XMPP server encryption
XMPP server encryption is the basic layer of encryption. It is intended to stop attackers or spies from intercepting messages sent as plain text without e2e encryption. Without reliable server-side encryption, your data can be intercepted over public Wi-Fi or saved by the ISP. Connecting to 404.city is impossible without TLS encryption.
- TLS (RSA or ECC): basic encryption that protects against hackers and against espionage by the governments of most countries. Example:
you <= TLS c2s (medium protected) => server 404.city <= TLS s2s (medium protected) => server example.com <= TLS c2s (medium protected) => your friend
- StartTLS is similar to TLS and has no significant security differences if the certificate is trusted.
ECC vs RSA keys
- RSA (example: ECDHE-RSA-AES256-GCM-SHA384) is outdated encryption. It uses more server resources and fewer XMPP client resources, and its encryption is weaker. By default RSA is weak, so it is strengthened with ECC through the ECDHE algorithm.
|Equivalent key sizes in bits: AES vs RSA vs ECC|
|Symmetric (AES)||RSA (ECDHE-RSA)||ECC (ECDHE-ECDSA)|
- ECC (example: ECDHE-ECDSA-AES256-GCM-SHA384) is modern encryption that uses fewer XMPP server resources and fewer XMPP client resources. In 2021, it will be adopted as a standard for all TLS certificates (even RSA certificates will use an ECC CA).
«The small key sizes make ECC very appealing for devices with limited storage or processing power, which are becoming increasingly common in the IoT. In terms of more traditional web server use cases, the smaller key sizes can offer speedier SSL handshakes (which can translate to faster page load times) and stronger security» - ECC vs RSA, "GlobalSign"
|Performance RSA vs ECC|
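An added example, not part of the original page or of 404.city's configuration: a Python client-side TLS context limited to the two suites named above, with a small parser that shows which part of each suite name is the key exchange (ECDHE) and which is the certificate key type (RSA or ECDSA). The function names are chosen for this example, and the parser covers certificate-authenticated suites only.

```python
import ssl

# The two suites the page gives as its ECC and RSA examples (OpenSSL names).
PAGE_SUITES = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"


def parse_suite(name):
    """Split an OpenSSL suite name into key exchange and certificate key type."""
    if name.startswith("TLS_"):
        # TLS 1.3 names list only cipher and hash; key exchange is always ephemeral.
        return {"kex": "ephemeral", "cert_key": "any", "forward_secrecy": True}
    parts = name.split("-")
    if parts[0] in ("ECDHE", "DHE"):
        kex, cert_key = parts[0], parts[1]
    else:
        # No prefix (e.g. AES256-GCM-SHA384): static RSA key exchange, RSA certificate.
        kex, cert_key = "RSA", "RSA"
    return {"kex": kex, "cert_key": cert_key,
            "forward_secrecy": kex in ("ECDHE", "DHE")}


def c2s_context(suites=PAGE_SUITES):
    """Client context for XMPP c2s: CA-verified certificate, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname check are on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(suites)  # limits TLS 1.2 suites; TLS 1.3 suites stay enabled
    return ctx


def suite_report(ctx):
    """Map every suite the context would offer to its parsed properties."""
    return {c["name"]: parse_suite(c["name"]) for c in ctx.get_ciphers()}


if __name__ == "__main__":
    for name, info in suite_report(c2s_context()).items():
        print(f"{name:32} kex={info['kex']:9} "
              f"cert={info['cert_key']:5} fs={info['forward_secrecy']}")
```

Because the context keeps certificate verification on, a self-signed server certificate fails the handshake instead of being silently accepted.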
Security level RSA and ECC
The security of RSA or ECC depends largely on trust in the CA (Let's Encrypt or another). RSA or ECC server encryption offers weak protection against surveillance of users by the country where the server is located or by the countries where the CA is located (Let's Encrypt / USA). For all its flaws, server encryption is useful and increases security. It offers strong protection against hackers, Wi-Fi interception, and surveillance by third countries. To protect against espionage by the CA or by the country where the server is located, you must always use e2e encryption.
Dialback (not supported by 404.city)
Dialback: when XMPP was created, certificates had to be paid for, and many server owners refused to pay for them. Dialback was devised to solve the problem of paid certificates. Certificate verification is based on IP matching. Encryption is used, but it is not secure. Example:
you <= TLS c2s (medium protected) => server trusted.com <= Dialback s2s (low protected) => server untrusted.com <= self-signed certificate + public Wi-Fi (Danger! Badly protected) => your inexperienced friend
Dialback is not supported by the 404.city server.
PGP is not server encryption, but it is listed as an example because some administrators of XMPP servers confuse self-signed certificates with PGP e2e encryption. Server-based encryption is designed to provide basic protection for inexperienced users. Self-signed certificates cause a connection error in browsers and XMPP clients.
| ||PGP RSA (e2e)||PGP ECC (e2e)||TLS ECC||TLS RSA||Dialback RSA (self-signed certificate)||No encryption|
|Defence against hackers on free Wi-Fi||Yes||Yes||Yes||Yes||Only if both interlocutors are experts||No|
|Defence against a malicious proxy, VPN, or Tor exit node||Yes||Yes||Yes||Yes||Only if both interlocutors are experts||No|
|Protection against MITM by backbone providers or local governments||Yes||Yes||Yes||Yes||Weak||No|
|Long signature||Yes||No||Do not use to manually sign messages||Do not use to manually sign messages||Do not use to manually sign messages||-|
|Verification method||Manual||Manual||Automated||Automated||Manual (c2s). Manual verification does not protect against root CA certificate spoofing. Weak automated verification of the server interconnection (s2s)||No|
|Protection against hacking by the government of the country where the server is located||Yes (XMPP client encryption)||Yes (XMPP client encryption)||Physical access to the server||Physical access to the server||Physical access to the server||No|
|Hacking by the NSA?||Unknown||Unknown, but the NSA distributed a backdoored random number generator until 2014.||OS Root CA dependencies||OS Root CA dependencies||OS Root CA dependencies||No encryption|
DNSSEC encrypts DNS requests to the server. DNSSEC is enabled on 404.city.