-
moparisthebest
"authenticated at the HTTP layer" yeesh I don't think I want to know...
-
Link Mauve
Probably like MastodonPub.
-
Maranda[x]
> SMTP doesn't authenticate certificates at all by default
You'd be surprised, a very few of 'em do MTA-STS too
-
Maranda[x]
Since STARTTLS is still the way
-
moparisthebest
a few of them do DANE too
-
moparisthebest
wonder which is more widespread at this point
-
rob
I do mta-sts
-
moparisthebest
I've done DANE for years, almost since the beginning, haven't tried this lesser MTA-STS business yet :)
-
Maranda[x]
Holger: Matrix federation does need a valid cert to work on the termination, and it also employs an additional checksum validation on the request to avoid tampering in between (which happily often breaks reverse proxies, and requires additional configuration)
-
Holger
Maranda[x], yeah but (as per the cited spec) it doesn't need a _client_ cert right?
-
moparisthebest
how does it validate incoming requests without a (client) cert ?
-
Maranda[x]
Usually REQs are signed using generated ed25519 based keys but the mechanism sorta lapses me tbh
-
Maranda
The same should be done for both CS and SS iirc but that's not one aspect I delved into
-
rob
> I've done DANE for years, almost since the beginning, haven't tried this lesser MTA-STS business yet :)
I should get around to setting up DANE
-
moparisthebest
Maranda, so they (poorly) re-invented TLS client certs ? :/
-
moparisthebest
don't get me wrong, validating incoming connections is a nightmare but I don't think there's a better way without reinventing the wheel
-
croax
Back to dialback!
-
Holger
Not everyone has the expertise required to reinvent authentication of incoming connections in such an elegant and straightforward way as we did.
-
Holger
Ok the SMTP guys were wise enough not to open this can of worms in the first place.
-
Holger
https://jabber.fu-berlin.de/share/holger/08l5cWGfiqj4h5vU/never-try.jpg
-
croax
😅 hehe. Nonetheless, I guess it was wise enough to rely on challenges and IPs rather than DNS records when DNSSEC was not so popular
-
Maranda
moparisthebest: tbh most of Matrix is token based anyways, so session authentication isn't exactly its strong point, to cope with that they added additional verification mechanisms (e.g. cross signing) but still... 🤷
-
moparisthebest
ah yes, gotta love a pile-o-hacks-on-top-of-hacks >_> <_<
-
Maranda
If you ever manage to hijack a token you basically gain access to the account period