[jdev] Why STARTTLS? [was: IMPORTANT www.jabber.org software listings]
Jefferson.Ogata at noaa.gov
Mon Feb 25 09:13:44 CST 2008
On 2008-02-25 00:16, Peter Saint-Andre wrote:
> Tomasz Sterna wrote:
>> Why do you require services to be listed on the public im services list,
>> to run an SSL-only port for client connections?
> Because we want to do this:
> openssl s_client -connect example.com:5223 -CAfile ca.crt
> AFAIK there is no good way to do something similar for STARTTLS
> connections. If you know of a way, please do let us know.
>> I thought we wanted to encourage use of STARTTLS not the legacy SSL
> We do.
That reminds me: I've been wondering why Jabber folks have been
encouraging STARTTLS? In general, STARTTLS has the flaw of allowing
misconfigured clients (of any protocol) to transmit credentials in the
clear; people who want to ensure clients are not exposing credentials
are safer with an SSL wrapper. Meanwhile, as Peter points out, STARTTLS
makes it harder to test services.
What advantage does STARTTLS provide to offset these annoyances?
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service
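For the testing concern raised above, here is a STARTTLS-side counterpart of the `openssl s_client -connect example.com:5223 -CAfile ca.crt` check: an added example written for this reply, not code from the thread or from jabber.org. It does the XMPP STARTTLS negotiation (RFC 6120) in the clear, refuses to proceed if the server does not offer STARTTLS, and only then verifies the certificate chain and hostname; the host names, port and the server replies in `demo()` are assumed or constructed, not captured from any real service.

```python
import socket
import ssl
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAM_OPEN = ('<?xml version="1.0"?><stream:stream to="%s" version="1.0" '
               'xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams">')

def read_until(recv, marker, limit=65536):
    """Collect bytes until marker appears; fail closed on EOF or an oversized reply."""
    buf = b""
    while marker not in buf:
        chunk = recv(4096)
        if not chunk or len(buf) > limit:
            raise ConnectionError("stream ended before %r" % marker)
        buf += chunk
    return buf

def starttls_offered(features):
    """True if <stream:features> advertises <starttls> in the xmpp-tls namespace."""
    text = features.decode("utf-8", "replace")
    return "<starttls" in text and TLS_NS in text

def negotiate_starttls(host, send, recv):
    """Plaintext leg: open the stream, confirm STARTTLS is offered, request it,
    wait for <proceed/>. Nothing sensitive is sent before TLS is up."""
    send((STREAM_OPEN % host).encode())
    if not starttls_offered(read_until(recv, b"</stream:features>")):
        raise RuntimeError("server does not offer STARTTLS; not continuing in the clear")
    send(('<starttls xmlns="%s"/>' % TLS_NS).encode())
    reply = read_until(recv, b"/>")
    if b"<proceed" not in reply:
        raise RuntimeError("STARTTLS refused: %r" % reply)

def check_xmpp_starttls(host, port=5222, cafile=None):
    """STARTTLS counterpart of `openssl s_client -connect host:5223 -CAfile ca.crt`:
    returns the peer certificate only if it chains to cafile and matches host."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    with socket.create_connection((host, port), timeout=10) as sock:
        negotiate_starttls(host, sock.sendall, sock.recv)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def demo():
    """Run the negotiation against constructed server replies (not a capture); returns what was sent."""
    replies = [b"<stream:stream id='c0ns'><stream:features><starttls xmlns='%s'>"
               b"<required/></starttls></stream:features>" % TLS_NS.encode(),
               b"<proceed xmlns='%s'/>" % TLS_NS.encode()]
    sent = []
    negotiate_starttls("example.com", sent.append, lambda n: replies.pop(0) if replies else b"")
    return sent
```

Against a live service, `check_xmpp_starttls("example.com", cafile="ca.crt")` raises `ssl.SSLError` on a certificate that does not chain to `ca.crt`, which is the same fail-closed result the `openssl s_client` invocation gives on port 5223.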