[jdev] manifesto & DANE does not cut it

Ralf Skyper Kaiser skyper at thc.org
Tue Nov 19 12:30:06 UTC 2013 

Hi

On Tue, Nov 19, 2013 at 12:26 PM, Ashley Ward <ashley.ward at surevine.com>wrote:

> On 19 Nov 2013, at 11:58, Ralf Skyper Kaiser <skyper at thc.org> wrote:
> > This attack and vulnerability in the TLS authentication has been
> recognized by all major browser manufactures. Pinning (on top of DNSSEC) is
> being implemented as we speak. Why jabber tries so hard of being less
> secure than the web browser is a mystery to me.
>
> I guess one of the issues is that XMPP, being federated, is far more
> complicated than the straightforward client-server of the web. I’m far from
> an expert on these things but some kind of certificate pinning would
> require some extra xmpp protocol would it not? Plain DNSSEC and DANE could
> be implemented today though so my view would be let’s make sure we’re using
> the best we can do today in imlement the silver standard, and then have a
> really good discussion about how to implement the gold standard
> (potentially certificate pinning, but even this has drawbacks).
>

Pinning does not require any protocol change in its simplest form. It can
be done with just minor changes on the client side.


> For users that absolutely require secrecy then they can still use e2e
> encryption today.
>

Does not  help as your entire buddy list and meta data is not protected by
OTR or other jabber plugins.


>
> Let’s implement what we already have standards for today as a good start,
> and then, once that’s implemented, we can look at the gold standard.
> Otherwise we risk delaying for no really good reason.
>

I agree. No single security feature should delay the deployment of other
security features.

But let's add it to the manifesto so that we have a road-map to work
towards.

regards,

ralf

>
>> Ash
> _______________________________________________
> JDev mailing list
> Info: http://mail.jabber.org/mailman/listinfo/jdev
> Unsubscribe: JDev-unsubscribe at jabber.org
> _______________________________________________
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.jabber.org/jdev/attachments/20131119/1396ea0e/attachment.html>

More information about the JDev mailing list