[jdev] Why STARTTLS? [was: IMPORTANT www.jabber.org software listings]
Jefferson.Ogata at noaa.gov
Mon Feb 25 19:24:46 CST 2008
On 2008-02-26 00:55, Dave Cridland wrote:
> I usually hate receiving responses like this one, but they're
> nonetheless true:
> The great StartTLS vs special-socket debate was over something like 10
> years ago - possibly more, actually. Even in protocols which don't offer
> the server id negotiation prior to TLS, as in XMPP, there are other
> benefits, and these are, IIRC, documented in RFC 2595. Reopening this
> debate is going to frustrate you, and annoy other people.
I strongly disagree with that statement, and I could equally state that
the "debate is over" and resolved against STARTTLS; in fact, I've
already presented argument for this. This started with the question "why
STARTTLS?" and so far, the response has been, "Because." If you think
the debate is over, surely you can do better.
RFC 2595 defines STARTTLS for a couple of protocols. It doesn't dispense
with the debate; on the contrary, it is loaded with additional
requirements for server and client behavior just for the purpose of
protecting credentials where STARTTLS is used.
I spend entirely too much time trying to protect credentials in
STARTTLS-based protocols. Anyone in the position of actually trying to
keep clients from sending credentials in the clear fully understands the
dramatic inferiority of STARTTLS. If all code were perfect, maybe this
would be less so. Reality is that a lot of people (perhaps most) write
Encrypt first; ask questions later. People who don't understand this
don't frustrate or annoy me--I just don't think much of them.
> There is an advantage to socket based TLS, however, which is usually
> overlooked - it's fewer round-trips. We'll hopefully address this in due
> course on standards@, though.
If the protocol provided certificate CN prenegotiation there would be at
least *one* argument in favor of using STARTTLS. If, as you say, XMPP
provides no such capability, then it's a no-brainer that STARTTLS is the
WRONG approach. I know you hate receiving responses like these, but they
are nonetheless true.
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service
More information about the JDev