[Operators] State of the Federation

Patrick Beisler psjbeisler at gmail.com
Mon Jan 4 02:11:01 UTC 2016


While watching the recent State of the Onion talk, there was some
discussion about XMPP, OTR, and libpurple security. (Half-way through)
https://media.ccc.de/v/32c3-7307-state_of_the_onion#video

Granted, some of it was in reference to promoting Ricochet although there
were some valid points regarding rosters and possibly even at the protocol
schema itself.
Focusing on the servers, we have pushed for more federated encryption this
year (despite the 2048 vs 4096 argument) which is good, and the fact that
more s2s connections require TLS and SASL for encryption and authentication
still puts us in a better state than email currently as we can mostly verify
our endpoints.
Of course there's always DNSSEC as well, which seems to be getting heavier
implementation in Germany, I hear.
There were also discussions regarding Diffie-Hellman, ECC and TLS
certificates in reference to pre-computational passive attacks that should
not be ignored.
https://media.ccc.de/v/32c3-7288-logjam_diffie-hellman_discrete_logs_the_nsa_and_you#video


Client side, we still have a wide problem with libpurple being everywhere
as well as being a "flock of 0days flying in formation". (Tor talk)
There was also an interesting article that covers more of the concerns with
the clients themselves, but being a server operators list, I will just
leave this here.
https://motherboard.vice.com/read/secure-messaging-might-not-be-so-secure-otr-libpurple

Mostly my point was just to throw these concerns out and to see what more
we can do as a community to ensure the security of ourselves and others
does not become stagnant. There is a war on for our privacy and data, and
it's our duty to stay vigilant.
“Just because you're paranoid doesn't mean they aren't after you”

Thanks to all you operators and Happy New Year.

-- 
The Internet is changing, consider securing your messages with PGP.
https://keybase.io/psjbeisler/key.asc