Post Ab27dPaAMzzQDZGzzs by Monal@fosstodon.org
 (DIR) Post #AazVpDcQUUeu0wc5pY by daniel@gultsch.social
       2023-10-21T09:52:23Z
       
       0 likes, 0 repeats
       
       Yesterday we all had a good laugh at the BND intern who forgot to renew a certificate and single handedly exposed an entire surveillance operation, but today we must make developing and deploying Channel Binding our top priority.
       
 (DIR) Post #AazitGDo3PaoeKM5ei by ruff@social.librem.one
       2023-10-21T12:18:44Z
       
       0 likes, 0 repeats
       
       @daniel I thought sasl-scram-plus is supported by majority client/server implementaitons?
       
 (DIR) Post #AazjoEwbTa4xC4TjqS by daniel@gultsch.social
       2023-10-21T12:29:04Z
       
       0 likes, 0 repeats
       
       @ruff It’s complicated. When the ecosystem migrated from TLSv1.2 to TLSv1.3 we lost a commonly used binding mechanism and had to invent a new one. The specification for this has been published only about a year ago¹. And because there are multiple channel binding mechanisms (endpoint and unique or exporter respectively) we need a negotiation mechanism. The spec for this has also only been published recently².

       ¹: https://datatracker.ietf.org/doc/rfc9266/
       ²: https://xmpp.org/extensions/xep-0440.html
       
 (DIR) Post #AazmWs1jjDMZ3aHxrc by ruff@social.librem.one
       2023-10-21T12:59:33Z
       
       0 likes, 0 repeats
       
       @daniel well yes, I'm aware of that problem, but I think the best we can do is just restrict that to rigid rules (1.2=cert+uniq, 1.3=cert+exporter), as otherwise you need to bring signing and verification into stream feature negotiation, which usually work at different layers and cannot always use each other's data.
       
 (DIR) Post #Ab1jfjpBgOfOg3sM3k by notclacke@fedia.social
       2023-10-22T10:58:52.753Z
       
       0 likes, 0 repeats
       
       @daniel@gultsch.social I didn't. Is there a link to a good article?
       
 (DIR) Post #Ab1jfvpz1GQvw0L9xw by daniel@gultsch.social
       2023-10-22T11:36:57Z
       
       0 likes, 0 repeats
       
       @notclacke
       · https://notes.valdikss.org.ru/jabber.ru-mitm/
       · https://snikket.org/blog/on-the-jabber-ru-mitm/
       
 (DIR) Post #Ab27dPaAMzzQDZGzzs by Monal@fosstodon.org
       2023-10-22T16:05:27Z
       
       0 likes, 0 repeats
       
       @daniel @notclacke Don't forget SSDP, see section 3 of XEP-0474 [1] for the attacks it mitigates. This also shows why channel-binding is complicated.

       [1] https://xmpp.org/extensions/xep-0474.html
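An added example (not code from Monal, Conversations or any poster) showing the client side of what the thread describes: reading the XEP-0440 channel-binding advertisement from stream features, choosing tls-exporter (RFC 9266) on TLS 1.3 or tls-unique on TLS 1.2 as ruff's rigid rule suggests, and building the RFC 5802 gs2-header whose `y` flag is the basic downgrade signal a server can act on. The stream-features fragment and the exporter bytes are constructed placeholders.

```python
"""Client-side SCRAM-*-PLUS channel-binding selection (RFC 5802, RFC 9266, XEP-0440).

Assumption: in a real client the 32 cb-data bytes come from the TLS library's
keying-material exporter (label "EXPORTER-Channel-Binding", empty context) on
TLS 1.3, or from the tls-unique Finished message on TLS 1.2.
"""
import base64
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
CB_NS = "urn:xmpp:sasl-cb:0"          # XEP-0440 advertisement namespace

# Constructed stream-features fragment in the XEP-0440 shape (not a real capture).
SERVER_FEATURES = """
<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>SCRAM-SHA-1</mechanism>
    <mechanism>SCRAM-SHA-1-PLUS</mechanism>
  </mechanisms>
  <sasl-channel-binding xmlns="urn:xmpp:sasl-cb:0">
    <channel-binding type="tls-exporter"/>
    <channel-binding type="tls-server-end-point"/>
  </sasl-channel-binding>
</stream:features>
"""

def advertised(features_xml):
    """Return (SASL mechanisms, channel-binding types) the server advertises."""
    root = ET.fromstring(features_xml)
    mechs = [m.text for m in root.iter("{%s}mechanism" % SASL_NS)]
    types = [c.get("type") for c in root.iter("{%s}channel-binding" % CB_NS)]
    return mechs, types

def choose_binding(tls_version, server_types):
    """Rigid rule from the thread: tls-exporter on TLS 1.3, tls-unique on 1.2.
    None means the server did not advertise the type this TLS version needs."""
    wanted = "tls-exporter" if tls_version == "TLSv1.3" else "tls-unique"
    return wanted if wanted in server_types else None

def gs2_header(cb_type, server_offers_plus):
    """RFC 5802 gs2-cbind-flag: 'p=' binds the channel, 'y' tells a -PLUS-capable
    server that its -PLUS offer was stripped in transit (it must then abort),
    'n' means the client cannot bind at all."""
    if cb_type is None:
        return "n,,"
    if not server_offers_plus:
        return "y,,"
    return "p=%s,," % cb_type

def cbind_attr(header, cb_data):
    """client-final-message 'c=' attribute: base64(gs2-header || cb-data)."""
    return "c=" + base64.b64encode(header.encode("ascii") + cb_data).decode("ascii")
```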