[Operators] Please enable Forward Secrecy for your servers!

Sam Whited sam at samwhited.com
Mon Oct 5 14:45:11 UTC 2015

This all seems perfectly reasonable to me; if you don't have
PFS-enabled ciphers, I don't understand why you'd expect to be able to be
part of the network these days.

Maybe as part of the 2016 compliance suites (which I'm in the process
of writing to propose to the XSF council, see standards@ for more
info) I'll also add a list of "recommended ciphers" or something. Or
maybe that's a separate XEP. Just something to think about.

The various servers I run all support a suite of PFS ciphers (as well
as the usual fallback ciphers, but I'll gather some data and see how
often those are used and consider removing them too).


