[Standards] Advance XEP-0368 to Proposed

Dave Cridland dave at cridland.net
Tue Jan 24 20:27:10 UTC 2017


On 24 January 2017 at 20:13, Travis Burtrum <travis at burtrum.org> wrote:
> On 01/24/2017 10:20 AM, Sam Whited wrote:
>> I agree with Zash, they're equivalent; 6120 says
>> that even if STARTTLS isn't advertised you should attempt it, and this
>> is the same thing. Falling back to plain is a bad idea, but it's a
>> matter of client policy.
>
> I still disagree, I know in the wild you will find poorly written
> clients and servers that fall back to plain text when confronted with
> STARTTLS stripping, but you will NEVER find software that falls back to
> plaintext over direct TLS, because it's simply not possible.
>
> Also I just realized the XEP already spells this out explicitly:
>
> "TLS provides more security than STARTTLS if RFC 7590 [4] is not
> followed, as it isn't subject to STARTTLS stripping."
>
> Referring to where 7590 talks about stripping here
> https://tools.ietf.org/html/rfc7590#section-3.1
>
> Is that sentence as written not correct?

So, what you're saying is that buggy clients are less secure than
non-buggy ones?

You can certainly have that, but I don't see why it belongs in a spec...

Dave.
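To make the distinction the thread is arguing over concrete, here is an added illustration (not code from the thread or from any XMPP implementation) that models the client-side decision at the point where STARTTLS stripping can bite. It assumes constructed `<stream:features/>` and `<proceed/>`/`<failure/>` stanzas in the `urn:ietf:params:xml:ns:xmpp-tls` namespace, and the two client behaviours under discussion: one that trusts the advertised feature list and continues in plaintext when `<starttls/>` is missing, and one that attempts STARTTLS regardless and treats refusal as fatal. The direct-TLS path has no such branch at all, which is the point Travis makes.

```python
import xml.etree.ElementTree as ET

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAM_NS = "http://etherx.jabber.org/streams"

# Constructed sample: features a server sends after a plaintext stream is opened.
FEATURES_WITH_STARTTLS = (
    f"<stream:features xmlns:stream='{STREAM_NS}'>"
    f"<starttls xmlns='{TLS_NS}'><required/></starttls>"
    "</stream:features>"
)
# Constructed sample: the same features with <starttls/> removed on the wire
# (the "STARTTLS stripping" case), leaving only a plaintext SASL offer.
FEATURES_STRIPPED = (
    f"<stream:features xmlns:stream='{STREAM_NS}'>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>PLAIN</mechanism></mechanisms>"
    "</stream:features>"
)
# Constructed sample replies to a client's <starttls/> request.
PROCEED = f"<proceed xmlns='{TLS_NS}'/>"
FAILURE = f"<failure xmlns='{TLS_NS}'/>"


def starttls_advertised(features_xml: str) -> bool:
    """True if the server's stream features include <starttls/>."""
    root = ET.fromstring(features_xml)
    return root.find(f"{{{TLS_NS}}}starttls") is not None


def server_allows_tls(reply_xml: str) -> bool:
    """Interpret the reply to <starttls/>: only <proceed/> means 'go ahead'."""
    return ET.fromstring(reply_xml).tag == f"{{{TLS_NS}}}proceed"


def run_starttls_negotiation(features_xml: str, reply_xml: str,
                             fallback_to_plain: bool) -> str:
    """Outcome of a port-5222 style (plaintext-first) session.

    fallback_to_plain=True models the buggy client the thread describes: if
    STARTTLS is not advertised it simply carries on in the clear.
    fallback_to_plain=False models the policy the thread attributes to
    RFC 6120 / RFC 7590: always attempt STARTTLS, and abort on refusal.
    Returns one of "secured", "plaintext", "aborted".
    """
    if not starttls_advertised(features_xml) and fallback_to_plain:
        return "plaintext"          # stripping succeeded against this client
    # Attempt STARTTLS whether or not it was advertised.
    if server_allows_tls(reply_xml):
        return "secured"            # TLS handshake follows on the same socket
    return "aborted"                # never downgrade; refusal is fatal


def run_direct_tls_connection(handshake_ok: bool) -> str:
    """Outcome of an XEP-0368 style (TLS-first) connection.

    There is no feature exchange before the handshake, so there is no
    advertisement to strip and no plaintext state a client could fall into:
    either the handshake succeeds or the connection is dropped.
    """
    return "secured" if handshake_ok else "aborted"


if __name__ == "__main__":
    print("honest server, strict client:",
          run_starttls_negotiation(FEATURES_WITH_STARTTLS, PROCEED, False))
    print("stripped features, buggy client:",
          run_starttls_negotiation(FEATURES_STRIPPED, FAILURE, True))
    print("stripped features, strict client:",
          run_starttls_negotiation(FEATURES_STRIPPED, FAILURE, False))
    print("direct TLS:", run_direct_tls_connection(True))
```

Note the third case: with the strict policy the stripped advertisement changes nothing, because the client asks for STARTTLS anyway and only the server's actual `<proceed/>` or `<failure/>` decides the outcome. The `"plaintext"` result exists only in the first code path, and only for the buggy client; `run_direct_tls_connection` has no way to return it.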
