[Operators] Please enable Forward Secrecy for your servers!

Mike Barnes mike at bremensaki.com
Thu Sep 17 04:08:32 UTC 2015

Hi Kim - what happens from the end-user POV when that module is in
place? Will most clients reliably report that back?

I'm really hesitant to implement a massive restriction like this
precisely because it is invisible to the end user, and is just going
to lead to more people going "well, I can't talk to fred at some.im any
more, it worked last week" and giving up on XMPP.

It'd be much better to warn a user that their encryption is not up to
standard, and letting them make a decision or tell their contact about
it. If we just flat cut off their ability to communicate event that
there's a problem it's not very user-friendly at all.

Is there a defined way that we can reliably send meta-information back
to a user about their connection to a remote server while still
allowing the connection to proceed? Maybe just via a server
announcement when they make an outbound connection that falls below a
defined threshold to be considered secure?

I have enough trouble convincing people that XMPP is worth the bother
as it is, without making sudden changes that invisibly break
functionality. I will continue to keep my end up to date and ensure
that I'm capable of forward secrecy, but I'm not going to mandate it

On 13 September 2015 at 05:33, Kim Alvefur <zash at zash.se> wrote:
> Hi all!
> At the last summit in Brussels, at some point, the issue of how
> reporting errors from TLS cipher mismatches is kinda horrible.  So the
> idea of allowing a more liberal set of ciphers but throwing a
> <stream:error> at the application level came up and I wrote a
> proof-of-concept plugin for Prosody doing just this.
> http://modules.prosody.im/mod_tls_policy.html
> It will basically run a pattern match on the cipher string and, if it
> does not match, close the connection with:
> <stream:error>
>   <policy-violation/>
>   <text>TLS cipher 'RC4-MD5' not acceptable</text>
> </stream:error>
> --
> Kim "Zash" Alvefur

More information about the Operators mailing list