Daniel Gultsch

2 months ago

Daniel Gultsch
2 months ago

The #XMPP community should move away from STARTTLS.
· It's slower than direct TLS.
· It adds complexity and increases the attack surface.
· With SNI & ALPN widely deployed and encryption now mandatory, it no longer serves a purpose.

#xmpp

𝔻𝕚𝕖𝕘𝕠 🦝🧑🏻‍💻🍕 likes this.

in reply to Daniel Gultsch

Markus Brückner

in reply to Daniel Gultsch 2 months ago

while I do agree with you for most of it, there's one thing I'd like to consider: sometimes the "normal" port for a protocol is open, whereas the "secure" one is closed (think "hotel wifi"). Granted, I've only encountered this with SMTP Submission so far and XMPP would probably be blocked completely in such environments.

in reply to Daniel Gultsch

Inuit

in reply to Daniel Gultsch 2 months ago

Hello @daniel
Will all clients automatically connect to direct TLS at port 5223 if I close port 5222 on my server ?

Also for s2s will all servers establish connections at port 5270 if I close 5269 ?

@Daniel Gultsch

in reply to Daniel Gultsch

Bhante Subharo

in reply to Daniel Gultsch 2 months ago

the two worst "footguns" I encountered when setting up #Prosody 0.12.3 in #Debian 12 were - you're not going to like this - enabling TLS, not STARTTLS (ruins upload.sampledomain.com capability), and trying to use SRV records (made an honest attempt, couldn't get it to fly).

These "footguns" wasted two brutally unenjoyable days of my life, until I scaled back these progressive wishes.

#XMPP

#xmpp #debian #prosody

This entry was edited (2 months ago)

⇧

Daniel Gultsch

Daniel Gultsch

Daniel Gultsch 2 months ago • •

Markus Brückner

Inuit

Bhante Subharo

Daniel Gultsch
2 months ago