[Operators] Please enable Forward Secrecy for your servers!

A a at creep.im
Tue Oct 6 08:11:06 UTC 2015


There is an IM Observatory (https://xmpp.net) site which users actually 
use before deciding which service to join, and some clients, Gajim for 
sure, actually show a padlock icon near the account on a server which 
uses encryption. However, if there is a self-signed certificate, like the one 
on exploit.im, Gajim still shows a locked padlock, implying there is still 
some kind of security.

The idea for clients' developers: introduce these padlock icons, and if 
there is an insecure connection or a self-signed certificate, there should 
be a warning icon, like a red unlocked padlock, as is implemented in all 
major web browsers.

A

On 10/05/2015 04:04 AM, Mike Barnes wrote:
> What we need to be doing is putting information about the quality of
> encryption used in a conversation in front of the users, and letting
> them make informed decisions, instead of fracturing the network
> invisibly.
>
> Is there any defined mechanism to do this? Users are accustomed to the
> little padlock icons on web URLs, can XMPP client software easily
> implement something like this or will it need server extensions to
> report back? As a temporary measure, could the server send a direct
> message to a user alerting them if the encryption on a connection they
> initiate falls below a desired threshold?
>
> Inform the users, don't cut them off from their contacts and leave
> them no path to even tell them why.
>
> On 4 October 2015 at 22:53, Vincent Lauton <vince at darkness.su> wrote:
>> At least gmail, can't say I've blocked the others, but I already can't
>> communicate without forward secrecy.
>>
>> 13:52, 4 October 2015, Vincent Lauton <vince at darkness.su>:
>>
>> Actually I do...
>>
>> 10:31, 4 October 2015, Evgeny Khramtsov <xramtsov at gmail.com>:
>>
>> Sat, 03 Oct 2015 13:40:17 +0200
>> Vincent Lauton <vince at darkness.su> wrote:
>>
>>
>>   Also I meant I'll block servers that don't support any forward
>>   secrecy suites
>>
>>
>> Great idea, LOL. Do you have gmail.com and all its hosted domains
>> blocked already? They don't have any "secrecy" at all.
>>
>>
>>
>> --
>> Sent from Yandex.Mail for mobile
>>
>>
>>
>> --
>> Sent from Yandex.Mail for mobile
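As an added example (not code from anyone in this thread or from Gajim), here is how a client could derive the three indicator states discussed above from the TLS session it already holds, with no server extension: the padlock names, the "yellow" middle state for TLS without forward secrecy, and the sample cipher values are assumptions.

```python
"""Decide which padlock an XMPP client should show for a connection.

Inputs mirror what Python's ssl module exposes on an established socket:
SSLSocket.cipher() -> (cipher_name, protocol_version, secret_bits), plus
the outcome of certificate chain verification.  No network access is
needed; the sample values in the tests are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Padlock(Enum):
    RED_OPEN = "red unlocked padlock: plaintext or untrusted certificate"
    YELLOW = "yellow padlock: TLS without forward secrecy"
    GREEN = "green locked padlock: TLS with forward secrecy, trusted cert"


@dataclass(frozen=True)
class TlsState:
    tls_active: bool
    protocol: Optional[str]   # e.g. "TLSv1.2", "TLSv1.3"; None if no TLS
    cipher: Optional[str]     # OpenSSL cipher name; None if no TLS
    cert_trusted: bool        # chain validated against the trust store


def has_forward_secrecy(protocol: str, cipher: str) -> bool:
    """TLS 1.3 only defines (EC)DHE key exchange, so it is always forward
    secret.  For earlier versions OpenSSL names the key exchange in the
    cipher string: ECDHE-/DHE- prefixed suites use ephemeral keys, while
    plain RSA key transport (e.g. "AES256-SHA") does not."""
    if protocol == "TLSv1.3":
        return True
    return cipher.startswith(("ECDHE-", "DHE-", "EDH-", "EECDH-"))


def classify(state: TlsState) -> Padlock:
    """Map the session facts to the indicator the user should see."""
    if not state.tls_active or not state.cert_trusted:
        # A self-signed or otherwise unverifiable certificate provides no
        # authentication, so it is shown the same way as no encryption.
        return Padlock.RED_OPEN
    if not has_forward_secrecy(state.protocol, state.cipher):
        return Padlock.YELLOW
    return Padlock.GREEN


def state_from_socket(sock, cert_trusted: bool) -> TlsState:
    """Build a TlsState from a live ssl.SSLSocket (hypothetical helper)."""
    name, version, _bits = sock.cipher()
    return TlsState(True, version, name, cert_trusted)
```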
