[Operators] XMPP Security Talk to IAB

Stefan Strigler stefan.strigler at gmail.com
Mon Sep 1 11:47:27 UTC 2014


Seems so: http://www.denic.de/domains/dnssec.html

It says it's been available since May 2011.


2014-09-01 13:37 GMT+02:00 Dave Cridland <dave at cridland.net>:

>
> On 1 September 2014 12:19, Evgeny Khramtsov <xramtsov at gmail.com> wrote:
>
>> Mon, 1 Sep 2014 11:52:22 +0100
>> Dave Cridland <dave at cridland.net> wrote:
>>
>> > On 31 August 2014 22:28, Evgeny Khramtsov <xramtsov at gmail.com> wrote:
>> >
>> > > Sun, 31 Aug 2014 22:35:07 +0200
>> > > Jonas Wielicki <xmpp-operators at sotecware.net> wrote:
>> > >
>> > >
>> > > > I left the c2s-encryption-required switch in place (there would
>> > > > have been out-of-band measures to reach me if that had been a
>> > > > problem)
>> > >
>> > > A year ago I did an experiment on a medium-size server (150,000
>> > > users online at peak). I modified ejabberd so it added the starttls
>> > > <required/> tag without actually requiring it, i.e. ignoring this
>> > > tag by a client was OK. The results were bad: about 20% of clients
>> > > were ignoring it. Mostly some versions of QIP (which is the most
>> > > popular XMPP client in Russia).
>> > >
>> >
>> > That's interesting - that's people simply ignoring <starttls/>
>> > entirely, I'd assume.
>> >
>> > Do you have the actual figures to hand? That'd be interesting data to
>> > include. It's interesting for two reasons, actually - firstly, it's
>> > interesting to show that some 20% of clients in some areas don't
>> > support TLS at all, and secondly it's interesting to show that people
>> > in the community do this kind of research.
>> >
>> > Incidentally, I'm gathering the names of people who're helping me,
>> > here, and will, of course, have a "credits" slide for those helping
>> > write the presentation.
>> >
>> > The presentation will be online, eventually, but I hate putting
>> > slides etc up before I've done the talk.
>> >
>> > Dave.
>>
>> No, sorry, I have sort of an NDA for that installation.
>> But I can repeat the experiment on jabber.ru, if I find time for
>> that :) The userbase is much smaller though, only 15k online.
>>
>>
> I'm happy to quote the "about 20%" figure and leave it at that.
>
>
>> BTW, you can also mention that there is no DNSSEC support by .ru
>> registrars, so DANE cannot be used here. I understand that no-one
>> cares what happens in Russia, but this makes adoption of "DANE-based"
>> federation difficult. Furthermore, as an ejabberd developer I'm not
>> motivated to add DANE support to ejabberd. Simply because I cannot use
>> it myself.
>>
>
> I'm already discussing the .im DNSSEC issue, so .ru seems also sensible to
> mention.
>
> Anyone know if .de supports DNSSEC? That's another popular domain for XMPP
> services.
>
> Dave.
>
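
The measurement described in the quoted thread (advertise STARTTLS as required, do not enforce it, count the clients that skip it), sketched as an added example that is not part of the original messages or of ejabberd. The session record format, the client labels and the function names are assumptions, and the sample sessions are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"    # STARTTLS namespace (RFC 6120)
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"  # SASL namespace (RFC 6120)

# Constructed sample, not real data: (client label, first element the client
# sent after stream features carrying <starttls><required/></starttls>).
# The record format is an assumption; adapt it to your server's logging.
SAMPLE_SESSIONS = [
    ("client-a", f"<starttls xmlns='{TLS_NS}'/>"),
    ("client-a", f"<starttls xmlns='{TLS_NS}'/>"),
    ("client-b", f"<auth xmlns='{SASL_NS}' mechanism='DIGEST-MD5'/>"),
    ("client-c", f"<starttls xmlns='{TLS_NS}'/>"),
    ("client-b", "<iq type='get' id='a1'><query xmlns='jabber:iq:auth'/></iq>"),
]

def classify(first_element):
    """Return 'starttls', 'skipped' or 'malformed' for one logged element."""
    try:
        # Elements are client-supplied; for raw captures use a hardened
        # parser such as defusedxml instead of the stdlib one.
        root = ET.fromstring(first_element)
    except ET.ParseError:
        return "malformed"
    return "starttls" if root.tag == f"{{{TLS_NS}}}starttls" else "skipped"

def summarize(sessions):
    """Count outcomes per client and the overall share that skipped STARTTLS."""
    per_client = {}
    for client, element in sessions:
        per_client.setdefault(client, Counter())[classify(element)] += 1
    total = sum(sum(c.values()) for c in per_client.values())
    skipped = sum(c["skipped"] for c in per_client.values())
    return per_client, (skipped / total if total else 0.0)

if __name__ == "__main__":
    per_client, share = summarize(SAMPLE_SESSIONS)
    for client, counts in sorted(per_client.items()):
        print(client, dict(counts))
    print(f"skipped STARTTLS: {share:.0%}")
```

Running a count like this before switching a server to enforced c2s encryption shows which client versions would be locked out.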