[Operators] Please enable Forward Secrecy for your servers!

Mike Barnes mike at bremensaki.com
Mon Oct 5 09:04:19 UTC 2015


I don't believe you'd even get user requests from people who can't
contact someone. How many will seek out their server administrator to
check what's going on, and how many will just go and use Facebook or
Hangouts or something and forget about XMPP entirely?

It's great to have some specialised servers that take encryption
really seriously and make it their priority, it is. I love it - but we
desperately need the equivalent of the old email "non-delivery report"
going back when connections are refused or non-technical users on
older servers are never going to even know there's anything wrong. All
they'll see fewer people on their roster and they'll install some
other app that actually seems to work for them.

Users on neglected servers need information, not isolation.

On 5 October 2015 at 19:03, Vincent Lauton <vince at darkness.su> wrote:
> I completely agree, though I do not think there are planned mechanisms for
> this purpose. Though I put it harshly I'm only blocking servers I already
> can't communicate with. However I personally make sure to answer any user
> requests and so far anyone that had contacted me asking why certain servers
> couldn't be contacted has received a clear, polite explanation. Server lists
> tend to show SSL rating or information which is a good thing too. I will
> happily implement any mechanisms that allow me to increase the security and
> knowledge of my users though.
>
> 03:11, 5 October 2015, Mike Barnes <mike at bremensaki.com>:
>
> What we need to be doing is putting information about the quality of
> encryption used in a conversation in front of the users, and letting
> them make informed decisions, instead of fracturing the network
> invisibly.
>
> Is there any defined mechanism to do this? Users are accustomed to the
> little padlock icons on web URLs, can XMPP client software easily
> implement something like this or will it need server extensions to
> report back? As a temporary measure, could the server send a direct
> message to a user alerting them if the encryption on a connection they
> initiate falls below a desired threshold?
>
> Inform the users, don't cut them off from their contacts and leave
> them no path to even tell them why.
>
> On 4 October 2015 at 22:53, Vincent Lauton <vince at darkness.su> wrote:
>
>  At least gmail, can't say I've blocked the others but I already can't
>  communicate without forward secrecy.
>
>  13:52, 4 October 2015, Vincent Lauton <vince at darkness.su>:
>
>  Actually I do...
>
>  10:31, 4 October 2015, Evgeny Khramtsov <xramtsov at gmail.com>:
>
>  Sat, 03 Oct 2015 13:40:17 +0200
>  Vincent Lauton <vince at darkness.su> wrote:
>
>
>   Also I meant I'll block servers that don't support any forward
>   secrecy suites
>
>
>  Great idea, LOL. Do you have gmail.com and all its hosted domains
>  blocked already? They don't have any "secrecy" at all.
>
>
>
>  --
>  Sent from Yandex.Mail for mobile


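As an added example, not code from this thread or from any XMPP project, here is a probe an operator can run against their own server to answer the thread's question in a measurable way: it opens a client stream on port 5222, upgrades it with STARTTLS as RFC 6120 defines it, and reports whether the cipher the server negotiated is a forward-secrecy (ephemeral key exchange) suite. The host is the operator's own; the names `probe_xmpp_starttls`, `_recv_until` and `has_forward_secrecy` are assumptions of this example.

```python
import socket
import ssl

XMPP_TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"


def has_forward_secrecy(cipher_name: str, tls_version: str) -> bool:
    """True if the negotiated suite uses an ephemeral key exchange.
    Every TLS 1.3 suite does (the (EC)DHE group is negotiated separately,
    so the name has no key-exchange prefix); for older versions the
    OpenSSL or IANA suite name must start with ECDHE, DHE or EDH."""
    if tls_version == "TLSv1.3":
        return True
    name = cipher_name.upper().replace("_", "-")
    if name.startswith("TLS-"):
        name = name[4:]
    return name.split("-")[0] in ("ECDHE", "DHE", "EDH")


def _recv_until(sock: socket.socket, marker: bytes) -> bytes:
    """Read until marker appears, the peer closes, or the timeout fires."""
    buf = b""
    while marker not in buf:
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
    return buf


def probe_xmpp_starttls(host: str, port: int = 5222, timeout: float = 10.0):
    """Open a client stream, upgrade it with STARTTLS (RFC 6120 section 5)
    and return (tls_version, cipher_name, forward_secrecy), or None when
    the server never offers or accepts STARTTLS."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # auditing the key exchange, not the cert
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(("<?xml version='1.0'?><stream:stream to='%s' "
                      "xmlns='jabber:client' "
                      "xmlns:stream='http://etherx.jabber.org/streams' "
                      "version='1.0'>" % host).encode())
        if b"<starttls" not in _recv_until(sock, b"</stream:features>"):
            return None
        sock.sendall(("<starttls xmlns='%s'/>" % XMPP_TLS_NS).encode())
        if b"<proceed" not in _recv_until(sock, b"/>"):
            return None
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher_name, version, _bits = tls.cipher()
            return version, cipher_name, has_forward_secrecy(cipher_name, version)
```

Call `probe_xmpp_starttls("your.server.example")` against your own host; a result whose last element is False is exactly the server the thread is arguing about blocking.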