
XMPP switches on mandatory encryption

Posted May 22, 2014 19:39 UTC (Thu) by Comet (subscriber, #11646)
Parent article: XMPP switches on mandatory encryption

The comparison to email would be better done by contrasting STARTTLS deployment rates between the two, rather than link-encryption for XMPP and message-encryption for email. As two federated services which indirect via DNS (making it hard to have a verifiable identity for authenticated TLS unless and until you have verifying DNSSEC-capable resolvers) the problems are very similar.

Facebook send a lot of email and recently put up a blog post (does not require an account to access) on the stats for email, which is worth reading:

https://www.facebook.com/notes/protect-the-graph/the-curr...

Meanwhile, pleasingly the latest Mercurial tip of Prosody, an XMPP server (written in Lua, fairly popular) supports DANE-based verification for peers, letting us move towards authenticated TLS via DNSSEC without the federated service CA problem (which is rather worse than the general case CA problem).


XMPP switches on mandatory encryption

Posted May 23, 2014 1:41 UTC (Fri) by flussence (guest, #85566)

I'd love to turn DANE on for various services (XMPP being one of them), but when I tried a few weeks ago, it turned out my DNS provider (OVH) is crippled and doesn't allow it. (They have a freeform BIND zone editor but it's validated against some never-updated regex that excludes TLSA lines. The people who've asked for this feature at their support forums received the silent treatment so I'm not holding my breath.)

So I'm left running an arrangement with a self-signed CA and per-service certs signed by that, which I'm okay with since it's (mostly) for personal use. It's better than having everything in cleartext in any case, but it only works when the client software checks a cert doesn't change, as SSH does. The Android mail app is one annoying exception here and it took a fair amount of manual setup (and a big scary persistent warning symbol in the system settings) to get it to actually provide meaningful security with a self-signed CA.
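As an added illustration, not code from this thread, from Prosody or from OVH, of what the TLSA line flussence could not get into the zone looks like for a self-signed XMPP server, and of the DANE-EE check a peer such as the Prosody build Comet mentions above performs: a stdlib-only Python script that pulls the SubjectPublicKeyInfo out of a DER certificate, builds the `3 1 1` record for `_5269._tcp.<host>`, and verifies a presented certificate against it. The host name, the constructed certificate stand-in and the assumption that the TLSA answer was already fetched through a validating DNSSEC resolver are mine, not the thread's.

```python
import hashlib

def der_children(data: bytes) -> list:
    """Split a DER SEQUENCE body into (tag, whole_tlv, body) tuples."""
    out, i = [], 0
    while i < len(data):
        start, tag, n, i = i, data[i], data[i + 1], i + 2
        if n & 0x80:                              # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        out.append((tag, data[start:i + n], data[i:i + n]))
        i += n
    return out

def extract_spki(cert_der: bytes) -> bytes:
    """SubjectPublicKeyInfo TLV (TLSA selector 1); RFC 5280 TBSCertificate field order."""
    fields = der_children(der_children(der_children(cert_der)[0][2])[0][2])
    if fields[0][0] == 0xA0:                      # the explicit [0] version is optional
        fields = fields[1:]
    return fields[5][1]                           # serial, sigalg, issuer, validity, subject, SPKI

def tlsa_rdata(cert_der: bytes, usage=3, selector=1, mtype=1) -> str:
    """'3 1 1' (DANE-EE, SPKI, SHA-256) pins the server's own key, so no CA is needed."""
    obj = cert_der if selector == 0 else extract_spki(cert_der)
    digest = {0: obj.hex(), 1: hashlib.sha256(obj).hexdigest(),
              2: hashlib.sha512(obj).hexdigest()}[mtype]
    return f"{usage} {selector} {mtype} {digest}"

def tlsa_zone_line(host: str, port: int, rdata: str) -> str:
    """Zone-file form; XMPP s2s is 5269/tcp, so the owner name is _5269._tcp.<host>."""
    return f"_{port}._tcp.{host}. IN TLSA {rdata}"

def tlsa_matches(rdata: str, cert_der: bytes) -> bool:
    """DANE-EE check: recompute the record from the presented cert and compare."""
    usage, selector, mtype, _ = rdata.split()
    if usage != "3":        # usages 0-2 also need PKIX chain validation, not done here
        raise ValueError("only DANE-EE (usage 3) is handled in this example")
    return tlsa_rdata(cert_der, 3, int(selector), int(mtype)) == rdata

def der_tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 0x80                       # short-form length suffices below
    return bytes([tag, len(body)]) + body
def fake_cert(spki_body: bytes) -> bytes:
    """Constructed stand-in: correct DER shape, dummy key and signature bytes."""
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))  # [0] version v3
                  + der_tlv(0x02, b"\x01")                      # serialNumber
                  + der_tlv(0x30, b"") * 4                      # sigalg, issuer, validity, subject
                  + der_tlv(0x30, spki_body))                   # subjectPublicKeyInfo
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))
```

The record only proves anything when the TLSA answer itself is DNSSEC-validated, which is the resolver dependency Comet points at above; an unsigned TLSA record is just a hint an attacker on the path can replace.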

XMPP switches on mandatory encryption

Posted May 23, 2014 11:14 UTC (Fri) by bangert (subscriber, #28342)

Or you could use a DNS service which does indeed support TLSA. Be sure to let your current provider know why you dumped them...

XMPP switches on mandatory encryption

Posted May 30, 2014 20:12 UTC (Fri) by Klavs (guest, #10563)

Let me recommend gratisdns.dk - DNS servers all over Europe - free (as in cost), and it supports DNSSEC, DANE etc.

XMPP switches on mandatory encryption

Posted Jun 2, 2014 15:50 UTC (Mon) by jch (guest, #51929)

> my DNS provider (OVH) is crippled and doesn't allow [DANE]

If you're using a dedicated OVH server, why are you using their DNS? In my experience, OVH give you cheap, well-connected and reasonably reliable servers (in the sense that they get replaced quickly when they break, I hope you had backups), but their services are not very useful -- they probably expect you to roll your own.

So apt-get install bind, point your NS at your server, and be done with it. I don't recall if OVH are willing to act as secondary, but for most applications secondaries are not really a hard requirement (and if you really need a secondary, you'll want it to be somewhere else than on OVH's network).

(I'm more annoyed about their IPv6 infrastructure -- a single /64 per server that is not routed, so you need to proxy-ND in order to do anything out of the ordinary.)

XMPP switches on mandatory encryption

Posted Jun 2, 2014 21:54 UTC (Mon) by flussence (guest, #85566)

Thanks for the prod in the right direction, they do allow specifying self-hosted DNS servers so I'll give it a shot (eventually).

The main reason I've stuck with their hosted offering for this long is that the basics were "good enough", and they've got a handy dyndns mechanism already set up. I was too lazy at the time to reimplement it myself. :)


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds