[jitsi-users] jit.si server security ratings


#1

Hello,

We have upgraded the xmpp server on jit.si and now we have an A rating on
xmppnet:

https://xmpp.net/result.php?domain=jit.si&type=client
https://xmpp.net/result.php?domain=jit.si&type=server

Enjoy!

···

--
Yasen Pramatarov
sysadmin, https://jitsi.org


#2

Hi Yasen,

Hello,

We have upgraded the xmpp server on jit.si and now we have an A rating on
xmppnet:

https://xmpp.net/result.php?domain=jit.si&type=server

Just curious why you decided to leave SSLv3 enabled.

···

On 9 March 2015 at 06:45, Yasen Pramatarov <yasen@bluejimp.com> wrote:

Enjoy!

--
-------
inum: 883510009027723
sip: jungleboogie@sip2sip.info
xmpp: jungle-boogie@jit.si


#3

interoperability

···

On Mon, Mar 9, 2015 at 9:12 PM, jungle Boogie <jungleboogie0@gmail.com> wrote:

Just curious why you decided to leave SSLv3 enabled.

--
Yasen Pramatarov
sysadmin, https://jitsi.org


#4

It would probably be better to remove it. It might indeed entail a
small interop tradeoff but I don't think it would be a big deal.

Emil

···

On Tue, Mar 10, 2015 at 9:04 AM, Yasen Pramatarov <yasen@bluejimp.com> wrote:

On Mon, Mar 9, 2015 at 9:12 PM, jungle Boogie <jungleboogie0@gmail.com> wrote:

Just curious why you decided to leave SSLv3 enabled.

interoperability

--
Yasen Pramatarov
sysadmin, https://jitsi.org

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

--
https://jitsi.org


#5

Leaving SSLv3 on in 2015 for "interop." says a lot about the privacy and security goals of a project.

···

On 10 March 2015 at 09:42:09 CET, Emil Ivov <emcho@jitsi.org> wrote:

It would probably be better to remove it. It might indeed entail a
small interop tradeoff but I don't think it would be a big deal.

Emil



#6

If that is true, then hammering on the subject right after we have
stated we will disable it says a lot about a person.

Emil

···

On Tue, Mar 10, 2015 at 11:15 AM, Axel Hübl <axel.huebl@web.de> wrote:

Leaving SSLv3 on in 2015 for "interop." says a lot about the privacy and security goals of a project.


--
https://jitsi.org


#7

... I wrote you about that 3 months ago on the list. And reminded you two times since then. Feel free to check the archives.

···

On 10 March 2015 at 11:22:31 CET, Emil Ivov <emcho@jitsi.org> wrote:

If that is true, then hammering on the subject right after we have
stated we will disable it says a lot about a person.

Emil



#8

You also wrote 21 minutes ago after I acknowledged we will disable it
... so not sure what the point of that was.

Emil

···

On Tue, Mar 10, 2015 at 11:31 AM, Axel Hübl <axel.huebl@web.de> wrote:

... I wrote you about that 3 months ago on the list. And reminded you two times since then. Feel free to check the archives.


--
https://jitsi.org


#9

Where did anyone say it is going to be disabled (finally)?

All I got was: "still on" - "interop" - "oh, probably we should remove it".

Yes, you should. Months ago when I wrote you about it. Also: xmpp.net still shows cert chain issues. Should be fixed, too :)

···

On 10 March 2015 at 11:39:01 CET, Emil Ivov <emcho@jitsi.org> wrote:

You also wrote 21 minutes ago after I acknowledged we will disable it
... so not sure what the point of that was.

Emil



#10

Hello Axel,

It is great that you show some engagement concerning improvement of security.
However, do you really think that you are providing help to this project by using the online test of xmpp.net and then being reproachful? The tonality you are using is not really encouraging.

Thomas

Where did anyone say it is going to be disabled (finally)?

All I got was: "still on" - "interop" - "oh, probably we should remove it".

Yes, you should. Months ago when I wrote you about it. Also: xmpp.net still shows cert chain issues. Should be fixed, too :)

···

On 10.03.2015 at 11:46, Axel Hübl <axel.huebl@web.de> wrote:



#11

Hey Thomas,

no hard feelings about that - my statement was meant to provoke so
someone finally changes the few lines in the config.

The problem I want to highlight is the fact that the jit.si community
puts a lot of awesome and great work into thousands of lines of code a
year, but changing the three lines in the server config of its own
server does not happen in months, even if SSLv3 is incredibly broken.
(Not talking about the idea to switch to TLS1.2 only.)

Since a lot of your users use the service at jit.si, a weakened setup
there weakens the overall security of the software and puts your users
at risk.

First report of mine (in a very encouraging language :) ):
  January, 6th
  -> dead end after Jan 9th

Reminder:
  February, 12th
  -> no response

I am sorry for the harsh language - a one-word answer from Yasen after
two reminders on the topic is simply not ideal (and I was responding to
that). But pls try to understand my argument, that putting a little more
effort in easy-to-change configs is actually necessary.

Axel

···

On 10.03.2015 11:58, Thomas Odorfer wrote:

Hello Axel,

It is great that you show some engagement concerning improvement of security.
However, do you really think that you are providing help to this project by using the online test of xmpp.net and then being reproachful? The tonality you are using is not really encouraging.

Thomas



#12

Axel,

We'd be happy to have your patch for the config lines you mention!

Emil

···

On Tuesday, March 10, 2015, Axel Hübl <axel.huebl@web.de> wrote:

Hey Thomas,

no hard feelings about that - my statement was meant to provoke so
someone finally changes the few lines in the config.

The problem I want to highlight is the fact that the jit.si community
puts a lot of awesome and great work into thousands of lines of code a
year, but changing the three lines in the server config of its own
server does not happen in months, even if SSLv3 is incredibly broken.
(Not talking about the idea to switch to TLS1.2 only.)

Since a lot of your users use the service at jit.si, a weakened setup
there weakens the overall security of the software and puts your users
at risk.

First report of mine (in a very encouraging language :) ):
  January, 6th
  -> dead end after Jan 9th

Reminder:
  February, 12th
  -> no response

I am sorry for the harsh language - a one-word answer from Yasen after
two reminders on the topic is simply not ideal (and I was responding to
that). But pls try to understand my argument, that putting a little more
effort in easy-to-change configs is actually necessary.

Axel

--
--sent from my mobile


#13

Great,

now I did read the parallel thread of Yasen:

This plus switching to OpenJDK8 allowed us to fix the problems we had
with weaker ciphers and certificate trust more easily.

I understand your argument now Emil, sorry that looks dumb from my side!

I did only read:

Just curious why you decided to leave SSLv3 enabled.

interoperability

Keep up the good work and sorry again!
That's absolutely my fault, I did not see the announcement 15min earlier.

Axel

···

On 10.03.2015 11:01, Yasen Pramatarov wrote:



#14

Emil,

what about answering the community: "we are looking into updating
that but our software currently does not support XYZ. Thanks for reporting."

All I got was
  "It's on our tasklist, thanks for the reminder."

in January and the two other mails ignored, hard to interpret what is
causing the problems if it is not communicated :)

Axel

···

On 10.03.2015 13:22, Emil Ivov wrote:

Axel,

We'd be happy to have your patch for the config lines you mention!

Emil



#15

my statement was meant to provoke so
someone finally changes the few lines in the config.

The problem I want to highlight is the fact that the jit.si community
puts a lot of awesome and great work into thousands of lines of code a
year, but changing the three lines in the server config of its own
server does not happen in months, even if SSLv3 is incredibly broken.
(Not talking about the idea to switch to TLS1.2 only.)

Axel, I am a plain Jitsi user. I just wanted to thank you for your
attentiveness and persistence.

We all use Jitsi and not Skype/Ekiga/etc MAINLY because of the security
issue. And if security is not important enough for the devs, then it is a
complete failure of the whole project whose main purpose is SECURITY. And
not just usability.


#16

Security is very important for the devs.

What happened is that I replied that the only reason I left sslv3 is
interoperability -- which I as a sysadmin care about not less than I care
about security. So Axel, everyone -- if you would like to blame someone,
please feel free to blame me for that.

And right after that we decided to ditch sslv3, so there is really no
problem here. And as for the long period this issue has been reported, you
can also take it on the sysadmin for not managing to fix it on time. I mean
it, this took time -- and as I've said before, it's on my tasklist and I'm
sorry for the inconvenience and the delay.

Now SSLv3 should be disabled, I tested with openssl and testssl.sh from
another host and I'm waiting now for the xmpp.net test to be available
again (BTW someone is re-scheduling this test there all the time, pls don't
use this as an "is it online" check for our server) :)

···

On Tue, Mar 10, 2015 at 3:07 PM, Александр <afalex169@gmail.com> wrote:

We all use Jitsi and not Skype/Ekiga/etc MAINLY because of the security
issue. And if security is not important enough for the devs, then it is a
complete failure of the whole project whose main purpose is SECURITY. And
not just usability.

--
Yasen Pramatarov
sysadmin, https://jitsi.org
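The check Yasen describes (turn the legacy protocol off in the server config, then probe from another host with openssl or testssl.sh) can be reproduced end to end in a small Go program. The code below is an added example written for this page; it is not code from the thread or from the Jitsi project, and the function names (AuditMinVersion, startServer, probe), the throwaway self-signed certificate and the loopback address are all constructed for the demo. It starts a TLS server on 127.0.0.1 with a configurable MinVersion (the analogue of the "three lines in the server config"), then probes it with clients pinned to one protocol version each, the way an external scanner does. Go's crypto/tls has no SSLv3 support at all, so TLS 1.0 stands in as the legacy version here; the mechanics are the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// Versions an external scan would try. Go cannot speak SSLv3 at all, so
// TLS 1.0 stands in as the legacy version in this demo.
var probeVersions = map[string]uint16{
	"TLS1.0": tls.VersionTLS10, "TLS1.1": tls.VersionTLS11,
	"TLS1.2": tls.VersionTLS12, "TLS1.3": tls.VersionTLS13,
}

// selfSignedCert builds a throwaway cert for 127.0.0.1 (constructed for this
// example so it runs offline; the key never leaves the process).
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "demo-xmpp-server"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced; always parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// startServer is the "server config" side: MinVersion is the single knob that
// decides which legacy protocol versions the server will still negotiate.
func startServer(cert tls.Certificate, minVersion uint16) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   minVersion,
	})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			// Drive the handshake so the client gets a clear accept or reject.
			go func(c net.Conn) { _ = c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln, nil
}

// probe is the external-scanner side: a client pinned to exactly one protocol
// version, reporting whether the server completed the handshake.
func probe(addr string, pool *x509.CertPool, version uint16) bool {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		RootCAs: pool, ServerName: "127.0.0.1",
		MinVersion: version, MaxVersion: version,
	})
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// AuditMinVersion brings up a server with the given minimum version and
// returns, per probed version, whether the handshake was accepted.
func AuditMinVersion(minVersion uint16) (map[string]bool, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	ln, err := startServer(cert, minVersion)
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	accepted := make(map[string]bool, len(probeVersions))
	for name, v := range probeVersions {
		accepted[name] = probe(ln.Addr().String(), pool, v)
	}
	return accepted, nil
}
```

Calling AuditMinVersion(tls.VersionTLS10) models the "interoperability" configuration: every probed version is accepted. Calling AuditMinVersion(tls.VersionTLS12) models the hardened server: the TLS 1.0 and 1.1 probes fail at the handshake while 1.2 and 1.3 succeed, which is exactly the result an external scan should report once the config change has been deployed. Against a real host the probe side is what openssl s_client or testssl.sh do; the point of running both sides locally is that the expected outcome is fixed before the change ships.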


#17

On 2015-03-11T00:07:02+1100, Александр <afalex169@gmail.com> said:

We all use Jitsi and not Skype/Ekiga/etc MAINLY because of the security issue. And if security is not important enough for the devs, then it is a complete failure of the whole project whose main purpose is SECURITY.

Out of interest, where is it stated on the jitsi.org that the /main/ purpose (i.e. not simply /a/ purpose) of Jitsi is security?

Alexis.


#18

Yasen,

thank you for upgrading the services!

Sorry again for the harsh words - of course they were solely for the
sysadmin >:)

I think xmpp.net is just a bit slow, I just posted it initially because
it's easier to link something than to post the noisy output of openssl.

Axel

···

On 10.03.2015 14:22, Yasen Pramatarov wrote:

Security is very important for the devs.

What happened is that I replied that the only reason I left sslv3 is
interoperability -- which I as a sysadmin care about not less than I
care about security. So Axel, everyone -- if you would like to blame
someone, please feel free to blame me for that.

And right after that we decided to ditch sslv3, so there is really no
problem here. And as for the long period this issue has been reported,
you can also take it on the sysadmin for not managing to fix it on time.
I mean it, this took time -- and as I've said before, it's on my
tasklist and I'm sorry for the inconvenience and the delay.

Now SSLv3 should be disabled, I tested with openssl and testssl.sh from
another host and I'm waiting now for the xmpp.net test
to be available again (BTW someone is re-scheduling this test there all
the time, pls don't use this as an "is it online" check for our server) :)

--
Yasen Pramatarov
sysadmin, https://jitsi.org


#19

Out of interest, where is it stated on the jitsi.org that the /main/
purpose (i.e. not simply /a/ purpose) of Jitsi is security?

oh come on!
ZRTP. OTR. Isn't that enough for you?
Or should I bring quotations from forums?

This is trolling. And an attempt to change the topic. Instead of focusing
on solving the problem.

And no. I (and most of us) am not a programmer to make a patch for this
security issue. But this doesn't mean that Axel/the community should get
this sort of answers from devs like those he gets in this thread.

Nobody is trying to insult the devs. But there are some things that must be
done. One way or another.

When the man (Axel) is pointing to a clear problem associated with security
of Jitsi, there must be much more serious attitude. Which is expressed in
action. Here we see something very "strange". Therefore, Axel wrote about
the problem with indignation.


#20

Yasen,
Thank you for your broad answer. Things are getting clearer now.

···


if you would like to blame someone, please feel free to blame me for that

No, Yasen. I am not searching to blame anybody. I am searching to keep
Jitsi Safe. Like you do.