← Back to context

Comment by MattJ100

3 years ago

XMPP has some adoption of channel binding (it could be better, but it's heading in the right direction) which mitigates these kinds of attacks in a different way. It is able to do that because the client and server already share a secret (the user's credentials), unlike most HTTP clients/servers (at least as far as the protocol is concerned).

But SCT validation would indeed be something we should investigate for the ecosystem, it could be beneficial for certain use cases.

It may be better for the XMPP ecosystem to focus on increasing adoption of channel binding rather than CT enforcement. I wrote briefly about the challenges faced by non-browser clients at <https://news.ycombinator.com/item?id=36436303> but the tldr is that all SCT-checking clients have to be able to respond to ecosystem changes very quickly. This is so important that Chrome and Safari both disable SCT checking entirely if the browser hasn't been updated in more than 10 weeks.

Feel free to contact me (email in profile) or ask here if you want to talk more about this. I use XMPP (thank you for Prosody!) and have been involved in the CT space for many years now.

  • > but the tldr is that all SCT-checking clients have to be able to respond to ecosystem changes very quickly.

    This is fine. If you're using a tool that's connecting to the internet, you probably need to monitor for updates anyway.

    I'd like to see a separate package, similar to Mozilla's `ca-certificates`, but for CT that can be updated independently of the actual useragent.

    • > This is fine. If you're using a tool that's connecting to the internet, you probably need to monitor for updates anyway.

      People should do this, but in practice it often doesn't happen - as witnessed by the Appmattus library fiasco earlier this year.

      > I'd like to see a separate package, similar to Mozilla's `ca-certificates`, but for CT that can be updated independently of the actual useragent.

      Considering how slowly updates to the various ca-certificates packages propagate, this would be absolute disaster for CT.