[standards-jig] SSL/TLS mandatory (Was: Re: JEP-0077 Password Changing Security Flaw )

Jesper Krogh jesper at krogh.cc
Sun Jan 25 20:11:27 UTC 2004


In gmane.network.jabber.standards-jig, Chris Mullins wrote:
>  While plain-text passwords are certainly worrisome, at least the option
>  is there to send them over a SSL/TLS stream. In fact many servers
>  REQUIRE the connection to be over a SSL/TLS stream, making the
>  plain-text a little bit less significant than it would otherwise be.

I really think that we should require SSL/TLS real soon now; I can
hardly find any reason for anyone to use it. Have I missed anything?

Unlike HTTP, where you have anonymous browsing, your username/password is
sent every time you connect to your server in Jabber, which actually
makes all communication sensible.

For statistics on my server: 
http://status.jabbernet.dk/c2s.html
We can actually see that we are down to about 15% that use SSL/TLS.

Is it better at other servers? 

-- 
./Jesper Krogh, jesper at krogh.cc
Jabber ID: jesper at jabbernet.dk
Empty your brain of Linux knowledge at http://www.linuxwiki.dk




