[Standards] Any protocol to request encrypted connections?
Matthias Wimmer
m at tthias.eu
Sun Feb 4 19:28:48 CST 2007
Do we have any XEP, that allows a client to request, that a message is
only allowed to be forwarded by a server using encrypted connections
where the destination of the message has been authenticated?
In general: I think we should start thinking about better identity
verification of the destination of a XMPP link. On s2s connections using
dialback we currently have NO verification, that the destination is the
server we expect it to be. An attacker, that is able to reroute a
connection to his own server (either by modifying the DNS entries of the
destination server or by hijacking the connection at the IP layer) will
get the stanzas, that are addressed to the attacked entity.
With the currently deployed Jabber network, I think we are doing a
better job in verifying that the source of a message cannot be forged,
than verifying that the message is delivered to the right receipient.
Matthias
More information about the Standards
mailing list