[jitsi-dev] [libsrc-commits] master: Backports TLSUtils for smack [...]


#1

SSLv3 should not be used anymore. Nowhere. Never again. It's >15 years old
and totally broken.

So no, you're not wrong, but it would actually be intended to be applied
everywhere. Might even be as simple as an additional argument in the
launcher executables/scripts.

Ingo

···

On 2014-10-21 01:32, Damian Minkov wrote:
> Hi Ingo,
>
> but if we change this globally in CertificateService this will affect
> all ssl sockets, isn't the SSLv... needed for https locations like
> provisioning, https updates locations ... or I'm wrong?
>
> Regards
> damencho


#2

While I completely agree with this, we have no control over what people do
with their servers. Neither do our users. At least not necessarily. I am
concerned that ditching SSL might leave many users without a solution and
I'd rather have us avoid that.

Emil

···

On 20 Oct 2014 8:47 PM, "Ingo Bauersachs" <ingo@jitsi.org> wrote:
> On 2014-10-21 01:32, Damian Minkov wrote:
> > Hi Ingo,
> >
> > but if we change this globally in CertificateService this will affect
> > all ssl sockets, isn't the SSLv... needed for https locations like
> > provisioning, https updates locations ... or I'm wrong?
>
> SSLv3 should not be used anymore. Nowhere. Never again. It's >15 years old
> and totally broken.
>
> So no, you're not wrong, but it would actually be intended to be applied
> everywhere. Might even be as simple as an additional argument in the
> launcher executables/scripts.


#3

Well, all the major service providers, hosters and browsers are disabling SSLv3 entirely these days. I don't see the danger in doing the same - on the contrary, it causes problems (as with Facebook now) and gives us a bad score on these TLS rating lists, giving in turn bad press.
(And the current state of Damian's patch disables SSLv3 entirely for XMPP anyway.)

Kind regards,
Ingo Bauersachs

-- sent from my mobile

···

On 21.10.2014 at 02:01, "Emil Ivov" <emcho@jitsi.org> wrote:

On 20 Oct 2014 8:47 PM, "Ingo Bauersachs" <ingo@jitsi.org> wrote:
>
> On 2014-10-21 01:32, Damian Minkov wrote:
> > Hi Ingo,
> >
> > but if we change this globally in CertificateService this will affect
> > all ssl sockets, isn't the SSLv... needed for https locations like
> > provisioning, https updates locations ... or I'm wrong?
>
> SSLv3 should not be used anymore. Nowhere. Never again. It's >15 years old
> and totally broken.
>
> So no, you're not wrong, but it would actually be intended to be applied
> everywhere. Might even be as simple as an additional argument in the
> launcher executables/scripts.

While I completely agree with this, we have no control over what people do with their servers. Neither do our users. At least not necessarily. I am concerned that ditching SSL might leave many users without a solution and I'd rather have us avoid that.

Emil
_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev


#4

> Well, all the major service providers, hosters and browsers are
> disabling SSLv3 entirely these days. I don't see the danger in doing the
> same - on the contrary, it causes problems (as with Facebook now) and
> gives us a bad score on these TLS rating lists, giving in turn bad press.

The lists I know of are for servers. Do you have in mind one that's for clients?

> (And the current state of Damian's patch disables SSLv3 entirely for
> XMPP anyway.)

Yes. We agreed to do it that way yesterday morning before having this discussion.

Right now I'd like to understand exactly what the impact would be for other SSL based services.

Also: we must beat and punish users for wanting to use the wrong protocol until they drop dead is not a position I support.

Basically, if I decide that I want to use SSLv3 or even plain text to connect to my service, that's my decision and no one else gets a say in it. I am kind of annoyed by "You don't have the right to use that protocol" radicalism.

Emil

···

On 21.10.14, 03:54, Ingo Bauersachs wrote:

Kind regards,
Ingo Bauersachs

-- sent from my mobile

On 21.10.2014 at 02:01, "Emil Ivov" <emcho@jitsi.org> wrote:

On 20 Oct 2014 8:47 PM, "Ingo Bauersachs" <ingo@jitsi.org> wrote:
>
> On 2014-10-21 01:32, Damian Minkov wrote:
> > Hi Ingo,
> >
> > but if we change this globally in CertificateService this will affect
> > all ssl sockets, isn't the SSLv... needed for https locations like
> > provisioning, https updates locations ... or I'm wrong?
>
> SSLv3 should not be used anymore. Nowhere. Never again. It's >15 years old
> and totally broken.
>
> So no, you're not wrong, but it would actually be intended to be applied
> everywhere. Might even be as simple as an additional argument in the
> launcher executables/scripts.

While I completely agree with this, we have no control over what
people do with their servers. Neither do our users. At least not
necessarily. I am concerned that ditching SSL might leave many users
without a solution and I'd rather have us avoid that.

Emil


--
https://jitsi.org


#5

[...]

> > (And the current state of Damian's patch disables SSLv3 entirely for
> > XMPP anyway.)
>
> Yes. We agreed to do it that way yesterday morning before having this
> discussion.
>
> Right now I'd like to understand exactly what the impact would be for
> other SSL based services.
>
> Also: we must beat and punish users for wanting to use the wrong
> protocol until they drop dead is not a position I support.
>
> Basically, if I decide that I want to use SSLv3 or even plain text to
> connect to my service, that's my decision and no one else gets a say
> in it. I am kind of annoyed by "You don't have the right to use that
> protocol" radicalism.

Small remark here ...
IIUC the issue with SSLv3 isn't about servers that *only* support SSLv3.
It is about the fact that during negotiation there is an option to
"downgrade" to a less secure option, such as SSLv3. This is misused to
guide clients into using SSLv3. The measures that are typically applied
are to ensure that SSLv3 isn't a valid (lower bound) option. So if we
need to make it configurable it would be to set a minimal protocol
version of TLSv1 (1.0) instead of SSLv3.

Also, in Chrome there is an option to renegotiate with same protocol
upon some kind of failure. More details can be found in this document by
Google:
https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00#section-1
... but as I understand it this is not an option for us yet.

So we only punish users if SSLv3 also happens to be the best available
option.

I'm all with you on your point that one should be able to choose, but
the other side of the same coin is that most people will expect to be
secured by the best possible protocol and they shouldn't (without their
knowledge or consent) be manipulated into connecting instead using the
worst possible (broken) protocol.

Danny

···

On 21-10-14 11:00, Emil Ivov wrote:

Emil

Kind regards,
Ingo Bauersachs

-- sent from my mobile

On 21.10.2014 at 02:01, "Emil Ivov" <emcho@jitsi.org> wrote:

On 20 Oct 2014 8:47 PM, "Ingo Bauersachs" <ingo@jitsi.org> wrote:
>
> On 2014-10-21 01:32, Damian Minkov wrote:
> > Hi Ingo,
> >
> > but if we change this globally in CertificateService this will affect
> > all ssl sockets, isn't the SSLv... needed for https locations like
> > provisioning, https updates locations ... or I'm wrong?
>
> SSLv3 should not be used anymore. Nowhere. Never again. It's >15 years old
> and totally broken.
>
> So no, you're not wrong, but it would actually be intended to be applied
> everywhere. Might even be as simple as an additional argument in the
> launcher executables/scripts.

While I completely agree with this, we have no control over what
people do with their servers. Neither do our users. At least not
necessarily. I am concerned that ditching SSL might leave many users
without a solution and I'd rather have us avoid that.

Emil

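Danny's suggestion in the post above, a configurable minimum protocol version with TLSv1 as the floor rather than a blanket "disable everything old", as an added example that is not part of this thread and not Jitsi's own TLSUtils or CertificateService code. The class name MinimumProtocolPolicy, its constructor argument and the protocol list it uses are assumptions for illustration; the JSSE calls (getSupportedProtocols, setEnabledProtocols) are standard javax.net.ssl API. The point it demonstrates is that the client decides the lower bound before the handshake, so a peer that tries to steer the negotiation to SSLv3 simply gets no SSLv3 to negotiate, while servers that speak any TLS version remain reachable.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Hypothetical helper (not Jitsi's TLSUtils) that enforces a minimum
 * protocol version on client sockets, so a negotiation can never settle
 * on SSLv3 regardless of what the peer offers or what the JVM supports.
 */
public final class MinimumProtocolPolicy {

    /** JSSE protocol names in ascending order of security (assumed list). */
    private static final List<String> ORDER = Arrays.asList(
        "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3");

    private final String minimum;

    /** @param minimum the lowest protocol that may be enabled, e.g. "TLSv1". */
    public MinimumProtocolPolicy(String minimum) {
        if (!ORDER.contains(minimum)) {
            throw new IllegalArgumentException("unknown protocol: " + minimum);
        }
        this.minimum = minimum;
    }

    /**
     * Returns the subset of {@code supported} that is at least as new as the
     * configured minimum. Names not in ORDER are dropped rather than passed
     * through, so a typo in a configuration file cannot silently re-enable
     * a weak version.
     */
    public String[] filter(String[] supported) {
        int floor = ORDER.indexOf(minimum);
        List<String> enabled = new ArrayList<>();
        for (String p : supported) {
            int rank = ORDER.indexOf(p);
            if (rank >= floor) {
                enabled.add(p);
            }
        }
        return enabled.toArray(new String[0]);
    }

    /** Applies the policy to a socket; must run before the handshake starts. */
    public void apply(SSLSocket socket) {
        socket.setEnabledProtocols(filter(socket.getSupportedProtocols()));
    }

    public static void main(String[] args) throws IOException {
        MinimumProtocolPolicy policy = new MinimumProtocolPolicy("TLSv1");

        // Constructed input: the kind of list a 2014-era JSSE reports as supported.
        String[] offered = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};
        System.out.println("enabled by policy: "
            + Arrays.toString(policy.filter(offered)));

        // Applying it to a real, still unconnected socket (no network traffic).
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
            policy.apply(socket);
            System.out.println("socket protocols: "
                + Arrays.toString(socket.getEnabledProtocols()));
        }
    }
}
```

Applying the filter per socket is what lets one service (XMPP) be stricter than another (HTTPS provisioning, updates) if that is ever wanted; the JVM-wide alternative Ingo alludes to, an argument in the launcher scripts, corresponds in current JDKs to the jdk.tls.client.protocols system property or the jdk.tls.disabledAlgorithms security property, which set the same floor for every SSLContext in the process.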