Two years and a couple of months ago Prosody’s hashed backend was activated. Users that have logged in since automatically started using the security improvements it brought (hashed passwords on the server).
Users that haven’t logged in since still have their (old, unhashed) password file on the server and likely don’t use the service anymore. While I usually don’t see a reason to remove accounts at server level (users have the ability to delete their accounts themselves), I see one in this case as it removes the possibility for someone who gained unauthorized access to the server to gain possession of those unprotected password files.
If you haven’t logged in for more than two years and would like to keep your account, simply log in during the next ~30 days. Thank you.
I’m working on renewing the certificates. The new ones should be StartSSL™ Verified, which brings a couple of advantages (valid for two years, multiple domains in one cert etc.) and a slight disadvantage (they are not free anymore).
Update: The new certificate is in place. It’s valid for 2 years and has the following fingerprints:
Identi.ca is now reachable via our transports.
Update: Removed Identica, they have an inbuilt XMPP service.
Just a note to let you know the server has been restarted today because we hit a connection limit. Should be fine for the foreseeable future now.
Our server is being moved to another datacenter between 22:45 and 08:00 (CEST).
The answer to IRC’s Eggdrop? Well, not quite, but much like Prosody in the beginning, it’s a solid ground to build on.
It uses Verse, an XMPP client library for Lua. This post will show (mainly for later re-reading) how to set up Riddim.
A certificate will be replaced this week since it has expired.
This is a list of fingerprints in order to make sure you know it’s safe to accept the new one:
This post will be updated once the new certificate is in place. As always, please let us know if you encounter any kind of problems.
Recently Prosody gained the ability to store passwords in a hashed form.
With the upcoming upgrade next weekend this feature will be enabled.
It’s an important change as a possible attacker wouldn’t be able to look at users’ passwords anymore even if he gained access to the server.
This is possible due to a new authentication mechanism called SCRAM. For the best possible security use a client that supports SCRAM (such support is already being added to most of the popular clients). In the meantime Prosody will allow clients to use the standard PLAIN mechanism, and perform the SCRAM calculations on the server side.
The code has been contributed by jefferai, thanks!
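What the server keeps instead of the password, and how both PLAIN and SCRAM logins are checked against it, as an added example that is not Prosody's code or part of the original post. It assumes SCRAM-SHA-1 as defined in RFC 5802 and ASCII passwords (SASLprep normalisation is skipped); the function names are hypothetical and the sample values are the test vector from RFC 5802 section 5.

```python
import base64
import hashlib
import hmac
import os

# Test vector from RFC 5802 section 5 (user "user", password "pencil").
RFC_SALT = base64.b64decode("QSXCR+Q6sek8bf92")
RFC_AUTH_MESSAGE = (
    b"n=user,r=fyko+d2lbbFgONRv9qkxdawL,"
    b"r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096,"
    b"c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
)
RFC_PROOF = base64.b64decode("v0X8v3Bz2T0CJGbJQyF0X+HI4Ts=")
RFC_SERVER_SIGNATURE = base64.b64decode("rmF9pqV8S7suAoZWja4dJRkFsKQ=")

def hmac_sha1(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()

def make_record(password, salt=None, iterations=4096):
    """Derive the per-user record stored on disk; the password itself is discarded."""
    salt = salt or os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.sha1(hmac_sha1(salted, b"Client Key")).digest(),
        "server_key": hmac_sha1(salted, b"Server Key"),
    }

def verify_plain(record, password):
    """PLAIN login: the server receives the password and redoes the SCRAM derivation."""
    candidate = make_record(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate["stored_key"], record["stored_key"])

def verify_scram_proof(record, auth_message, proof):
    """SCRAM login: the client sends a proof only; recover ClientKey and hash it."""
    signature = hmac_sha1(record["stored_key"], auth_message)
    client_key = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), record["stored_key"])

def server_signature(record, auth_message):
    """Value the server returns so the client can check the server knows the record."""
    return hmac_sha1(record["server_key"], auth_message)

if __name__ == "__main__":
    rec = make_record("pencil", RFC_SALT, 4096)
    print(verify_plain(rec, "pencil"), verify_scram_proof(rec, RFC_AUTH_MESSAGE, RFC_PROOF))
```

With PLAIN the password still crosses the connection and is visible to the server process during login; only the form kept on disk changes.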
A couple of certificates will be replaced today since they have expired.
This is a list of fingerprints in order to make sure you know it’s safe to accept the new ones:
thiessen.it and im.thiessen.it:
This post will be updated once the new certificates are in place. As always, please let us know if you encounter any kind of problems.
Update: The new certificates have been applied.
The host this service is running on hasn’t been reachable since around 4pm today. The hoster has been informed and we hope it will be available again soon. Thanks again for your patience.
Update: The machine is back up. The service wasn’t reachable for around two hours. According to our hoster it was caused by a power outage.