[Operators] Please enable Forward Secrecy for your servers!

Mathias Ertl mati at fsinf.at
Fri Jul 10 11:56:38 UTC 2015


Hi Mike,

On 2015-07-10 at 13:11, Mike Barnes wrote:
> Do you have any details on which client software and versions you've
> tested, Mathias? I've been looking at doing this but I've been more
> concerned about the client experience than s2s issues.

On s2s vs. c2s: After the switch, our s2s connections dropped by about
1/4 - that's a lot, of course. With clients, there has been a drop, but
only about 1/10th of the users - and we did the switch just on the day
our school and university summer holidays started, so I expected a drop
anyway.

We didn't test many versions of course. But from what we know, a Pidgin
from 2010 doesn't work, but an up-to-date Pidgin does, even on Windows XP.

> You say "very few" users had issues - what was your sample size?

On average, we have about 2500 distinct users online in a week, which
was more or less the time we had those ciphers online. Everyone
complaining had their issues fixed by a client update.

> It's
> really hard to get in touch with a user if you stop their connection
> from working, so I'd be really hesitant to jump into something like
> this without a lot of warning and publishing required minimum version
> information somewhere for them.

Yes, we're doing that now, here ;-)

greetings, Mati

-- 
twitter: @mathiasertl | xing: Mathias Ertl | email: mati at er.tl
I only read plain-text mail!  I prefer signed/encrypted mail!
