Everything is up and running again.
Due to continuous errors and connection issues, I need to take the server down today.
Sorry for this. I'll try to keep the downtime as short as possible.
You might have noticed it:
IAF.org has had some issues lately.
I need to reinstall the host.
So the server will experience a downtime of several hours this Thursday.
6pm to 2am CEST.
You might have noticed it: Is-a-furry.org has a new set of certificates.
Since I use Let's Encrypt, the certificates get changed every 3 months.
If you get a warning about a new certificate, you can compare it with the certificate used on the homepage.
After some years, it finally happened.
But let's start from the beginning:
Last week, on the 21st of June, I got a ticket with a “lost password” topic.
I verified the rightful owner by asking him for 5 contacts out of his list and some details he put in when the account was created.
Sadly there wasn’t an email connected to this account.
I reset the password and wrote the new password to the ticket. – BAD MISTAKE.
I don’t know how, but the guy who requested the password was NOT the rightful owner. The real owner contacted me just a few hours later.
And he COULD authenticate and prove it was his account thanks to earlier tickets he had created. He named the right email address and so on.
I could give him his account back and learned a good lesson. But now I am in a bind.
I don’t want your personal information. IAF uses the principle of “as little data as possible, as much data as needed”.
You can use IAF.org completely anonymously, via Tor and so on.
But I need some information to validate your rightful ownership in cases like this.
So here's a semi-good idea:
Add a valid email address to your profile. Use a spam address. One you don’t need every day. One which can float around on the net.
If you need a password reset, or something, I will write to THIS address, attached to your Jabber account.
If someone tries to steal your account, and can trick me into believing it's his account and not yours, you might not be able to log in. But then you can be sure your new password is in YOUR mailbox and your account is still safe from others.
Nobody is perfect. I have a lot of security, but in the end I’m human. And if someone can answer all security questions, and fool me into resetting a password, there is still this last step.
I hope you can understand what I'm trying to say.
- Use different passwords for different services!
- Use a Password generator if you can’t find good passwords!
- Suggestion: Keepass2
Related: How secure is IAF.org
Some of you might have noticed, some might not: Is-a-furry.org has a new set of SSL certificates.
And now the Web and the XMPP Server use the same set of certs.
Over the last years I used a lot of certificate providers: StartCom, GeoTrust, RapidSSL, Symantec, etc.
Now I'm trying a new provider: Let's Encrypt.
– It’s free (lower costs for me)
– It’s scriptable, meaning I don’t have to update them by hand and restart all services. – This can be done automatically
– I get a warning if my certs are about to expire
– Same cert for web server and chat server
– They are only valid for three months. So there are four changes/year instead of one.
If you get a certificate warning when connecting to is-a-furry.org, make sure you have the right certificate:
03 3e 4b db ec 5f 92 ce 19 32 d9 71 e8 04 d3 22 8e 91
f5 d2 a6 20 41 6b 22 b8 4e f7 6f 22 f9 4e 6f 32 b3 27 61 38
Let’s Encrypt Authority X3
Thanks for your patience
Oh, by the way:
SSL Labs A+ rating 😀
In the last few days I reworked the whole encryption/page security thing.
And I got my A+ rating on SSLLabs.com back :). Unfortunately, many old and outdated browsers and platforms are now no longer able to connect to the homepage of is-a-furry.org. You can have a look at the SSLLabs.com rating to see which devices are no longer able to connect to iaf.org.
This does not affect the mail or Jabber server. They have their own set of encryption algorithms.
Sorry for the recent restarts, but I am still NOT DONE with those spamming cunts.
For all the new people here: In-band registration is now disabled. This means you can’t register an account via a Jabber client.
If you want to register an account on is-a-furry.org, you have to do this >>here<< (this has been available for months, but I just wanted to point it out again).

So what happened? In the last days I got hundreds and hundreds of spammers and bots which tried to register (in total) 134,763 accounts on is-a-furry.org, im.it-native.de and jhml.de. They are stupid and didn’t know that it's only possible to create an account every ten minutes from the same IP address, so I could block nearly 90% of their tries without moving a finger. An additional 8% were blocked by my “servers are not allowed to register an account” rule. This means servers on the net (those you can rent from hosting companies) are not allowed to register an XMPP account. (Don’t get me wrong, if you want to use your Jabber account on IRSSI or any other command-line messenger on Linux or Windows, feel free to do so, you just can't REGISTER an account from there.)

Anyways. I got sick of it. Then the real spamming started: Russian Jabber messages about “Quality Jabber Spam, 2 Million accounts! Just contact email@example.com”. So I took action.
Here are the latest changes:
- In-band registration is deactivated. This means you have to register an account via the website.
- Strangers can’t text you anymore. This means, if you want to chat with somebody, you have to add him to your contact list first.
- You still can join MUCs (rooms) and chat with everyone, whisper to anyone and get whispers from anyone in the room.
I hope now the spamming stops. We’ll see.
Sorry for the recent restarts, but I had to configure a new feature.
Over the last few days I got lots and lots of spam messages. Like “Contact firstname.lastname@example.org for cheap but high quality Jabber/XMPP Spam”.
I tried to write to the server owners of these domains to make them have a look at what’s going on on their servers, but I never received any answer.
That’s why I added a new plugin to the server. It’s a bit more than just a plugin. I upgraded to the newest Prosody version (that’s the server software I use for the Jabber/XMPP server) and activated the blocklist module – with some extension.
Now you are able to block users on your account. This means if you are bugged by someone, you can block them on the server and don’t have to do this on every single client you use. And I can also block whole domains from connecting to my server (in addition to the non-SSL-encrypted servers).
AND I will maintain a new list. A list of blocked domains, and the reasons why they are blocked.
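A Prosody configuration fragment matching the changes described in this post and the previous one (in-band registration off, the per-IP registration throttle, the "servers may not register" rule, the blocklist module, encrypted-only server-to-server links and a blocked-domain list). This is an added example, not is-a-furry.org's own configuration: block_strangers and s2s_blacklist are community modules from prosody-modules, every address and domain name below is a constructed placeholder, and the option names follow the Prosody documentation as I know it, so check them against your Prosody version.

```lua
-- Added example config, not the server's real prosody.cfg.lua.
-- Module and option names: core Prosody docs plus two community modules
-- (block_strangers, s2s_blacklist). Addresses/domains are placeholders.

modules_enabled = {
    "roster"; "saslauth"; "tls"; "dialback"; "disco"; "register";
    "blocklist";        -- XEP-0191: a user blocks a JID once, server-side, for every client
    "block_strangers";  -- community module: drop messages from JIDs not on the roster
    "s2s_blacklist";    -- community module: refuse server-to-server links to listed domains
}

-- Weak setting the registration bots exploited: in-band registration open.
-- allow_registration = true

-- Hardened: in-band registration off, accounts are created via the website only.
allow_registration = false

-- Should IBR ever be re-enabled: at most one registration per IP every ten minutes.
registration_throttle_max    = 1
registration_throttle_period = 600   -- seconds

-- "Servers are not allowed to register": individual hoster IPs seen registering
-- accounts (placeholder addresses; this option takes single IPs, not ranges).
registration_blacklist = { "203.0.113.10"; "198.51.100.7" }

-- Server-to-server: only encrypted links with a valid certificate are accepted,
-- which is what cuts off the non-SSL servers mentioned in the post.
s2s_require_encryption = true
s2s_secure_auth        = true

-- The maintained list of blocked domains, one entry per spam source (placeholders).
s2s_blacklist = { "spam.example"; "bots.example" }
```

Note that mod_blocklist only blocks what the user chooses; the domain list and s2s settings are what stop unwanted servers before any message reaches a user.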
stay tuned ~ a.i.
Is-a-furry.org starts its fourth year of service now. And because of this, we got a new SSL certificate.
IF you get any errors, compare the fingerprints. The official SSL certificate has these fingerprints:
The certificates are verified by GeoTrust
StartCom Ltd. and valid ’til May 2016.
This certificate is valid on the XMPP Server, and the homepage.