-
seantodd
@version chat.seantodd.co.uk
-
Echo1
seantodd: chat.seantodd.co.uk is running Prosody version trunk nightly build 1158 (2019-10-20, cb9755d7a36e) on Linux
-
seantodd
@contact chat.seantodd.co.uk
-
seantodd
Hmm, does the bot have a command for pulling contact details? I'm just trying to make sure my server is user-friendly before pushing it to wider people.
-
jonas’
07:42:52 jonas’> !contact chat.seantodd.co.uk 07:42:55 foorl> jonas’: contact for chat.seantodd.co.uk: abuse: <mailto:abuse@seantodd.co.uk>, <xmpp:seantodd@chat.seantodd.co.uk> admin: <mailto:admin@seantodd.co.uk>, <xmpp:seantodd@chat.seantodd.co.uk> support: <mailto:support@seantodd.co.uk>, <xmpp:seantodd@chat.seantodd.co.uk>
-
jonas’
sgtm
-
jonas’
make sure you can receive messages from strangers on seantodd@chat.seantodd.co.uk
-
Link Mauve
seantodd, also, any reason you use this chat. subdomain? It might be nicer to have both your email and your XMPP addresses match.
-
seantodd
I believe I can! Its set in my client.
-
seantodd
And Link, it's a legacy domain. I'm looking to migrate soon-ish.
-
Link Mauve
Ok.
-
seantodd
Thanks for the assistance though peeps!
-
jonas’
seantodd, migrating is a pain in the a**
-
jonas’
you want to do this as early as possible
-
seantodd
jonas’: agreed. I'm considering just burning and reinitialising my entire chat stack. It'll give me chance to re-do my DNS entries too.
-
seantodd
jonas’: there aren't enough users to require a migration right now.
-
Ge0rG
Is there any info on which XMPP clients do/don't support ECDSA server certs?
-
404.city
Ge0rG, yaxIM✎ -
404.city
Ge0rG, yaxIM don't support. All other support ✏
-
perflyst
Ge0rG: when dane in yaxim? :) i saw recently that aTalk supports it
-
Licaon_Kter
perflyst: if we go by what atalk supports yaxim/conversations/xabber should just close and go home Yet...
-
perflyst
nah, aTalk has 99% features but bad UI
-
Licaon_Kter
_I've got 99 features but a user ain't one_
-
Ge0rG
404.city: you mean yax.im the server, not yaxim the client, right?
-
Ge0rG
perflyst: DANE? Needs to come from Smack.
-
404.city
Ge0rG, I mean the client YaxIM, not the server yax.im
-
Ge0rG
404.city: the client is yaxim, all lowercase ;)
-
Ge0rG
404.city: so you tell me yaxim won't connect to a server with an ECDSA cert? Do you have an error message?
-
404.city
Ge0rG, I have no other information, except that the yaxim client does not connect to 404.city. The most likely reason is an ECC certificate
-
Ge0rG
404.city: thanks for reporting it. I'll investigate.
-
Ge0rG
However, yaxim is not doing anything special, so it is probably heavily dependent on the Android version.
-
404.city
Ge0rG, Is Google's quantum computer hacking RSA?
-
Ge0rG
404.city: NSA has hacked DSA
-
Ge0rG
404.city: I've just logged in from yaxim to 404.city
-
Ge0rG
the only thing that doesn't work is MUC search, because it needs s2s to yax.im
-
404.city
Ge0rG, I love when mistakes disappear, without any action
-
Ge0rG
404.city: I hate it. Because they don't really disappear, they will come back later and bite you
-
Ge0rG
404.city: I'll probably reconsider the deactivation of ECDSA handshakes on yax.im, which will then restore direct connectivity to 404.city
-
Licaon_Kter
Wasn't ECDSA using some messed up primes or smth?
-
404.city
Licaon_Kter, Yes, they used to. RSA also uses. Lets Encrypt also followed NSA orders.
-
Licaon_Kter
U trolling now or just fud as usual?
-
404.city
If we talk about protecting the CA from the NSA, then it is complete crap, but this complete crap works well against third countries.
-
404.city
Licaon_Kter, No, this is not trolling. There are facts exist.
-
404.city
Example: https://xmpp.net/result.php?domain=yax.im&type=server ECDHE-RSA . What a mess, this is an ECC certificate))
-
404.city
I did not find evidence with Lets Encrypt, but very often there are rumors that Lets issued fake certificates for hacking Arabs.
-
Ge0rG
Licaon_Kter: ECDSA is technically flawed, because it's neigh impossible to implement correctly
-
Ge0rG
https://minerva.crocs.fi.muni.cz/ is the last one in a series of practical attacks against ECDSA
-
Ge0rG
the most embarassing one, however, is this: https://medium.com/asecuritysite-when-bob-met-alice/not-playing-randomly-the-sony-ps3-and-bitcoin-crypto-hacks-c1fe92bea9bc
-
404.city
Ge0rG, In practice, you can implement an attack on any certificate if you are CA
-
Ge0rG
404.city: that's wrong. You can implement an attack on any *domain* if you are a CA
-
Ge0rG
404.city: however, with Certificate Transparency and HSTS it's getting increasingly harder.
-
404.city
CA centers are completely subordinate to the governments of the countries where their location. RSA and ECC certificates are equally unreliable against CA attacks. Recently, there has been a massive transition to ECC certificates, because they are more resistant to cracking by quantum computers. RSA has a maximum bit rate of 4096 bit. 512 bit ECC equivalent to 16,000 bit RSA
-
perflyst
404.city: so everyone should self sign again?
-
perflyst
if you dont like CAs as you think they are gov spy companies, what about your manifesto to distrust everyone else https://github.com/E-404/Manifestos/blob/master/1.md ?
-
Ge0rG
404.city: what you have said has nothing to do what I asked about.
-
404.city
>perflyst: 404.city: so everyone should self sign again? To solve these problems, there is e2e encryption
-
Ge0rG
I'm still interested in knowing which clients I'll cut off by switching from an RSA cert to ECDSA
-
Ge0rG
apparently, Android 4.1 is required for ECDSA support
-
Ge0rG
But I'm sure there are others that will get cut off
-
404.city
>perflyst: if you dont like CAs as you think they are gov spy companies, what about your manifesto to distrust everyone else Self-signed certificates are the worst option. Self-signed certificates, this is a complete lack of encryption. There is not always a choice between the best and the worst. Sometimes there is a choice between bad and very bad. CAs protect against hacking from third countries where CA is not located. Self-Signing Won't Protect From Public Wi-Fi
-
Ge0rG
Sigh.
-
404.city
Ge0rG: Most client and servers support ECC. The transition is invisible to most users
-
404.city
Ge0rG, Your server has many users with a yaxim client, so you should pay attention only to this client
-
Link Mauve
404.city, I remember when some Ejabberd admins switched to ECC certificates, it broke s2s with my servers.
-
Link Mauve
This has probably been fixed since then, but not everyone updates as quickly.
-
Ge0rG
Link Mauve: do you have s2s to 404.city?
-
Link Mauve
Yes.
-
Link Mauve
I’m talking about multiple years ago.
-
Ge0rG
404.city [19:08]: > Ge0rG, Your server has many users with a yaxim client, so you should pay attention only to this client Yes, it's a great idea to ignore all users not running a certain unpopular implementation.
-
404.city
Link Mauve, Some administrators manually list ciphers and forget to mention RSA when using ECC and vice versa. I encountered the same problem when using RSA. However, I was persuaded to switch to ECC. The reason is that supposedly CA will soon switch to ECC, which makes the long-term use of RSA meaningless.
-
Link Mauve
Ge0rG, but there are still people starting to run Prosody 0.9.7 today, with an equally outdated software stack.
-
Ge0rG
Link Mauve: ITYM Debian
-
Link Mauve
You read my mind!
-
404.city
Ge0rG, Possible problems may occur with users with Windows XP
-
Ge0rG
404.city: do you have a list of clients that do / don't support ECDSA? Did you see a change in numbers when you switched?
-
404.city
Ge0rG, I did not notice any changes in the number of connections, but it is worth noting that 404.city b did not allow users with Windows XP to connect before.
-
Ge0rG
Does XP support TLS 1+?
-
404.city
Ge0rG, Only user with yaxim and UWPX reported connection problems. Currently there are user connections with new version UXPX.
-
Ge0rG
404.city: do you still have contact to the yaxim user? I'd appreciate a bug report.
-
404.city
Ge0rG, I don’t know, but a lot of people (10%) fell off after receiving a 100% RSA certificate at xmpp.net They all reported that they have Windows XP
-
404.city
Ge0rG, I don’t remember who this man was. It was a long time ago.I will forward the yaxim errors to you.
-
Ge0rG
https://blog.intothesymmetry.com/2019/08/side-channel-timing-attacks-against.html it'll never stop
-
Ge0rG
404.city: thanks!