[jdev] Why STARTTLS? [was: IMPORTANT www.jabber.org software listings]

Tomasz Sterna tomek at xiaoka.com
Mon Feb 25 09:50:48 CST 2008

On 2008-02-25, Mon at 15:13 +0000, Jefferson Ogata writes:
> That reminds me: I've been wondering why Jabber folks have been
> encouraging STARTTLS? In general, STARTTLS has the flaw of allowing
> misconfigured clients (of any protocol) to transmit credentials in the
> clear; people who want to ensure clients are not exposing credentials
> are safer with an SSL wrapper. Meanwhile, as Peter points out, it
> makes it harder to test services.

If you configure your server to not offer plaintext authentication
methods over an unencrypted channel, there is no way that a properly
written client would transmit credentials in the clear.

> What advantage does STARTTLS provide to offset these annoyances?

You know which domain the client is connecting to, so you can present
the correct certificate with TLS.
In SSL you are encrypting the channel before the stream opening.

  /\_./o__ Tomasz Sterna
 (/^/(_^^' http://www.xiaoka.com/
._.(_.)_   im:smoku at xiaoka.com
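The two points made in the reply above (no SASL mechanisms advertised until TLS is up, and the server seeing the client's `to` domain before the handshake) as a simulated XMPP c2s negotiation. This is an added example, not code from the thread or from any Jabber server; the domain names, certificate labels, the `misconfigured` switch and all helper names are constructed for illustration, and the SSL-wrapper case assumes no SNI.

```python
"""Simulated XMPP stream negotiation: STARTTLS against an SSL wrapper.

Added example; not code from the original thread or from any Jabber server.
It models two points from the reply above:
  1. a server that advertises no SASL mechanisms until TLS is up leaves a
     properly written client no way to send a password in the clear;
  2. with STARTTLS the server has read the client's stream header, including
     the 'to' domain, before the TLS handshake, so it can pick a per-domain
     certificate; an SSL wrapper starts TLS before any XML arrives.
Domain names, certificate labels and helper names are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed per-domain certificate table (labels stand in for real certs).
CERTS = {"example.com": "cert:example.com", "example.net": "cert:example.net"}
DEFAULT_CERT = "cert:default"

# Constructed client stream header, as sent at the start of a c2s connection.
SAMPLE_HEADER = (
    '<stream:stream xmlns="jabber:client" '
    f'xmlns:stream="{NS_STREAM}" to="example.com" version="1.0">'
)


def stream_target(header: str) -> str:
    """Return the 'to' domain from an opening <stream:stream> tag.
    The opening tag travels alone, so its close is appended before parsing."""
    root = ET.fromstring(header + "</stream:stream>")
    if root.tag != f"{{{NS_STREAM}}}stream":
        raise ValueError("not a stream header")
    return root.attrib["to"]


def choose_certificate(mode: str, header: str = "") -> str:
    """STARTTLS: the header has been read, so pick the certificate by domain.
    SSL wrapper: TLS starts before any XML, so (assuming no SNI) only a
    default certificate can be presented."""
    if mode == "starttls":
        return CERTS.get(stream_target(header), DEFAULT_CERT)
    if mode == "ssl":
        return DEFAULT_CERT
    raise ValueError(f"unknown mode {mode!r}")


def server_features(tls_up: bool, misconfigured: bool = False) -> str:
    """<stream:features/> the server advertises.

    Correct configuration: only <starttls/> (required) on the plain stream,
    SASL mechanisms once TLS is up. misconfigured=True reproduces the mistake
    the thread warns about: PLAIN offered, and TLS not, on the plain stream."""
    plain = (f'<mechanisms xmlns="{NS_SASL}">'
             '<mechanism>PLAIN</mechanism></mechanisms>')
    starttls = f'<starttls xmlns="{NS_TLS}"><required/></starttls>'
    body = plain if (tls_up or misconfigured) else starttls
    return f'<stream:features xmlns:stream="{NS_STREAM}">{body}</stream:features>'


def client_choose(features: str, tls_up: bool) -> str:
    """What a properly written client does with <stream:features/>: upgrade
    when STARTTLS is offered, authenticate with PLAIN only inside TLS, and
    refuse to put a plaintext credential on an unencrypted stream."""
    root = ET.fromstring(features)
    if not tls_up and root.find(f"{{{NS_TLS}}}starttls") is not None:
        return "starttls"
    mechs = [m.text for m in root.iter(f"{{{NS_SASL}}}mechanism")]
    if "PLAIN" in mechs:
        if not tls_up:
            raise RuntimeError("refusing PLAIN on an unencrypted stream")
        return "auth:PLAIN"
    raise RuntimeError("no acceptable mechanism offered")


def negotiate(header: str, misconfigured: bool = False) -> Dict[str, object]:
    """Play both sides of the c2s negotiation and report the outcome."""
    cert = choose_certificate("starttls", header)   # known before TLS starts
    transcript: List[Tuple[str, str]] = [("C", header)]
    feats = server_features(tls_up=False, misconfigured=misconfigured)
    transcript.append(("S", feats))
    try:
        client_choose(feats, tls_up=False)          # "starttls" when correct
    except RuntimeError as err:
        return {"outcome": "refused", "reason": str(err), "transcript": transcript}
    transcript.append(("C", f'<starttls xmlns="{NS_TLS}"/>'))
    transcript.append(("S", f'<proceed xmlns="{NS_TLS}"/>'))
    # TLS handshake happens here, presenting `cert`; the stream then restarts.
    transcript.append(("C", header))
    feats = server_features(tls_up=True)
    transcript.append(("S", feats))
    step = client_choose(feats, tls_up=True)
    return {"outcome": step, "certificate": cert,
            "domain": stream_target(header), "transcript": transcript}


if __name__ == "__main__":
    for who, line in negotiate(SAMPLE_HEADER)["transcript"]:
        print(who, line)
    print(negotiate(SAMPLE_HEADER, misconfigured=True)["reason"])
```

Running the module prints the correct exchange (header, `<starttls/>` required, `<proceed/>`, restart, PLAIN offered only inside TLS) and then the client's refusal when the constructed misconfigured server offers PLAIN on the plain stream; `choose_certificate("ssl")` shows why the wrapper on a separate port cannot select a per-domain certificate the way STARTTLS can.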
