[jdev] Securing XMPP

Matthew Wild mwild1 at gmail.com
Thu Aug 29 09:33:48 UTC 2013 

On 29 August 2013 10:00, Simon Tennant <simon at buddycloud.com> wrote:
>
>
>
> On 28 August 2013 18:28, Matthew Wild <mwild1 at gmail.com> wrote:
>>
>> > http://wiki.xmpp.org/web/Securing_XMPP
>>
>> Only feedback so far: you might want to clarify the "single
>> domain"/"multiple domain" thing - DANE is not a requirement for
>> securely hosting multiple domains on a single server. I think that
>> might confuse people.
>
>
> It's confusing me too. As I understand the current state of things:
>
> If I lookup the SRV record for example.com, connect to the server and the
> certificate matches servername.example.com, I can be pretty certain that I'm
> talking to the right server.

Incorrect. If you are claiming to be example.com, it doesn't matter
what your SRV record targets are. You need to identify yourself with a
certificate for example.com. See
http://prosody.im/doc/certificates#which_domain for our docs on this.

> However, if example.com returns a SRV record for server.xmpp-hosting.com,
> we're dealing with a different beast and DANE / POSHy things need to start
> happening to avoid DNS spoofing. (I'm assuming example.com's owner don't
> want to be lodging private certs with their XMPP vhosting provider).
>
> - Is there any reason to worry about DANE stuff for a single domain XMPP
> setup?

DANE solves a different problem. It allows you to use DNSSEC to
bootstrap trust in your certificate. This allows various fun things,
including (as I understand it) secure delegation to a hosting provider
(which POSH also allows, using a different method) and also the
ability to use your own CA, which people can verify through DNSSEC
magic as really belonging to you (as the domain owner).

> - Is Prosody really the only server that supports DANE?

I don't know, but I'll say that whatever support Prosody has for DANE
today is still quite experimental... (as is all DANE-supporting
software I've seen). I do think we're at the beginning of the "early
adopter" stage with it, and it remains to be seen how quickly it will
become feasible for secure federation.

Regards,
Matthew

More information about the JDev mailing list