Unused accounts

Two years and a couple of months ago, Prosody's hashed authentication backend was activated. Users who have logged in since then automatically started benefiting from the security improvement it brought (passwords are stored hashed on the server).

Users who haven't logged in since then still have their old, unhashed password file on the server and likely don't use the service anymore. While I usually don't see a reason to remove accounts at the server level (users can delete their accounts themselves), I do see one in this case: it removes the possibility that someone who gained unauthorized access to the server could also obtain those unprotected password files.

If you haven’t logged in for more than two years and would like to keep your account, simply log in during the next ~30 days. Thank you.

A couple of certificates need to be renewed

I'm working on renewing the certificates. The new ones should be StartSSL™ Verified, which brings a couple of advantages (valid for two years, multiple domains in one certificate, etc.) and a slight disadvantage (they are no longer free).

Update: The new certificate is in place. It’s valid for 2 years and has the following fingerprints:
SHA1: A8:22:15:A3:18:3D:AF:07:43:24:9C:9E:83:95:50:AC:15:17:90:53
MD5: D4:2F:D9:5F:70:BC:FD:AA:C4:EB:8F:F5:63:10:BA:3D

Certificate renewal – thiessen.im

A certificate will be replaced this week since it has expired.

These are the fingerprints of the new certificate, so you can verify that it's safe to accept:

SHA1 Fingerprint=9F:57:4E:D7:14:74:8B:99:C7:57:5D:DD:DF:79:DE:34:27:FF:61:8A
MD5 Fingerprint=93:B2:7E:AB:C2:6D:05:F0:50:20:89:9C:7B:FD:97:4B

This post will be updated once the new certificate is in place. As always, please let us know if you encounter any kind of problems.

Update: Done

Prosody stores hashed passwords

Recently Prosody gained the ability to store passwords in a hashed form.
With the upcoming upgrade next weekend this feature will be enabled.

It's an important change: a possible attacker would no longer be able to read users' passwords, even if they gained access to the server.

This is made possible by a new authentication mechanism called SCRAM. For the best possible security, use a client that supports SCRAM (such support is already being added to most popular clients). In the meantime, Prosody will still allow clients to use the standard PLAIN mechanism and will perform the SCRAM calculations on the server side.
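To illustrate what "performing the SCRAM calculations on the server side" means, here is an added example (not Prosody's own code) of the SCRAM-SHA-1 derivation from RFC 5802: the server keeps only salt, iteration count, StoredKey and ServerKey, yet can verify both a SCRAM client proof and a PLAIN password against that record. Account name, salt and AuthMessage below are constructed sample values.

```python
import hashlib
import hmac

# Added example, not Prosody's own code: SCRAM-SHA-1 (RFC 5802) credential
# derivation and verification against a hashed-only credential record.

def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # SaltedPassword = Hi(password, salt, i), which is PBKDF2-HMAC-SHA1
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)

def derive_stored(password: str, salt: bytes, iterations: int) -> dict:
    """What the server writes to disk instead of the cleartext password.
    In production the salt is random per account (e.g. os.urandom(16))."""
    salted = salted_password(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.sha1(client_key).digest(),  # H(ClientKey)
        "server_key": hmac.new(salted, b"Server Key", hashlib.sha1).digest(),
    }

def verify_plain(stored: dict, password: str) -> bool:
    """PLAIN fallback: the server re-runs the derivation with the stored salt
    and iteration count and compares StoredKey, so no cleartext is kept."""
    again = derive_stored(password, stored["salt"], stored["iterations"])
    return hmac.compare_digest(again["stored_key"], stored["stored_key"])

def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """SCRAM-capable client: ClientProof = ClientKey XOR ClientSignature.
    salt/iterations come from the server-first message in a real exchange."""
    client_key = hmac.new(salted_password(password, salt, iterations), b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    signature = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return bytes(a ^ b for a, b in zip(client_key, signature))

def verify_scram(stored: dict, auth_message: bytes, proof: bytes) -> bool:
    """Server: recover ClientKey from the proof, check H(ClientKey) == StoredKey."""
    signature = hmac.new(stored["stored_key"], auth_message, hashlib.sha1).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), stored["stored_key"])

if __name__ == "__main__":
    # Constructed sample account and a constructed AuthMessage (in a real exchange
    # it is client-first-bare "," server-first "," client-final-without-proof).
    rec = derive_stored("correct horse", b"constructed-salt", 4096)
    auth_msg = b"n=alice,r=cnonce,r=cnoncesnonce,s=Y29uc3RydWN0ZWQtc2FsdA==,i=4096,c=biws,r=cnoncesnonce"
    proof = client_proof("correct horse", b"constructed-salt", 4096, auth_msg)
    print("PLAIN ok:", verify_plain(rec, "correct horse"), "SCRAM ok:", verify_scram(rec, auth_msg, proof))
```

Note that the record never contains the password itself; a PLAIN login is checked by redoing the same derivation, which is exactly the server-side calculation the post refers to.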

The code has been contributed by jefferai, thanks!

Update: Done 🙂

Certificate renewal

A couple of certificates will be replaced today since they have expired.

These are the fingerprints of the new certificates, so you can verify that it's safe to accept them:

thiessen.it and im.thiessen.it:
SHA1 Fingerprint=B6:61:1A:41:6E:94:1F:11:C1:CD:53:EE:66:BB:DF:36:B9:1E:BA:01
MD5 Fingerprint=35:D0:93:20:86:89:A5:4D:FE:5F:F6:E8:7F:3F:80:B0

SHA1 Fingerprint=5D:72:1C:D2:15:5A:64:5C:73:9A:68:6A:04:4C:A0:3E:B3:BD:29:D0
MD5 Fingerprint=28:81:BD:CB:0E:68:08:1F:E9:B5:6B:1F:C2:A7:47:CB

SHA1 Fingerprint=0F:C4:17:FE:1D:CB:46:0E:39:A8:BF:69:F3:87:8D:57:4E:B8:42:EC
MD5 Fingerprint=8C:FA:B4:E8:2B:41:02:0C:61:2E:83:47:7B:7F:6A:CB

This post will be updated once the new certificates are in place. As always, please let us know if you encounter any kind of problems.

Update: The new certificates have been applied.

Unexpected downtime Feb. 28th

The host this service runs on hasn't been reachable since around 4pm today. The hosting provider has been informed and we hope it will be available again soon. Thanks again for your patience.

Update: The machine is back up. The service wasn't reachable for around two hours. According to our hosting provider, it was caused by a power outage.