New "autoimprove_security" option.
problem
Most users don't touch advanced options and because Gajim has to support older servers, the default settings in Gajim are TLS 1.0 support, weaker RC4 (because of Google Talk servers #7) and 3DES ciphers are supported, authentication mechanisms PLAIN, DIGEST-MD5 are enabled.
enhancement recommendation
When the "autoimprove_security" option is enabled, Gajim will detect current security settings of XMPP server during login (supported TLS version (1.2), current cipher (AES) and authentification mechanism (SCRAM-SHA-1)). After a successful login, Gajim will disable older TLS versions (1.0, 1.1), disable weak ciphers (3DES, RC4) and disable weaker authentication mechanisms (PLAIN, DIGEST-MD5) for the connected server.
I think that this is a good behavior because absolutely most cases XMPP server operators don't downgrade to a software with weaker security. So security features of XMPP servers only improves over time.
This option will enable in combination with XMPP server supporting SCRAM-SHA-1-PLUS that users will be protected from active MiTM attacker with valid SSL certificates. This protection work without any changes in setting by user. It's only required that the user will choose a good password.
Next idea is to have a database (or just a plain text table) of security features of known XMPP public servers. (http://xmpp.net) This table will contain:
- The highest supported TLS version
- Information if ciphers stronger than RC4, 3DES are supported.
- The strongest supported authentification mechanism (and supported by Gajim)
When user creates a new account in Gajim with one of the these servers the security settings for this account will be copied from the database.