[Psi-Devel] "Remember" option on certificate warning
Jesse Thompson
jesse.thompson at doit.wisc.edu
Mon Feb 23 10:11:08 PST 2009
Kevin Smith wrote:
>> What about the suggestion that SRV names be checked against the
>> server cert? That way you can host 100's of domains with the _same_
>> SRV records and a single cert.
>
> Unfortunately, that then ties TLS security into DNS security.
Then I think that there has to be a solution for the DNS security issue
that doesn't make it impossible for the XMPP operators to manage their
service.

The current situation of requiring that TLS solve the DNS issue has
caused both the TLS and DNS issues to be ignored.

* hosting providers such as us, Google, and others, are using
mismatched certificates. So, in Psi, you have to ignore all SSL errors,
which leaves the users open to DNS forgery, and which TLS will not even
warn about.

* some other clients (such as Pidgin) don't even bother to verify that
the certificate matches the domain. I don't know why they do this, but
I would bet that it has something to do with the number of services that
have mismatched certificates.

* I would venture to guess that many services aren't even implementing
TLS because of all of this.

Jesse
--
Jesse Thompson
Division of Information Technology, University of Wisconsin-Madison
Email/IM: jesse.thompson at doit.wisc.edu
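
Added example (not part of the original message and not Psi's code): a sketch of the two certificate-matching policies discussed in this thread, matching against the domain the user typed versus matching against the SRV target, run over constructed cases. All host names, certificate name lists and function names are assumptions made for the illustration.

```python
# Added illustration. Every host name and certificate name list is constructed.

def name_matches(cert_name, host):
    """Compare one dNSName from a certificate with a host name.
    A '*' is honoured only as the complete left-most label."""
    c = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(c) != len(h):
        return False
    if c[0] == "*":
        return len(c) > 2 and c[1:] == h[1:]
    return c == h

def verify(jid_domain, srv_target, cert_names, policy):
    """policy 'domain': the reference identity is the domain the user typed.
    policy 'srv-target': the reference identity is the host name taken from
    the SRV answer, which arrived over unauthenticated DNS."""
    reference = {"domain": jid_domain, "srv-target": srv_target}[policy]
    return any(name_matches(n, reference) for n in cert_names)

# Constructed scenarios: (JID domain, SRV target received, names in the cert presented)
SCENARIOS = {
    "hosted, genuine SRV answer": ("customer.example", "xmpp.hoster.example", ["*.hoster.example"]),
    "hosted, forged SRV answer": ("customer.example", "xmpp.elsewhere.example", ["xmpp.elsewhere.example"]),
    "self-hosted, cert for domain": ("school.example", "im.school.example", ["school.example"]),
}

def outcomes():
    """Return {scenario: {policy: accepted?}} for both policies."""
    return {label: {p: verify(d, t, names, p) for p in ("domain", "srv-target")}
            for label, (d, t, names) in SCENARIOS.items()}

if __name__ == "__main__":
    for label, result in outcomes().items():
        print(f"{label:30} {result}")
```

Under the 'srv-target' policy the genuine and the forged hosted case are both accepted, so the result is only as trustworthy as the DNS answer; the 'domain' policy rejects both, which is the mismatch warning hosted domains produce today.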