[ejabberd] [Operators] SSL certificates / private CAs / CACert issue

Ludovic BOCQUET lbxmpp at live.com
Fri Mar 22 23:07:51 MSK 2013


Hi all,

A small but very important note: port 5223 has been deprecated since 2004.

Regards,

BOCQUET Ludovic
An XSF member
XMPP Standards Foundation
http://xmpp.org/

On 21/03/2013 01:38, Peter Viskup wrote:
> On 12/17/2012 12:13 AM, Peter Viskup wrote:
>> I do understand the role of SSL and CAs well.
>> Let me share some words of one of the CACert people (from the
>> mailing thread I posted in the beginning):
>> "One of the problems with CAcert: They sign certificates without any
>>  assurance of the issuer - the same as what StartCom does for class 1
>>  certificates, but StartCom is usually trusted by all major web
>>  browsers.
>>  If CAcert would offer certificate signing *only* for assured members,
>>  this would already improve security and trustworthiness, since then you
>>  can be sure that a CAcert signed certificate is issued by a *known*
>>  person and not just by someone who has control over the mail server
>>  of a domain."
>>
>> I do understand that a list of trusted CAs could lead to "higher"
>> security, but if we (XMPP operators) do accept CACert or StartCom
>> then there could be no issue with accepting other CAs. What rules
>> were followed in accepting these CAs?
>>
>> The other case is:
>> you said I am ignorant because I do not follow some standard security
>> advice and am using our own CA for SSL/TLS on our public services. I
>> fully agree with the security standards and best practices, but the
>> question is - how many servers use certificates which are not
>> signed by a trusted CA in the XMPP (or SMTP) world? And if the number is
>> higher than 1-10-20-40-100-1000-Idon'tknowhowmany - aren't you the
>> one ignorant of reality?
>> This is the reason for the discussion - to recognize how many servers are
>> using such certificates and/or certificates of CACert or other
>> low-cost/problematic CAs (StartCom, [compromised]
>> Verisign?, [compromised] whatever-else).
>> ...and to come to some consensus regarding these issues in the end.
>>
>> Anyway, the CA world in general is in crisis and there are many voices
>> calling for something which will solve all SPOFs in this design. This
>> is another grey point in the CA design which should be kept in mind.
>>
>> These are links to both threads:
>> [1] ejabberd
>> http://lists.jabber.ru/pipermail/ejabberd/2012-December/007894.html
>> [2] XMPP operators
>> http://mail.jabber.org/pipermail/operators/2012-December/001528.html
>>
>> -- 
>> Peter Viskup
>>
>
> Dear all,
> let me share the list of XMPP servers which use 'not secure' SSL certs
> on port 5223:
>
> bbs.docksud.com.ar CN=bbs.docksud.com.ar
> jab.undernet.cz CN=Undernet.cz
> jabber.dn.ua CN=ejabberd
> jabber.freenet.de CN=USERTrust
> jabber.od.ua CN=Mickael
> jabber.org.by CN=jabber.org.by
> jabber.sk CN=TECHTIS
> jabber.stammtisch.it CN=jabber.stammtisch.it
> jabber.ulm.ccc.de CN=jabber.ulm.ccc.de
> jabber.workaround.org CN=jabber.workaround.org
> jabber.yorktondigital.ca CN=John
> jabberpl.org CN=Certification
> jid.pl CN=jid.pl
> jis.mit.edu CN=ejabberd
> phcn.de CN=phcn.de
> silper.cz CN=Frenky
> tidesofwar.net CN=tidesofwar.net
> tigase.org CN=*.default
> tigase.org CN=default
> xmpp.org.ru CN=jabber.ttn.ru
>
> CN is the common name of the issuer of that cert. I didn't perform a
> deeper analysis. This is just an incomplete view of the issue with the
> servers not using [CACert,StartSSL]-signed certs.
> I wasn't able to get the certs from all servers, and filtered out all with
> an issuer matching one of "/CAcert|StartCom|CA Cert|Thawte|RapidSSL/".
> I checked 213 servers (list from jabberes.org or coccinella stats), got
> SSL info on port 5223 from only 94 servers (openssl s_client), and
> 20 of them have 'wrong' certs installed.
> Hope this helped to see the reality a little (as it is not complete
> :-) ).
>
> It would be great to have a closer look at the reality with more
> information.
>
> Best regards,
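
A checker for the kind of survey output the quoted reply describes, added here as an example; it is not code from the thread or from ejabberd. It parses the `subject=`/`issuer=` lines that `openssl x509 -noout -subject -issuer` prints for a certificate fetched with `openssl s_client` (both the older `/C=XX/CN=foo` layout and the newer `C = XX, CN = foo` one), applies the issuer filter quoted in the reply, and separates self-signed certs from ones issued by a CA outside that filter. The host names and certificate fields below are constructed, and the "119 hosts" figure is just 213 minus 94 from the reply.

```python
import re
# Issuer filter quoted in the reply above; anything not matching it was counted as 'wrong'.
KNOWN_ISSUERS = re.compile(r"CAcert|StartCom|CA Cert|Thawte|RapidSSL")

def parse_name(line):
    """Parse one 'subject=...'/'issuer=...' line from `openssl x509 -noout -subject -issuer`
    into ({attribute: value}, raw body). Handles the old '/C=XX/CN=foo' and the newer
    'C = XX, CN = foo' layouts; escaped ',' or '/' inside values are not un-escaped."""
    body = line.partition("=")[2].strip()
    parts = body[1:].split("/") if body.startswith("/") else body.split(",")
    attrs = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs, body

def survey(captures):
    """captures: {host: stdout of `openssl x509 -noout -subject -issuer`, or ''
    when s_client got no certificate}. Returns {host: (issuer CN, verdict)}."""
    findings = {}
    for host, text in captures.items():
        subject = issuer = None
        for line in text.splitlines():
            if line.startswith("subject="):
                subject = parse_name(line)
            elif line.startswith("issuer="):
                issuer = parse_name(line)
        if subject is None or issuer is None:
            findings[host] = ("?", "no-cert")     # like the 119 hosts that gave nothing
            continue
        issuer_attrs, issuer_raw = issuer
        if issuer_attrs == subject[0]:
            verdict = "self-signed"               # e.g. CN=ejabberd on both sides
        elif KNOWN_ISSUERS.search(issuer_raw):
            verdict = "known-issuer"
        else:
            verdict = "unknown-issuer"            # private CA or a CA outside the filter
        findings[host] = (issuer_attrs.get("CN", "?"), verdict)
    return findings

# Constructed sample captures (hypothetical hosts, no real certificates).
SAMPLE = {
    "jabber.example.net": "subject=C = DE, O = Example, CN = jabber.example.net\n"
                          "issuer=O = CAcert Inc., CN = CAcert Class 3 Root\n",
    "self.example.org": "subject= /CN=ejabberd\nissuer= /CN=ejabberd\n",
    "other.example.org": "subject= /C=CZ/CN=other.example.org\nissuer= /C=CZ/O=Private CA/CN=Private CA root\n",
    "dead.example.org": "",
}
```

`survey(SAMPLE)` reports the CAcert-issued cert as a known issuer, the `CN=ejabberd` cert as self-signed, the private-CA cert as an unknown issuer, and the unreachable host as giving no cert.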

