[jdev] Securing XMPP
Simon Tennant
simon at buddycloud.com
Thu Aug 29 09:00:53 UTC 2013
On 28 August 2013 18:28, Matthew Wild <mwild1 at gmail.com> wrote:
> > http://wiki.xmpp.org/web/Securing_XMPP
>
> Only feedback so far: you might want to clarify the "single
> domain"/"multiple domain" thing - DANE is not a requirement for
> securely hosting multiple domains on a single server. I think that
> might confuse people.
>
It's confusing me too. As I understand the current state of things:

If I look up the SRV record for example.com, connect to the server and the
certificate matches servername.example.com, I can be pretty certain that
I'm talking to the right server.

However, if example.com returns an SRV record for server.xmpp-hosting.com,
we're dealing with a different beast and DANE / POSHy things need to start
happening to avoid DNS spoofing. (I'm assuming example.com's owner doesn't
want to be lodging private certs with their XMPP vhosting provider.)

- Is there any reason to worry about DANE stuff for a single-domain XMPP
  setup?
- Is Prosody really the only server that supports DANE?

S.
--
Simon Tennant | buddycloud.com | +49 17 8545 0880 | office hours:
goo.gl/tQgxP
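
The following is an added example, not part of the original message or of any XMPP server's code. It sketches the identity check the message is asking about, following the RFC 6125 rule that the name to verify is the domain the user asked for, and that a name learned from DNS (the SRV target) counts only if it was obtained securely. The function names, the `srv_dnssec_validated` flag and the sample hostnames are assumptions made for illustration, and only dNSName entries are considered.

```python
# Added illustration. Function names, the DNSSEC flag and sample data are
# constructed; only dNSName SAN entries are modelled (no SRVName/XmppAddr).

def _match(pattern, name):
    """Compare a certificate DNS name with a reference name.

    A wildcard is honoured only as the whole left-most label, and
    (conservatively) never directly under a top-level label such as '*.com'.
    """
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if len(p) != len(n):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == n[1:]
    return p == n


def check_server_identity(source_domain, srv_target, cert_dns_names,
                          srv_dnssec_validated=False):
    """Return (accepted, reason) for a TLS certificate offered by srv_target.

    source_domain is the domain part of the JID, i.e. what the user typed.
    srv_target is the host name returned by the SRV lookup.
    """
    if any(_match(c, source_domain) for c in cert_dns_names):
        return True, "certificate names the source domain"
    if any(_match(c, srv_target) for c in cert_dns_names):
        if srv_dnssec_validated:
            return True, "certificate names the SRV target; SRV answer was DNSSEC-validated"
        # A spoofed SRV answer can point at any host that holds a valid
        # certificate for its own name, so this match proves nothing.
        return False, "certificate names only the SRV target, learned from unauthenticated DNS"
    return False, "certificate names neither the source domain nor the SRV target"


if __name__ == "__main__":
    cases = [  # constructed sample inputs
        ("example.com", "servername.example.com", ["example.com"], False),
        ("example.com", "server.xmpp-hosting.com", ["*.xmpp-hosting.com"], False),
        ("example.com", "server.xmpp-hosting.com", ["*.xmpp-hosting.com"], True),
    ]
    for source, target, names, secure in cases:
        print(source, "->", target, check_server_identity(source, target, names, secure))
```
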