XMPP Service Operators - 2022-03-16


  1. moparisthebest

    "authenticated at the HTTP layer" yeesh I don't think I want to know...

  2. Link Mauve

    Probably like MastodonPub.

  3. Maranda[x]

    > SMTP doesn't authenticate certificates at all by default

    You'd be surprised, a very few of 'em do MTA-STS too

  4. Maranda[x]

    Since STARTTLS is still the way

  5. moparisthebest

    a few of them do DANE too

  6. moparisthebest

    wonder which is more widespread at this point

  7. rob

    I do mta-sts

  8. moparisthebest

    I've done DANE for years, almost since the beginning, haven't tried this lesser MTA-STS business yet :)

  9. Maranda[x]

    Holger: Matrix federation does need a valid cert to work on the termination, and it also employs an additional checksum validation on the request to avoid tampering in between (which happily often breaks reverse proxies, and requires additional configuration)

  10. Holger

    Maranda[x], yeah but (as per the cited spec) it doesn't need a _client_ cert right?

  11. moparisthebest

    how does it validate incoming requests without a (client) cert ?

  12. Maranda[x]

    Usually REQs are signed using generated ed25519 based keys but the mechanism sorta lapses me tbh

  13. Maranda

    The same should be done for both CS and SS iirc but that's not one aspect I delved into tbh

  15. rob

    > I've done DANE for years, almost since the beginning, haven't tried this lesser MTA-STS business yet :)

    I should get around to setting up dane

  16. moparisthebest

    Maranda, so they (poorly) re-invented TLS client certs ? :/

  17. moparisthebest

    don't get me wrong, validating incoming connections is a nightmare but I don't think there's a better way without reinventing the wheel

  18. croax

    Back to dialback!

  19. Holger

    Not everyone has the expertise required to reinvent authentication of incoming connections in such an elegant and straightforward way as we did.

  20. Holger

    Ok the SMTP guys were wise enough not to open this can of worms in the first place.

  21. Holger

    https://jabber.fu-berlin.de/share/holger/08l5cWGfiqj4h5vU/never-try.jpg

  22. croax

    😅 hehe. Nonetheless, I guess it was wise enough to rely on challenges and IPs rather than DNS records when DNSSEC was not so popular

  23. Maranda

    moparisthebest: tbh most of Matrix is token based anyways, so session authentication isn't exactly its strong point, to cope with that they added additional verification mechanisms (e.g. cross signing) but still... 🤷

  24. moparisthebest

    ah yes, gotta love a pile-o-hacks-on-top-of-hacks >_> <_<

  25. Maranda

    If you ever manage to hijack a token you basically gain access to the account, period