[Operators] XMPP federation over Tor : supported by Prosody, join us !

Dave Cridland dave at cridland.net
Fri Oct 16 13:07:20 UTC 2015


On 15 October 2015 at 21:07, Finn Herzfeld <finn at finn.io> wrote:

> That's pretty cool, but this whole mapping thing seems broken. Would
> there be a way for a server to probe another server over the clearnet
> for an onion address, then it can cache that and build it's own list? I
> don't know a ton about the actual XMPP wire protocol so I'm not sure how
> best to go about that, but it seems like something that could be done.
>

Discovery is, of course, possible, but it's problematic because no direct,
unseeded discovery protocol is going to be immune to metadata scanning. If
you look up SRV records, that's pretty easy to track, and then the Tor
session is not much better than a TLS one (albeit fewer chances of
interception; but the sames one are probably easiest).

Instead, we might construct a protocol whereby a server starts with a seed
list of services from a trusted source and then gradually learns about
other servers as it requests lists from its peers. It's possible to do this
without trusting all the servers giving you the list, too, if you use
BFT-style algorithms or signed content.

However... even this is only safe in Prosody because it doesn't perform
OCSP lookups (or indeed any status checking). Traditional OCSP is again
quite easy to track, so you need to use a combination of stapling and
consistently refreshed CRLs.

Dave.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/operators/attachments/20151016/82f10340/attachment.html>


More information about the Operators mailing list