[Operators] XMPP Security Talk to IAB

Evgeny Khramtsov xramtsov at gmail.com
Mon Sep 1 11:19:42 UTC 2014


Mon, 1 Sep 2014 11:52:22 +0100
Dave Cridland <dave at cridland.net> wrote:

> On 31 August 2014 22:28, Evgeny Khramtsov <xramtsov at gmail.com> wrote:
> 
> > Sun, 31 Aug 2014 22:35:07 +0200
> > Jonas Wielicki <xmpp-operators at sotecware.net> wrote:
> >
> >
> > > I left the c2s-encryption-required switch in place (there would
> > > have been out-of-band measures to reach me if that had been a
> > > problem)
> >
> > A year ago I did some experiment on a medium size server (150,000
> > users online in peak). I modified ejabberd so it added starttls
> > <required/> tag without actually requiring it, i.e. ignoring this
> > tag by a client was OK. The results were bad: about 20% of clients
> > were ignoring it. Mostly some versions of QIP (which is the most
> > popular XMPP client in Russia).
> >
> 
> That's interesting - that's people simply ignoring <starttls/>
> entirely, I'd assume.
> 
> Do you have the actual figures to hand? That'd be interested data to
> include. It's interesting for two reasons, actually - firstly, it's
> interesting to show that some 20% of clients in some areas don't
> support TLS at all, and secondly it's interesting to show that people
> in the community do this kind of research.
> 
> Incidentally, I'm gathering the names of people who're helping me,
> here, and will, of course, have a "credits" slide for those helping
> write the presentation.
> 
> The presentation will be online, eventually, but I hate putting
> slides etc up before I've done the talk.
> 
> Dave.

No, sorry, I have sorta NDA for that installation.
But I can repeat the experiment on jabber.ru, if I find time for
that :) The userbase is much smaller though, only 15k online.

BTW, you can also mention that there is no DNSSEC support by .ru
registrators, so DANE cannot be used here. I understand that no-one
cares what happens in Russia, but this makes adoption of "DANE-based"
federation difficult. Furthermore, as ejabberd developer I'm not
motivated to add DANE support to ejabberd. Simply because I cannot use
it myself.


More information about the Operators mailing list