Daniel Gultsch on Nostr: Two more things to note before we roll out channel binding: · It’s not ...
Two more things to note before we roll out channel binding:
· It’s not unreasonable to assume that future attacks will use stolen certificates. Therefore 'endpoint' is an inferior channel binding method and servers that have other methods available (unique or exporter) should not be offering 'endpoint' at all to avoid down grade attacks.¹
· Channel binding relies on the password staying secret; Make sure you are not reusing passwords across services.
¹: I realize XEP-0440 might imply otherwise
· It’s not unreasonable to assume that future attacks will use stolen certificates. Therefore 'endpoint' is an inferior channel binding method and servers that have other methods available (unique or exporter) should not be offering 'endpoint' at all to avoid down grade attacks.¹
· Channel binding relies on the password staying secret; Make sure you are not reusing passwords across services.
¹: I realize XEP-0440 might imply otherwise