[Operators] Please enable Forward Secrecy for your servers!
mati at fsinf.at
Fri Jul 10 11:56:38 UTC 2015
On 2015-07-10 at 13:11, Mike Barnes wrote:
> Do you have any details on which client software and versions you've
> tested, Mathias? I've been looking at doing this but I've been more
> concerned about the client experience than s2s issues.

On s2s vs. c2s: After the switch, our s2s connections dropped by about
1/4 - that's a lot, of course. With clients, there has been a drop, but
only about 1/10th of the users - and we did the switch just on the day
our school and university summer holidays started, so I expected a drop

We didn't test many versions of course. But from what we know, a Pidgin
from 2010 doesn't work, but an up-to-date Pidgin does, even on Windows XP.

> You say "very few" users had issues - what was your sample size?

On average, we have about 2500 distinct users online in a week, which
was more or less the time we had those ciphers online. Everyone
complaining had their issues fixed by a client update.

> really hard to get in touch with a user if you stop their connection
> from working, so I'd be really hesitant to jump into something like
> this without a lot of warning and publishing required minimum version
> information somewhere for them.

Yes, we're doing that now, here ;-)

twitter: @mathiasertl | xing: Mathias Ertl | email: mati at er.tl
I only read plain-text mail! I prefer signed/encrypted mail!