XMPP server encryption
XMPP server encryption - is basic encryption. Server encryption is intended so that attackers or spies cannot intercept messages with an open text without e2e. Without reliable server-side encryption, your data can be intercepted via public WI-FI or saved by the ISP. Connection to 404.city is impossible without encryption TLS.
- TLS (RSA or ECC) - Basic encryption protects against hackers and espionage of the governments of most countries. Example:
you <=TLS c2s (medium protected)=> server 404.city <=> TLS s2s (medium protected) <=> server example.com <=TLS c2s (medium protected) => your friend
- StartTLS is also similar to TLS and does not have strong security differences if the certificate is trusted.
ECC vs RSA keys
- RSA (Example: ECDHE-RSA-AES256-GCM-SHA384) is outdated encryption. Uses more server resources and uses less XMPP client resources and weaker encryption. By default RSA is weak, so it is strengthened by the ECC with the algoritm ECDHE
|Equivalent bits keys AES vs RSA vs ECC|
|Simetric (AES)||RSA (ECDHE-RSA)||ECC (ECDHE-ECDSA)|
- ECC (Example:ECDHE-ECDSA-AES256-GCM-SHA384) modern encryption uses less XMPP server resources and uses less XMPP client resources. In 2021, it will be adopted as a standard for all TLS certificates (Even RSA certificates will use CA ECC)
«The small key sizes make ECC very appealing for devices with limited storage or processing power, which are becoming increasingly common in the IoT. In terms of more traditional web server use cases, the smaller key sizes can offer speedier SSL handshakes (which can translate to faster page load times) and stronger security» - ECC vs RSA "GlobalSing"
|Perfomance RSA vs ECC|
Security level RSA and ECC
RSA or ECC security depends on more trust from the CA (Let'Encrypt or other) than on the type of encryption, but ECC certificates are considered more secure against a quantum computer. The larger the bit, the more qubit the quantum computer needs to break the encryption.
Server encryption RSA or ECC is weak protected against shadowing the users from country where the server is located or countries where the CA (Let's encrypt / USA) is located.With all the flaws, server encryption is useful and increases security.
Server encryption is high protected against hackers, interception of Wi-Fi, surveillance from third countries.To protect against espionage from the CA or the country of the server's location, you must use always e2e encryption.
It is worth known that the TLS ECC vs TLS RSA comparison describes only server encrypt using. OpenPGP RSA user certificates in XMPP client for e2e encryption are more secure than server-side RSA or ECC for TLS
your e2e openPGP / ОМЕМО/ OTR (high protected)<=TLS c2s (medium protected)=> server 404.city ECC<=> TLS s2s (medium protected) <=> server example.com <=TLS c2s (medium protected) => your friend e2e openPGP / ОМЕМО/ OTR (high protected)
Dialback (no support 404.city)
Dialback - At the time of the creation of XMPP certificates were paid. Many server owners have refused to pay for certificates. To solve the problem with paid certificates was coined dialback.Certificate verification is based on ip compliance. Encryption is used, but it is not secure. Example:
you <=TLS c2s (medium protected) => server trusted.com <=> Dialback s2s (low protected) <=> server untrusted.com <= self-signet serfiticate + public wi-fi (Danger! Bad protected) => your inexperienced friend
Security level Dialback
Dialback is not able to protect from government surveillance and hacking by hackers and today outdated encryption for public servers. Dialback no support server 404.city. When using e2e encryption dialback connection is safe, but connection dialback does not perform useful tasks for public servers. Dialback (without e2e) creates a false sense of security. To replace DialBack, it is recommended to use valid tls + e2e encryption.
DNSsec encrypts DNS requests to the server. DNSsec is enabled on 404.city.