[Operators] Please enable Forward Secrecy for your servers!

David Banes david at banes.org
Mon Oct 5 09:08:13 UTC 2015


+1

>>  but we
>> desperately need the equivalent of the old email "non-delivery report"
>> going back when connections are refused or non-technical users on
>> older servers are never going to even know there's anything wrong. All
>> they'll see is less people on their roster and they'll install some
>> other app that actually seems to work for them.



David.


On 5 Oct 2015, at 10:04, Mike Barnes <mike at bremensaki.com> wrote:

> I don't believe you'd even get user requests from people who can't
> contact someone. How many will seek out their server administrator to
> check what's going on, and how many will just go and use Facebook or
> Hangouts or something and forget about XMPP entirely?
> 
> It's great to have some specialised servers that take encryption
> really seriously and make it their priority, it is. I love it - but we
> desperately need the equivalent of the old email "non-delivery report"
> going back when connections are refused or non-technical users on
> older servers are never going to even know there's anything wrong. All
> they'll see is less people on their roster and they'll install some
> other app that actually seems to work for them.
> 
> Users on neglected servers need information, not isolation.
> 
> On 5 October 2015 at 19:03, Vincent Lauton <vince at darkness.su> wrote:
>> I completely agree, though I do not think there are planned mechanisms for
>> this purpose. Though I put it harshly I'm only blocking servers I already
>> can't communicate with. However I personally make sure to answer any user
>> requests and so far anyone that had contacted me asking why certain servers
>> couldn't be contacted has received a clear, polite explanation. Server lists
>> tend to show SSL rating or information which is a good thing too. I will
>> happily implement any mechanisms that allow me to increase the security and
>> knowledge of my users though.
>> 
>> 03:11, 5 October 2015, Mike Barnes <mike at bremensaki.com>:
>> 
>> What we need to be doing is putting information about the quality of
>> encryption used in a conversation in front of the users, and letting
>> them make informed decisions, instead of fracturing the network
>> invisibly.
>> 
>> Is there any defined mechanism to do this? Users are accustomed to the
>> little padlock icons on web URLs, can XMPP client software easily
>> implement something like this or will it need server extensions to
>> report back? As a temporary measure, could the server send a direct
>> message to a user alerting them if the encryption on a connection they
>> initiate falls below a desired threshold?
>> 
>> Inform the users, don't cut them off from their contacts and leave
>> them no path to even tell them why.
>> 
>> On 4 October 2015 at 22:53, Vincent Lauton <vince at darkness.su> wrote:
>> 
>> At least gmail, can't say I've blocked the others but I already can't
>> communicate without forward secrecy.
>> 
>> 13:52, 4 October 2015, Vincent Lauton <vince at darkness.su>:
>> 
>> Actually I do...
>> 
>> 10:31, 4 October 2015, Evgeny Khramtsov <xramtsov at gmail.com>:
>> 
>> Sat, 03 Oct 2015 13:40:17 +0200
>> Vincent Lauton <vince at darkness.su> wrote:
>> 
>> 
>>  Also I meant I'll block servers that don't support any forward
>>  secrecy suites
>> 
>> 
>> Great idea, LOL. Do you have gmail.com and all its hosted domains
>> blocked already? They don't have any "secrecy" at all.
>> 
>> 
>> 
>> --
>> Sent from Yandex.Mail for mobile
>> 
>> 
>> 
>> --
>> Sent from Yandex.Mail for mobile
>> 
>> 
>> 
>> --
>> Sent from Yandex.Mail for mobile
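The thread asks whether a server could notify a user when the encryption on a connection to a contact's server falls below a desired threshold, rather than silently refusing the link. As an added illustration (not code from this thread or from any XMPP server project), the block below classifies a negotiated cipher suite name into "no encryption", "encrypted without forward secrecy" and "forward secret", and produces the text of a notice for links that fall below a chosen threshold while still letting traffic flow. The `S2SLink` type, the user and domain names, and the cipher suite strings are constructed for the example; how the notice is actually delivered to the user (a server message, a log entry for the operator) is left to the deployment.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Level(Enum):
    """Ordered quality of a TLS link: a higher value is better."""
    NONE = 0            # no TLS, or a NULL cipher
    ENCRYPTED = 1       # encrypted, but no ephemeral key exchange (e.g. RSA kex)
    FORWARD_SECRET = 2  # ephemeral (EC)DHE key exchange


# Key-exchange tokens that give forward secrecy, in IANA and OpenSSL naming.
FS_KEX = {"ECDHE", "DHE", "EDH"}


def classify(suite: Optional[str]) -> Level:
    """Classify a cipher suite name such as 'TLS_RSA_WITH_AES_128_CBC_SHA'
    (IANA style) or 'ECDHE-RSA-AES128-GCM-SHA256' (OpenSSL style).
    None means the link was never upgraded to TLS."""
    if not suite:
        return Level.NONE
    tokens = suite.upper().replace("_", "-").split("-")
    if tokens[0] == "TLS":
        tokens = tokens[1:]
    if "NULL" in tokens:            # NULL cipher: no confidentiality at all
        return Level.NONE
    # TLS 1.3 suite names carry no key-exchange token; TLS 1.3 always uses (EC)DHE.
    if tokens[0] in ("AES", "CHACHA20"):
        return Level.FORWARD_SECRET
    if tokens[0] in FS_KEX:
        return Level.FORWARD_SECRET
    return Level.ENCRYPTED          # RSA, static DH/ECDH, plain PSK: no forward secrecy


@dataclass
class S2SLink:
    """One server-to-server link as seen by the local server (constructed type)."""
    local_user: str         # local user whose contact lives on remote_domain
    remote_domain: str
    suite: Optional[str]    # negotiated cipher suite, or None if plaintext


DESCRIPTION = {
    Level.NONE: "not encrypted",
    Level.ENCRYPTED: "encrypted without forward secrecy",
    Level.FORWARD_SECRET: "encrypted with forward secrecy",
}


def notice_for(link: S2SLink, threshold: Level = Level.FORWARD_SECRET) -> Optional[str]:
    """Text of a notice for the local user when the link to their contact's
    server falls below `threshold`; None when the link meets it."""
    level = classify(link.suite)
    if level.value >= threshold.value:
        return None
    return (f"{link.local_user}: the connection to {link.remote_domain} is "
            f"{DESCRIPTION[level]} (cipher suite: {link.suite or 'none'}). "
            f"Messages to contacts there are still delivered.")


def notices(links: List[S2SLink], threshold: Level = Level.FORWARD_SECRET) -> List[str]:
    """One notice per link that falls below the threshold, in input order."""
    return [n for n in (notice_for(link, threshold) for link in links) if n is not None]


if __name__ == "__main__":
    # Constructed sample links; the domains and suites are not real measurements.
    sample = [
        S2SLink("alice@example.org", "fs.example.net", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
        S2SLink("alice@example.org", "legacy.example.com", "TLS_RSA_WITH_AES_128_CBC_SHA"),
        S2SLink("bob@example.org", "plain.example.com", None),
    ]
    for text in notices(sample):
        print(text)
```

The suite name is only one signal: a full policy would also look at the TLS version and certificate validation result, and a threshold of `Level.ENCRYPTED` would warn only about plaintext links, which matches the thread's point that users on older servers should be told what is wrong rather than quietly lose contacts.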
