[Standards] XEP-0178: Clarify SASL-EXTERNAL specification when s2s auth fails

Kim Alvefur zash at zash.se
Tue Jun 30 18:46:08 UTC 2020


Hello list

On Tue, Jun 30, 2020 at 05:59:34PM +0200, Jonas Schäfer wrote:
> https://github.com/xsf/xeps/pull/963
> 
> Input from server operators specifically would be welcomed to see if
> this change is in fact desirable or if you can see any issues with
> that. At least one member of the community has already expressed [1]
> that they think this may lead to downgrade attacks.
>    [1]: https://mail.jabber.org/pipermail/standards/2020-June/037592.html

(Prosody developer hat)

TL;DR: It's probably fine, but I wish Dialback would go away.

As mentioned in the PR, this reflects how current versions of ejabberd
and prosody already behave (by default?). These two implementations
account for a large part of the open XMPP federation. So, if this XEP is
to describe current practice, then this PR is good.

I do not think that it constitutes a downgrade attack, rather it becomes
a local policy decision of whether to trust Dialback when faced with
untrusted certificates. Dialback is still fairly hard to circumvent
AFAIK.

At least in Prosody, certificate validation strictness and Dialback are
configurable. Falling back to Dialback might only be done if the remote
server thinks your own certificate is insufficient, but you think theirs
is fine.

This does result in a number of different possible configurations. Not
great for something security related. Personally I hope we might be able
to phase out Dialback in the future. Today, largely thanks to Let's
Encrypt, more and more servers have valid certificates. So, the Dialback
code paths are more and more disused.

My own server requires valid certificates and this is mostly an issue
with certain XSF members (you know who you are). As a bonus, many
unmaintained certificates with expired certificates that I am unable to
establish s2s with appear to be sources of spam, which I am spared from.

-- 
Kim "Zash" Alvefur
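The two operator policies discussed above, written out as Prosody configuration. This is an added illustration, not a fragment from the thread or from Prosody's own documentation; the option names are real Prosody settings, the domain names are placeholders, and the two blocks are alternatives, not meant to be used together.

```lua
-- Added example (not from the thread). Two alternative s2s trust policies
-- for Prosody; pick one, globally or inside a VirtualHost section.

-- Policy A (permissive): encryption is mandatory, but a peer whose
-- certificate fails validation may still authenticate via Dialback.
-- Whether to accept that fallback is the local decision the thread refers to.
s2s_require_encryption = true
s2s_secure_auth = false

-- Policy B (strict): a peer must present a certificate that validates;
-- otherwise the s2s connection is refused and Dialback is not consulted.
-- A short allow-list keeps reachability for known peers with bad certificates,
-- so the exception is explicit and auditable rather than implicit.
s2s_require_encryption = true
s2s_secure_auth = true
s2s_insecure_domains = { "legacy-peer.example" }   -- placeholder domain

-- Optional for Policy B: remove the Dialback code path entirely so that
-- SASL EXTERNAL (certificate-based auth) is the only s2s mechanism offered.
modules_disabled = { "dialback" }
```

With Policy B, a failed s2s attempt to a peer with an expired certificate shows up in the Prosody log as a certificate validation failure rather than a silent Dialback fallback, which is the signal an operator needs when deciding whether to add that peer to the exception list.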