[Operators] Please enable Forward Secrecy for your servers!

Alain Wolf xmaster at urown.net
Mon Oct 5 16:01:40 UTC 2015


On 05.10.2015 at 03:04, Mike Barnes wrote:
> What we need to be doing is putting information about the quality of
> encryption used in a conversation in front of the users, and letting
> them make informed decisions, instead of fracturing the network
> invisibly.

What comes to my mind here is how security-focused mail providers like
mailbox.org handle a similar problem in the SMTP world:

Every account on their mail domain "mailbox.org" also receives mail on
the sub-domain "secure.mailbox.org". Their MX servers on the main domain
will accept mail from any mail-server for valid addresses like
user at mailbox.org. But mails for user at secure.mailbox.org are only
accepted on properly TLS-encrypted SMTP connections.

They don't use this to enforce PFS, but TLS in general. Maybe
similar domain aliases could be set up on our servers the other way round
using something like "insecure.jabber.org".

> 
> Is there any defined mechanism to do this? Users are accustomed to the
> little padlock icons on web URLs, can XMPP client software easily
> implement something like this or will it need server extensions to
> report back? As a temporary measure, could the server send a direct
> message to a user alerting them if the encryption on a connection they
> initiate falls below a desired threshold?
> 
> Inform the users, don't cut them off from their contacts and leave
> them no path to even tell them why.
> 
> On 4 October 2015 at 22:53, Vincent Lauton <vince at darkness.su> wrote:
>> At least gmail, can't say I've blocked the others but I already can't
>> communicate without forward secrecy.
>>
>> 13:52, 4 October 2015, Vincent Lauton <vince at darkness.su>:
>>
>> Actually I do...
>>
>> 10:31, 4 October 2015, Evgeny Khramtsov <xramtsov at gmail.com>:
>>
>> Sat, 03 Oct 2015 13:40:17 +0200
>> Vincent Lauton <vince at darkness.su> wrote:
>>
>>
>>  Also I meant I'll block servers that don't support any forward
>>  secrecy suites
>>
>>
>> Great idea, LOL. Do you have gmail.com and all its hosted domains
>> blocked already? They don't have any "secrecy" at all.

