[Standards] Advance XEP-0368 to Proposed

Travis Burtrum travis at burtrum.org
Tue Jan 24 20:13:01 UTC 2017


On 01/24/2017 10:20 AM, Sam Whited wrote:
> I agree with Zash, they're equivalent; 6120 says
> that even if STARTTLS isn't advertised you should attempt it, and this
> is the same thing. Falling back to plain is a bad idea, but it's a
> matter of client policy.

I still disagree, I know in the wild you will find poorly written
clients and servers that fall back to plain text when confronted with
STARTTLS stripping, but you will NEVER find software that falls back to
plaintext over direct TLS, because it's simply not possible.

Also I just realized the XEP already spells this out explicitly:

"TLS provides more security than STARTTLS if RFC 7590 [4] is not
followed, as it isn't subject to STARTTLS stripping."

Referring to where 7590 talks about stripping here
https://tools.ietf.org/html/rfc7590#section-3.1

Is that sentence as written not correct?
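Added illustration (not part of the message above or of XEP-0368): the two client policies the thread contrasts, run against a constructed <stream:features/> before and after the on-path rewrite that STARTTLS stripping performs, plus the direct-TLS connection path where no plaintext features exist to rewrite. Sample XML, function names, and the port 5223 default are assumptions made here for the example; the ALPN identifier "xmpp-client" is the one XEP-0368 registers.

```python
import socket
import ssl
import xml.etree.ElementTree as ET

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAM_NS = "http://etherx.jabber.org/streams"
ET.register_namespace("stream", STREAM_NS)

# Constructed <stream:features/> as a server sends it on the plaintext
# stream before STARTTLS (sample data for this example, not a capture).
SERVER_FEATURES = (
    f"<stream:features xmlns:stream='{STREAM_NS}'>"
    f"<starttls xmlns='{TLS_NS}'><required/></starttls>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>PLAIN</mechanism></mechanisms>"
    "</stream:features>"
)


def strip_starttls(features_xml: str) -> str:
    """What an on-path attacker does in STARTTLS stripping: drop the
    <starttls/> advertisement so a lenient client never upgrades."""
    root = ET.fromstring(features_xml)
    for el in root.findall(f"{{{TLS_NS}}}starttls"):
        root.remove(el)
    return ET.tostring(root, encoding="unicode")


def starttls_offered(features_xml: str) -> bool:
    """True if the server advertised <starttls/> in its stream features."""
    root = ET.fromstring(features_xml)
    return root.find(f"{{{TLS_NS}}}starttls") is not None


def next_step_lenient(features_xml: str) -> str:
    """The poorly written client: if STARTTLS is not advertised, carry on
    with SASL in the clear. This is exactly what stripping exploits."""
    return "starttls" if starttls_offered(features_xml) else "sasl-plaintext"


def next_step_rfc7590(features_xml: str) -> str:
    """A client following RFC 7590: TLS is mandatory, so a stream without
    <starttls/> is closed instead of continued in plaintext."""
    return "starttls" if starttls_offered(features_xml) else "abort"


def connect_direct_tls(host: str, port: int = 5223) -> ssl.SSLSocket:
    """XEP-0368 style connection (hypothetical helper, not run offline):
    the TLS handshake happens before the first XMPP byte, so there is no
    plaintext <stream:features/> for an attacker to rewrite. If the
    handshake fails this raises and no socket is ever used for XMPP."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["xmpp-client"])  # ALPN id registered by XEP-0368
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    stripped = strip_starttls(SERVER_FEATURES)
    print("lenient client after stripping: ", next_step_lenient(stripped))
    print("RFC 7590 client after stripping:", next_step_rfc7590(stripped))
```

The decision functions only exist because a STARTTLS client must read features in the clear first; on the direct-TLS path the client never parses anything it has not already received inside the TLS session, which is the "simply not possible" point made above.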

