[Foundation] Let's propose JEP-0046 (DTCP)

johannes.wagener at gmx.net johannes.wagener at gmx.net
Wed Dec 4 17:45:45 CST 2002


Good point. If someone needs a secured connection he should even 
better encrypt the session creation in a gpg thingy... Maybe you should 
add this, this is the only way to secure the connection. Imagine any 
jabber server admin captures the packet and alters it.

Whatever, the session creation should still be possible in a simple case 
where security is not necessary. This means it should be simply up to 
the user/coder to establish the session in a gpg client2client tackling or 
just unencrypted...

Just add an option to send the whole thing gpg encrypted...

On 4 Dec 2002 at 20:52, Jan Niehusmann wrote:

> On Wed, Dec 04, 2002 at 12:43:05PM -0600, Casey Crabb wrote:
> > Currently someone who is able to listen to (but not alter) the jabber
> > server connection can act as the listener for a dtcp connection and
> > successfully establish the dtcp connection.
> 
> But almost anybody who can listen to the jabber stream can alter it, as
> well. 
> 
> If you are on a router handling the traffic, man-in-the-middle is
> trivial. If you happen to be on a network segment where you can read the
> traffic, but not directly change it, you can redirect the traffic
> through your own system by arp spoofing attacks.
> 
> > Some key should be sent over the dtcp connection which has to be echoed
> > on the jabber connection so that you are sure either
> > 1) this is the correct person    or
> > 2) Someone has the capability of altering data in the jabber stream (in
> > which case you can not trust anything).
> 
> A jabber user who is concerned about people hijacking his DTCP connection, 
> should probably start securing his setup by using SSL on the jabber 
> connection.
> 
> And DTCP can do TLS, which already includes the facility to do strong
> authentication. What we are missing (IMHO) is some generic way to tie
> keys (TLS certificates as well as GPG keys) to jabber IDs. 
> 
> Jan