[jdev] Why STARTTLS? [was: IMPORTANT www.jabber.org software listings]

Jefferson Ogata Jefferson.Ogata at noaa.gov
Mon Feb 25 09:13:44 CST 2008

On 2008-02-25 00:16, Peter Saint-Andre wrote:
> Tomasz Sterna wrote:
>> Why do you require services to be listed on the public im services list,
>> to run an SSL-only port for client connections?
> Because we want to do this:
>    openssl s_client -connect example.com:5223 -CAfile ca.crt
> AFAIK there is no good way to do something similar for STARTTLS
> connections. If you know of a way, please do let us know.
>> I thought we wanted to encourage use of STARTTLS not the legacy SSL
>> wrapper.
> We do.

That reminds me: I've been wondering why Jabber folks have been 
encouraging STARTTLS? In general, STARTTLS has the flaw of allowing 
misconfigured clients (of any protocol) to transmit credentials in the 
clear; people who want to ensure clients are not exposing credentials 
are safer with an SSL wrapper. Meanwhile, as Peter points out, STARTTLS 
makes it harder to test services.

What advantage does STARTTLS provide to offset these annoyances?

Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service

More information about the JDev mailing list