[Operators] XMPP Security Talk to IAB

Waqas Hussain waqas20 at gmail.com
Fri Aug 29 18:59:36 UTC 2014

On Fri, Aug 29, 2014 at 8:28 AM, Dave Cridland <dave at cridland.net> wrote:

> On 29 August 2014 11:45, Marco Cirillo <maranda at lightwitch.org> wrote:
>>  The main challenge, at least here, regards communicating with "silos"
>> like Google/Google Apps domains and webex hosted domains (cisco.com
>> etc). And since my users demanded that with high voice irregardless of
>> security I had in the end to (add code to) allow exceptions to grant s2s
>> communication with those services.
> That's an excellent point, actually, and one I hadn't addressed in this
> note - some implementations have had to gain new features in order to
> handle the security landscape changing. I know Prosody, too, has developed
> a mechanism for whitelisting domains, so deployments can relax requirements
> for Google et al.

There are two extreme camps among operators: Idealists vs pragmatists --
feel free to suggest better labels. Idealists are perfectly fine with
dropping interop with Google. They range from "Google is teh evil" to just
"I wont make a security exception for Google, if my users don't like it
I'll educate them, and they can always use other servers". Pragmatists
range from "My users want this, so I'll make an exception for just Google"
to "Google interop is important enough that I'd drop XMPP before I'd drop

We've had several polite flamewars in the Prosody chatroom around this over
the past months and years. Most people are set in their ways, and I've seen
almost no-one change positions, but then such is the nature of flamewars.

Prosody has whitelisting and blacklisting mechanisms for specific domains.
However Google Apps for Your Domain throws a wrench in all that. Allowing
GAFYD fundamentally allows downgrade attacks for *all* domains, given an
active DNS MITM.

Waqas Hussain
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/operators/attachments/20140829/bdee019b/attachment.html>

More information about the Operators mailing list