PSA: Security improvements on the infrastructure
Written by: Vormrodo | Published on: February 18th 2026, 12:30 o'clock (Europe/Berlin) | Distribution: Fragmented | Language(s): German, English
EN:
To all interested people and users of the projects,
As time goes by and technology progresses, new threats and refined attack methods keep emerging alongside it. Over the last three decades, cryptographic algorithms, for instance, have had to be adapted with longer keys on the internet to keep up with generally increasing computing power and to prevent encryption from being broken. Protection against eavesdropping likewise requires continual updates as more complex attack methods evolve.
As the Vormrodian Projects, we pay close attention to the security of our services and our users, which is why we actively work on reducing attack surfaces broadly and on staying ahead of new vulnerabilities. Cyber criminals and state actors both pose a threat to our infrastructure, and an interception of our data traffic by either would be equally terrible.
With this in mind, we have now worked on some security practices and improvements in order to keep up with current recommendations and cyber security standards. The following has been done:
The key length for our TLS certificates was increased from 2048 to 4096 bits (algorithm: RSA). RSA keys with a length of 2048 bits count as dated, because in a few years they will no longer be able to keep up with modern computing power. The increase lets us use the currently recommended key length of 4096 bits, which can remain unbroken for a much longer time. Disclaimer: This improvement does not provide security against quantum computers, because there is no post-quantum encryption with which TLS certificates can be issued yet. Once this exists, we will adopt it.
In order to get ahead of state-run MITM attacks on encrypted connections and notice them in time, we now use a monitoring service (see https://certificate.transparency.dev/monitors/), which informs us about every change to our TLS certificates via the Certificate Transparency (CT) standard. Malicious issuance of fraudulent TLS certificates not authorized by us can thus be detected.
We have configured some extensions (modules) on our XMPP server that guarantee security during login sessions in the face of disclosed weaknesses (see https://monal-im.org/post/00004-sasl/). For example, the server is now protected from downgrade attacks, which are intended to select an insecure TLS version for connections between users and the server.
Additionally, users can now activate the channel binding function in compatible client software, which makes it possible to detect some MITM attacks and abort the user login in response, so that no data of any kind can pass to the attacker.
MITM (man in the middle) is a type of attack in which the attacker tries to get between two nodes of a data connection and intercept the data. Such an attack happened more than two years ago on the Russian XMPP server Jabber.ru (see https://notes.valdikss.org.ru/jabber.ru-mitm/). It is speculated that law enforcement authorities were behind the attack.
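The check that the Certificate Transparency monitoring described above makes possible, as an added example that is not the projects' own tooling: every logged certificate covering a monitored name is compared against the public keys the operator generated, and anything else is reported. The domain, the record layout and the key fingerprints are assumptions constructed for illustration.

```python
import hashlib

def fp(key_bytes):
    """SHA-256 fingerprint of a public key (SPKI) encoding, as hex."""
    return hashlib.sha256(key_bytes).hexdigest()

# Assumptions: placeholder domain, and constructed byte strings standing in
# for the DER-encoded public keys we generated ourselves.
MONITORED = ("example.org",)
OWN_KEYS = {fp(b"constructed-own-rsa4096-key")}

def covers_monitored(name):
    """True if a certificate name is a monitored domain, a subdomain or a wildcard."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return any(name == d or name.endswith("." + d) for d in MONITORED)

def unauthorized(entries):
    """Return CT entries naming our domains whose key we did not generate.

    The issuer is deliberately not the criterion: anyone who can pass domain
    validation can obtain a certificate from the same CA we use.
    """
    alerts = []
    for e in entries:
        names = [n for n in e["dns_names"] if covers_monitored(n)]
        if names and e["spki_sha256"] not in OWN_KEYS:
            alerts.append({"serial": e["serial"], "issuer": e["issuer"], "names": names})
    return alerts

# Constructed entries in a hypothetical record layout (not a real monitor's output).
SAMPLE = [
    {"serial": "01", "issuer": "Example CA", "dns_names": ["example.org", "xmpp.example.org"],
     "spki_sha256": fp(b"constructed-own-rsa4096-key")},   # our own renewal
    {"serial": "02", "issuer": "Example CA", "dns_names": ["xmpp.example.org"],
     "spki_sha256": fp(b"constructed-foreign-key")},        # same CA, foreign key
    {"serial": "03", "issuer": "Other CA", "dns_names": ["notexample.org"],
     "spki_sha256": fp(b"constructed-foreign-key")},        # different domain, ignored
    {"serial": "04", "issuer": "Other CA", "dns_names": ["*.Example.org"],
     "spki_sha256": fp(b"constructed-foreign-key")},        # wildcard over our domain
]

if __name__ == "__main__":
    for alert in unauthorized(SAMPLE):
        print("UNAUTHORIZED CERTIFICATE:", alert)
```

Matching on the key fingerprint means a planned key rotation has to be added to the inventory before the new certificate is requested, otherwise the operator's own renewal raises an alert.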
PGP signature of this announcement