS.

And note my little parenthetical comment above - it's not just Google.
That's certainly the biggest service, but I've no reason to think that of
all the servers without a proper certificate, only contacts on Google's
public services are going to be important enough.

However, I stress - the point, to me, of the 4th January test is not to cut
connections to Google, or send some Message, or anything else along those
lines.

The point is to see what happens, accepting there will be some disruption,
and accepting that we may have to re-examine what we think is achievable
here.

Dave.