[Standards] HTTP Authentication with XMPP (Concern over XEP-70)

Richard Dobson richard at dobson-i.net
Fri Dec 21 04:28:52 CST 2007


>
>> What's going on with XEP-101: HTTP Authentication Using Jabber  
>> Tickets[2]? It's "Deferred", yet it seems to, more or less, do the  
>> same thing in a better fashion.
>>
>>
> Although the HTTP client needs to support a new authentication method, 
> this seems closer to the ideal. But the authentication itself is 
> somewhat weak - it's relying on ticket expiration to try to mitigate 
> replay attacks, and pretty well all of the Security Considerations 
> section looks a little hand-wavy to my (jaded and cynical) eyes.
Well, unfortunately that's because I rather gave up as no one really 
seemed interested in it (as well as others being hostile towards it), 
but if you can suggest any improvements they would be very welcome. I'd 
be perfectly happy to start work on it again if people are interested in 
it and can provide suggestions.

>
> However, the form of the ticket in XEP-0101 is really no better than a 
> plaintext password, so I'm not too keen on that either - if you're 
> going to go to the extent of having a new HTTP authentication method, 
> it seems logical to make it secure.
It is better than a plain text password in that it expires and cannot be 
easily faked (unless someone somehow gets hold of your private key), but 
yes, it could, if sniffed on the wire, then be submitted to the server by 
someone else, although that could be mitigated to an extent with 
extra security verification in the ticket like IP address etc., or even 
better by requiring that the key is submitted over an SSL/TLS connection. But 
then this is no different really from websites that use cookies for 
their session identifiers once you have logged into them: they can be 
easily sniffed over the wire and then submitted to the server, and the 
server will think they are you.

For some background, I created the tickets spec based on what I have 
been doing in a Jabber client I've been working on that has web-based 
tabs and dialogs in the interface that require you to be authenticated 
to the website with your Jabber ID to be able to properly interact with 
it. XEP-0070 is just not usable for that sort of automatic logging in, 
and because the browser is embedded in the client it's also easy to 
implement without needing to write full-blown browser extensions, and 
it seems to work very well. It's also handy not needing to write Jabber 
components into the webserver or the webpages you are writing; all you 
need is to use your language's public key encryption libraries, so nothing 
particularly custom needs to be done.

Richard
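As an added illustration of the ticket mechanism and the replay concern discussed in this thread (example code added here, not taken from XEP-0101, from the client described above, or from any poster): a constructed ticket format signed with the client's Ed25519 key that carries an expiry, a random nonce and an optional address binding. The verifier rejects bad signatures, expired tickets, tickets presented from a different address, and a second presentation of the same ticket. The ticket layout, field names, JIDs and addresses are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Ticket is a constructed, hypothetical layout for this example; it is
// not the XEP-0101 wire format.
type Ticket struct {
	JID     string `json:"jid"`
	Addr    string `json:"addr,omitempty"` // optional client address binding
	Expires int64  `json:"exp"`            // Unix seconds
	Nonce   string `json:"nonce"`          // random; lets the server refuse re-use
}

var (
	ErrMalformed    = errors.New("malformed ticket")
	ErrBadSignature = errors.New("bad signature")
	ErrExpired      = errors.New("ticket expired")
	ErrReplay       = errors.New("ticket already used")
	ErrAddrMismatch = errors.New("ticket bound to a different address")
)

// NewKeyPair generates the client's Ed25519 signing key pair.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Issue builds and signs a ticket for jid valid for ttl from now.
// addr may be "" for no address binding.
func Issue(priv ed25519.PrivateKey, jid, addr string, now time.Time, ttl time.Duration) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	body, err := json.Marshal(Ticket{
		JID:     jid,
		Addr:    addr,
		Expires: now.Add(ttl).Unix(),
		Nonce:   enc.EncodeToString(nonce),
	})
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(priv, body)
	return enc.EncodeToString(body) + "." + enc.EncodeToString(sig), nil
}

// Verifier holds the trusted public key plus the nonces already accepted,
// keyed by expiry so they can be forgotten once the ticket has expired anyway.
type Verifier struct {
	pub  ed25519.PublicKey
	seen map[string]int64
}

func NewVerifier(pub ed25519.PublicKey) *Verifier {
	return &Verifier{pub: pub, seen: map[string]int64{}}
}

// Verify checks, in order: encoding, signature, expiry, address binding,
// and single use. It returns the authenticated JID on success.
func (v *Verifier) Verify(ticket, remoteAddr string, now time.Time) (string, error) {
	dot := strings.IndexByte(ticket, '.')
	if dot < 0 {
		return "", ErrMalformed
	}
	enc := base64.RawURLEncoding
	body, err := enc.DecodeString(ticket[:dot])
	if err != nil {
		return "", ErrMalformed
	}
	sig, err := enc.DecodeString(ticket[dot+1:])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return "", ErrMalformed
	}
	if !ed25519.Verify(v.pub, body, sig) {
		return "", ErrBadSignature
	}
	var t Ticket
	if err := json.Unmarshal(body, &t); err != nil {
		return "", ErrMalformed
	}
	if now.Unix() >= t.Expires {
		return "", ErrExpired
	}
	if t.Addr != "" && t.Addr != remoteAddr {
		return "", ErrAddrMismatch
	}
	// Forget nonces of tickets that have expired; they can no longer be replayed.
	for n, exp := range v.seen {
		if exp <= now.Unix() {
			delete(v.seen, n)
		}
	}
	if _, used := v.seen[t.Nonce]; used {
		return "", ErrReplay
	}
	v.seen[t.Nonce] = t.Expires
	return t.JID, nil
}

func main() {
	pub, priv, _ := NewKeyPair()
	now := time.Now()
	tk, _ := Issue(priv, "alice@example.com", "198.51.100.7", now, time.Minute)
	v := NewVerifier(pub)
	jid, err := v.Verify(tk, "198.51.100.7", now)
	fmt.Println(jid, err) // alice@example.com <nil>
	_, err = v.Verify(tk, "198.51.100.7", now) // same ticket presented again
	fmt.Println(err)
}
```

The expiry only bounds the replay window; what actually stops a sniffed ticket from being accepted a second time is the server remembering the nonce until the ticket expires. The address binding is the "extra security verification in the ticket" mentioned above, and TLS on the HTTP connection addresses the sniffing itself.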
