[Standards] Advance XEP-0368 to Proposed

Sam Whited sam at samwhited.com
Tue Jan 24 21:09:47 UTC 2017


On Tue, Jan 24, 2017 at 2:13 PM, Travis Burtrum <travis at burtrum.org> wrote:
> I still disagree, I know in the wild you will find poorly written
> clients and servers that fall back to plain text when confronted with
> STARTTLS stripping, but you will NEVER find software that falls back to
> plaintext over direct TLS, because it's simply not possible.

Sure it is; client doesn't see SRV records for XMPPS, so it attempts
to connect without TLS on the normal xmpp port (which it does have SRV
records for because the person poisoning the DNS is trying to get you
to use tohse); it's the exact same thing as a client not seing
STARTTLS (because someone's in the middle stripping it) and therefore
falling back to not negotiating it. The behavior is wrong, but there's
not much we can do about it.

—Sam


More information about the Standards mailing list