XMPP Service Operators - 2025-05-09


  1. jonas-l

    > Wow, there's four servers still using RSA ciphersuites instead of AES

    That sounds useless and your snippet does not show that

  2. jonas-l

    Actually, it's nice (although probably useless with TLS) that it's AES in GCM mode and (EC)DHE with RSA only for signing

  3. jonas-l

    Actually, it's nice (although probably useless with TLS) that it's AES in GCM mode and (good even with TLS) (EC)DHE with RSA only for signing

  4. jonas-l

    Actually I once brought up during an interview the question whether every TLS segment with AES in GCM mode uses a GCM authentication tag and/or SHA. I don't know the answer and the interviewer didn't know either.

  5. Martin

    > Operators of these servers you may want to consider updating your TLS implementation library. If this is intentional could you explain why you're using these odd ciphersuites?

    Quicksy.im also doesn't support TLSv1.3. I wonder why as afair Daniel said it runs on Debian stable and even oldstable (maybe even oldoldstable?) can do TLSv1.3.

  6. erebion

    > matrix server discussion, in an xmpp server muc
    > if i had a penny

    Where else would you go and ask for help when it breaks? :p

  7. erebion

    Did that a couple times myself in a MUC just for that.

  8. tom

    > Actually I once brought up during an interview the question whether every TLS segment with AES in GCM mode uses a GCM authentication tag and/or SHA. I don't know the answer and the interviewer didn't know either.

    Because RSA is slow and requires massive key sizes to still be secure. We would have switched away from it back in the 90s had the NSA not backdoored dual_ec_drbg, scaring everyone away from elliptic curve cryptography for roughly a decade or two

  9. tom

    > Actually I once brought up during an interview the question whether every TLS segment with AES in GCM mode uses a GCM authentication tag and/or SHA. I don't know the answer and the interviewer didn't know either.

    Because RSA is slow and requires massive key sizes to still be secure. We would have switched away from it back in the 2000s had the NSA not backdoored dual_ec_drbg, scaring everyone away from elliptic curve cryptography for roughly a decade or two

  10. tom

    The ciphersuite Matrix is using though is considered weak. There are several vulnerabilities from it, most of which are denial of service vectors but one being information leakage in an edge case due to how they're using DHE

  11. jonas-l

    >> Actually I once brought up during an interview the question whether every TLS segment with AES in GCM mode uses a GCM authentication tag and/or SHA. I don't know the answer and the interviewer didn't know either.
    > Because RSA is slow and requires massive key sizes to still be secure. We would have switched away from it back in the 2000s had the NSA not backdoored dual_ec_drbg, scaring everyone away from elliptic curve cryptography for roughly a decade or two

    The question was absolutely unrelated to the asymmetric cryptography and thus RSA

  12. tom

    Just a heads up, I've been having to implement additional filtering both at the application level and network level due to DDoS attacks from AI companies.

  13. tom

    The filters I'm setting up are very conservative and shouldn't have false positives but just in case a real person is caught in the crossfire you can report it here.

  14. tom

    I'm probably going to have to block China.

  15. tom

    I don't think I have any legitimate traffic at all coming from China.

  16. tom

    90%+ of the attacks are also coming from China

  17. Kris

    They will switch to IPs from Seychelles and other places if you block them.

  18. Kris

    Country level block is ineffective and mostly hurts legitimate users

  19. tom

    I don't have any legitimate China users.

  20. tom

    btw, I just implemented a whole bunch of additional checks at my network perimeter. If they have affected any legit users speak up now.

  21. tom

    I also had to block AS45102

  22. tom

    Anybody using Chinese cloud servers from Alibaba for a LEGITIMATE & legal purpose please speak up now.

  23. tom

    > Country level block is ineffective and mostly hurts legitimate users

    Kris, untrue. See https://www.spamhaus.org/blocklists/do-not-route-or-peer/. It's very useful for an ISP to use these lists as part of their infrastructure protection service to protect their users.

  24. tom

    There are some networks that are set up explicitly for cybercrime, or just do not care about handling abuse on their end at all and are bad stewards.

  25. tom

    It makes sense to drop or refuse to route these nets & ASNs in those cases.

  26. worlio.com

    > Country level block is ineffective and mostly hurts legitimate users

    In the majority of cases, you cannot obtain legitimate users from China.

  27. hobocanid

    In my experience a connection willing to circumvent region blocking is almost always a real user

  28. hobocanid

    and I can't imagine Chinese internet users even finding let alone being interested in a lot of the services we host here

  29. hobocanid

    they already have their own walled garden