[Standards] Advance XEP-0368 to Proposed

Travis Burtrum travis at burtrum.org
Tue Jan 24 13:38:43 UTC 2017


On 01/24/2017 08:08 AM, Kim Alvefur wrote:
> On Thu, Jan 19, 2017 at 03:19:12PM -0500, Travis Burtrum wrote:
>> I am proposing advancing XEP-0368 from Experimental to Proposed, and the
>> XSF MUC said to do this by sending an email to the standards list.
>>
>> https://xmpp.org/extensions/xep-0368.html
>> Any thoughts?
> 
> 
>> TLS provides more security than STARTTLS if RFC 7590 [4] is not
>> followed, as it isn't subject to STARTTLS stripping.
> 
> I strongly object to this. "Direct" TLS and STARTTLS are exactly
> equivalent security-wise. In the absence of DNSSEC, you can just as well
> strip the SRV records that point to the "direct" TLS port, and you can
> attempt STARTTLS even if the advertising is stripped, or give up and
> throw a security exception.
> 
> I assert that this is only an optimization that lets you skip a few
> round trips.

Both are equally susceptible to DNS attacks in the absence of DNSSEC.

But you basically said it yourself, "Direct" TLS and STARTTLS are
equivalent security-wise ONLY IF you attempt STARTTLS regardless of
offer and give up with a security exception otherwise.  That behavior is
enforced with direct TLS, therefore they are not equivalent.

We could say something like that in there, but I'm not sure how to word it.
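The behaviour argued over above, as an added illustration that is not part of the thread: a client-side policy that sends `<starttls/>` regardless of whether the server's stream features advertise it, and treats anything other than `<proceed/>` as a security exception. The stanza samples and the function names are constructed for this example.

```python
# Added example (not from the original thread or XEP-0368): a client that
# treats STARTTLS as mandatory to negotiate, so a stripped offer changes
# nothing, versus the legacy behaviour that falls back to plaintext.
import xml.etree.ElementTree as ET

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed sample stream features: one advertising STARTTLS, one with the
# <starttls/> element removed, as an on-path attacker would do.
FEATURES_WITH_TLS = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    '<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>'
    '</stream:features>'
)
FEATURES_STRIPPED = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams"/>'
)


class TlsRequiredError(Exception):
    """Security exception: the server did not let the client negotiate TLS."""


def starttls_offered(features_xml: str) -> bool:
    """True if <stream:features> advertises STARTTLS. The offer is only
    informational: it travels in cleartext and can be stripped."""
    root = ET.fromstring(features_xml)
    return root.find(f"{{{TLS_NS}}}starttls") is not None


def next_step(features_xml: str, strict: bool) -> str:
    """Decide what the client sends after receiving stream features.
    strict=True: always send <starttls/>, so a missing offer cannot
    downgrade the session. strict=False: legacy behaviour that continues in
    plaintext when the offer is absent (the stripping case)."""
    if strict or starttls_offered(features_xml):
        return "send-starttls"
    return "continue-plaintext"


def handle_starttls_reply(reply_xml: str) -> str:
    """Only <proceed/> in the TLS namespace lets the TLS handshake begin.
    <failure/>, a stream error, or any other element is a security exception."""
    element = ET.fromstring(reply_xml)
    if element.tag == f"{{{TLS_NS}}}proceed":
        return "tls-handshake"
    raise TlsRequiredError(f"STARTTLS refused or stripped: {element.tag}")
```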

