[Operators] XMPP Security Talk to IAB

Dave Cridland dave at cridland.net
Mon Sep 1 11:37:43 UTC 2014


On 1 September 2014 12:19, Evgeny Khramtsov <xramtsov at gmail.com> wrote:

> Mon, 1 Sep 2014 11:52:22 +0100
> Dave Cridland <dave at cridland.net> wrote:
>
> > On 31 August 2014 22:28, Evgeny Khramtsov <xramtsov at gmail.com> wrote:
> >
> > > Sun, 31 Aug 2014 22:35:07 +0200
> > > Jonas Wielicki <xmpp-operators at sotecware.net> wrote:
> > >
> > >
> > > > I left the c2s-encryption-required switch in place (there would
> > > > have been out-of-band measures to reach me if that had been a
> > > > problem)
> > >
> > > A year ago I did some experiment on a medium size server (150,000
> > > users online in peak). I modified ejabberd so it added starttls
> > > <required/> tag without actually requiring it, i.e. ignoring this
> > > tag by a client was OK. The results were bad: about 20% of clients
> > > were ignoring it. Mostly some versions of QIP (which is the most
> > > popular XMPP client in Russia).
> > >
> >
> > That's interesting - that's people simply ignoring <starttls/>
> > entirely, I'd assume.
> >
> > Do you have the actual figures to hand? That'd be interesting data to
> > include. It's interesting for two reasons, actually - firstly, it's
> > interesting to show that some 20% of clients in some areas don't
> > support TLS at all, and secondly it's interesting to show that people
> > in the community do this kind of research.
> >
> > Incidentally, I'm gathering the names of people who're helping me,
> > here, and will, of course, have a "credits" slide for those helping
> > write the presentation.
> >
> > The presentation will be online, eventually, but I hate putting
> > slides etc up before I've done the talk.
> >
> > Dave.
>
> No, sorry, I have sorta NDA for that installation.
> But I can repeat the experiment on jabber.ru, if I find time for
> that :) The userbase is much smaller though, only 15k online.
>
>
I'm happy to quote the "about 20%" figure and leave it at that.


> BTW, you can also mention that there is no DNSSEC support by .ru
> registrars, so DANE cannot be used here. I understand that no-one
> cares what happens in Russia, but this makes adoption of "DANE-based"
> federation difficult. Furthermore, as ejabberd developer I'm not
> motivated to add DANE support to ejabberd. Simply because I cannot use
> it myself.
>

I'm already discussing the .im DNSSEC issue, so .ru seems also sensible to
mention.

Anyone know if .de supports DNSSEC? That's another popular domain for XMPP
services.

Dave.