[jdev] manifesto 0.4

Alexander Holler holler at ahsoftware.de
Thu Nov 7 21:20:55 UTC 2013


On 07.11.2013 21:29, Thijs Alkemade wrote:
>
> On 7 nov. 2013, at 20:50, Alexander Holler <holler at ahsoftware.de> wrote:
>
>> "up to date" is the keyword here. E.g. squeeze is still supported, but its openssl doesn't support TLSv1.2. And even if it were EOL, I would like to have the freedom to choose myself when I stop using it.
>
> And some people might still want to use SSLv2 with DES, but it’s really not a good reason to keep using protocols with known vulnerabilities. If we were adjusting the requirements so even the laziest admins wouldn’t need to do anything, then it would hardly be a manifesto.
>
>> Sure, therefore I'm here and speak against the requirement for TLSv1.2. The manifesto sounds like it might be a good idea to enforce that requirement on the S2S too, and that clearly isn't what should be done in my opinion.
>
> There’s no such requirement in the manifesto and I know many people would be against doing that right now.
>
>> I already seem to be pretty alone with letting the user choose what he thinks he needs (I'm pretty in support of encouraging strong encryption, just not of _requiring_ it, at least not now).
>
> There’s also no requirement for “strong” encryption, unless you count the MTI cipher suite TLS_RSA_WITH_AES_128_CBC_SHA from 6120 or the requirement to prefer forward-secret cipher suites.
>
>>> In any case, the attack vector here isn't that the NSA or GCHQ are
>>> targeting you specifically. It's that they're targeting everyone, and
>>> keeping that information around in case they need it later. This is why
>>> we're suggesting encrypting everything, and with PFS, so that it's
>>> worthless, and so they *need* to target you to snoop on you.
>>
>> I know all that (don't misinterpret the fact that I've forgotten that DH has been supported by openssl for a long time), but I wouldn't use my server for any communication I want to be secret. At least not for stuff which isn't p2p encrypted (and XMPP usually is not).
>
> You don’t care about security, you don’t want your communication to be secret… why are you even discussing this? You’re derailing this thread with misinformation and showing an unwillingness to change anything.

Sorry, people, do you all like to turn the words in my mouth into 
something I haven't said?

What a scary list.

I never said I don't want my communication to be secret and I never 
said that I don't care about security. I have just said that I don't 
care if the communication I do through XMPP on my little server uses 
strong encryption. And no word about security.

And that doesn't mean that I don't care about my privacy, in fact I care 
a lot, I'm just not that silly to think that I could use XMPP for that 
without P2P encryption. That's a whole different thing than you want to 
imply.

Thanks for being that iniquitous.

Alexander Holler
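The cipher-suite points argued over above (the RFC 6120 MTI suite TLS_RSA_WITH_AES_128_CBC_SHA, preferring forward-secret suites, and a squeeze-era openssl without TLSv1.2), as an added Python example that is not part of this thread or of any XMPP project's code. The `classify`/`prefer_forward_secret`/`audit` functions, the result dictionary shape and the "squeeze" suite list are my own constructed assumptions, not measured values.

```python
"""Classify TLS <= 1.2 cipher suites by key exchange and audit a server's
offered list: is TLSv1.2 available, is the RFC 6120 MTI suite still there,
and are forward-secret (DHE/ECDHE) suites preferred over plain RSA?"""
from typing import NamedTuple

MTI_SUITE = "TLS_RSA_WITH_AES_128_CBC_SHA"   # mandatory-to-implement suite, RFC 6120
FORWARD_SECRET_KX = {"DHE", "ECDHE"}          # ephemeral key exchange => forward secrecy

class SuiteInfo(NamedTuple):
    name: str
    key_exchange: str      # e.g. "RSA", "DHE", "ECDHE", "DH", "ECDH", "PSK"
    forward_secret: bool

def classify(name: str) -> SuiteInfo:
    """Parse an IANA-style TLS <= 1.2 suite name; the key exchange is the
    first token after "TLS_" (TLS_ECDHE_RSA_WITH_... -> "ECDHE").
    TLS 1.3 names (no "_WITH_") are rejected rather than guessed at."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS 1.2-style cipher suite name: {name!r}")
    kx = name.split("_WITH_", 1)[0].split("_")[1]
    return SuiteInfo(name, kx, kx in FORWARD_SECRET_KX)

def prefer_forward_secret(names):
    """Stable partition: forward-secret suites first, in their original order,
    then the rest, so the MTI RSA suite stays available but is never preferred."""
    fs = [n for n in names if classify(n).forward_secret]
    rest = [n for n in names if not classify(n).forward_secret]
    return fs + rest

def audit(offered, protocols):
    """'offered' is the server's preference-ordered suite list, 'protocols'
    the set of version names it will negotiate (constructed labels)."""
    classified = [classify(n) for n in offered]
    return {
        "tls12_supported": "TLSv1.2" in protocols,
        "mti_present": MTI_SUITE in offered,
        "forward_secret_preferred": bool(classified) and classified[0].forward_secret,
        "non_forward_secret": [c.name for c in classified if not c.forward_secret],
    }

if __name__ == "__main__":
    # Constructed sample: a squeeze-era server that cannot do TLSv1.2 and lists
    # the MTI suite ahead of its DHE suites (illustrative values, not measured).
    squeeze = ["TLS_RSA_WITH_AES_128_CBC_SHA",
               "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
               "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"]
    print(audit(squeeze, {"SSLv3", "TLSv1"}))
    print(prefer_forward_secret(squeeze))
```

Reordering alone fixes the preference finding; the missing TLSv1.2 finding can only be fixed by a newer openssl, which is the trade-off the thread is about.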
