Today is a test day for encrypted-only server connections; from tomorrow on we will allow connections without SSL/TLS again!
Please test your servers/operators at xmpp.net to see whether they offer you sufficient security!
Below is the statement from the XMPP Network Admins/ML:
A Public Statement Regarding Ubiquitous Encryption on the XMPP Network

Date: 2013-12-16
Version: 0.5

We, as operators of public services and developers of software programs that use the XMPP standard for instant messaging and real-time communication, commit to establishing ubiquitous encryption over our network on May 19, 2014.

Jabber/XMPP technologies were first released on January 4, 1999, by Jeremie Miller. Since then, channel encryption using Secure Sockets Layer (SSL) and Transport Layer Security (TLS) has been optional on the Jabber/XMPP network. Out of respect for the users of our software and services, we believe it is time to make such encryption mandatory.

Therefore we commit to the following policies, consistent with the IETF Internet-Draft “Use of Transport Layer Security in XMPP” <https://datatracker.ietf.org/doc/draft-saintandre-xmpp-tls/>.

For software implementations:

o support the STARTTLS method in XMPP as specified in RFC 6120, including mandatory-to-implement cipher suites and certificate validation consistent with RFC 6125
o prefer the latest version of TLS (TLS 1.2), but provide a configuration option to negotiate TLS 1.1, TLS 1.0, or SSLv3 for backward compatibility with existing deployed software
o disable support for SSLv2
o provide configuration options to require channel encryption for client-to-server and server-to-server connections
o provide configuration options to prefer or require cipher suites that enable forward secrecy
o prefer authenticated encryption (via digital certificates) for server-to-server connections; if authenticated encryption is not available, provide a configuration option to allow fallback to unauthenticated encryption with identity verification using the XMPP Server Dialback extension (XEP-0220)
o ideally, provide user or administrative interfaces showing:
  o if a given client-to-server or server-to-server connection is encrypted, authenticated, or both
  o the version of TLS and the cipher suite in use
  o details about a server’s certificate
  o a warning about any changes to a server’s certificate

For service deployments:

o require the use of TLS for both client-to-server and server-to-server connections, preferably with authentication (RFC 6125) but as a fallback using unauthenticated encryption in the form of TLS plus Server Dialback
o prefer or require TLS cipher suites that enable forward secrecy
o if possible, deploy certificates issued by well-known and widely-deployed certification authorities (it is known that multi-tenanted hosting services are unable to obtain or manage certificates for hosted domains)

The schedule we agree to is:

January 4, 2014 – first test day requiring encryption
February 22, 2014 – second test day
March 22, 2014 – third test day
April 19, 2014 – fourth test day
May 19, 2014 – permanent upgrade to encrypted network, coinciding with Open Discussion Day <http://opendiscussionday.org/>

This commitment to encrypted connections is only the first step toward more secure communication using XMPP, and does not obviate the need for technologies supporting end-to-end encryption (such as Off-the-Record Messaging or OTR), strong authentication, channel binding, secure DNS, server identity checking, and secure service delegation. Although we have worked to implement and deploy such technologies and will continue to do so, we believe that encrypting the traffic on the XMPP network is a necessary precondition to offering further security improvements.
Source: https://github.com
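To check a server against the statement's policies (STARTTLS offered and marked required per RFC 6120, SSLv2 disabled, TLS 1.2 preferred, cipher suites with forward secrecy), here is an added Python example; it is not part of the original post or of the statement. The stream-features XML and the connection details are constructed samples, and the forward-secrecy check assumes OpenSSL-style cipher names where an ECDHE or DHE prefix marks ephemeral key exchange.

```python
"""Offline checker for the STARTTLS feature advertisement of RFC 6120 and for
the TLS policy in the XMPP encryption statement. All inputs are constructed."""
import xml.etree.ElementTree as ET

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"  # STARTTLS namespace defined in RFC 6120

# Constructed sample: <stream:features> a server sends right after the stream header.
# A server that enforces the policy marks STARTTLS as <required/>.
FEATURES_REQUIRED = """<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
  <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>
</stream:features>"""
# Constructed sample: STARTTLS is offered but optional, and SASL is already advertised,
# so a client could authenticate over plaintext.
FEATURES_OPTIONAL = """<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
  <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>PLAIN</mechanism></mechanisms>
</stream:features>"""


def starttls_policy(features_xml):
    """Return 'required', 'optional' or 'absent' for the STARTTLS stream feature."""
    root = ET.fromstring(features_xml)
    tls = root.find(f"{{{NS_TLS}}}starttls")
    if tls is None:
        return "absent"
    return "required" if tls.find(f"{{{NS_TLS}}}required") is not None else "optional"


FORWARD_SECRECY_KX = ("ECDHE", "DHE")  # OpenSSL-style name prefixes (assumption)
DEPRECATED_PROTOCOLS = {"SSLv2"}       # the statement requires SSLv2 to be disabled


def evaluate_connection(features_xml, protocol, cipher):
    """Compare one connection summary (constructed) with the statement's policies.
    Returns a list of findings; an empty list means the connection is compliant."""
    findings = []
    policy = starttls_policy(features_xml)
    if policy != "required":
        findings.append(f"STARTTLS is {policy}: plaintext sessions remain possible")
    if protocol in DEPRECATED_PROTOCOLS:
        findings.append(f"{protocol} must be disabled")
    elif protocol != "TLSv1.2":
        findings.append(f"{protocol} negotiated; prefer TLS 1.2")
    if not cipher.startswith(FORWARD_SECRECY_KX):
        findings.append(f"{cipher} offers no forward secrecy")
    return findings


if __name__ == "__main__":
    for finding in evaluate_connection(FEATURES_OPTIONAL, "TLSv1", "AES256-SHA"):
        print("finding:", finding)
```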