[Security] TLS Certificates Verification

Jonathan Schleifer js-xmpp-security at webkeks.org
Wed Aug 20 11:17:37 CDT 2008


Peter Saint-Andre <stpeter at stpeter.im> wrote:

> Not necessarily. There's still SOCKS5 Bytestreams through a proxy, or 
> ICE-TCP. Or you could switch to a different server. If a server admin 
> does something that prevents e2e encryption and their users care
> about this feature, the users will complain. And even if IBB is
> blocked we could define yet another even simpler in-band method (even
> "bits of binary" as defined in XEP-0231). But of course server admins
> could block that, too. And nothing stops a server admin from blocking
> ESessions, either!

I should be more specific here: My server only has the bandwith to
transfer small data like text, not BLOBs. Thus I don't want Jingle IBB,
because I never want video or files inband. But I want encryption
inband!
So I'm for having something not using Jingle IBB!
Oh, and it's possible that I only allow connections to the Jabber
server for security reasons, so not even a proxy would work.

> Is "I" the server admin or the client user?

Both.

> In your client you don't disable IBB for everything, you disable it
> for video and file transfer but not e2e streams.

I'm talking about server-side here.

> That's easy for a server admin to block, too.

Yes, but no need to block encryption if you just don't want huge data
transferred via IBB. Encrypted text is not huge. But Jingle IBB is
usually for larger stuff.

> <message
>      from='romeo at montague.net/orchard'
>      to='juliet at capulet.com/balcony'
>      id='msg1'>
>    <body>
>      This message is encrypted. If you see this text,
>      something went wrong
>    </body>
>    <data xmlns='http://jabber.org/protocol/ibb' sid='mySID' seq='0'>
>      qANQR1DBwU4DX7jmYZnncmUQB/9KuKBddzQH+tZ1ZywKK0yHKnq57kWq+RFtQdCJ
>      WpdWpR0uQsuJe7+vh3NWn59/gTc5MDlX8dS9p0ovStmNcyLhxVgmqS8ZKhsblVeu
>      IpQ0JgavABqibJolc3BKrVtVV1igKiX/N7Pi8RtY1K18toaMDhdEfhBRzO/XB0+P
>      AQhYlRjNacGcslkhXqNjK5Va4tuOAPy2n1Q8UUrHbUd0g+xJ9Bm0G0LZXyvCWyKH
>      kuNEHFQiLuCY6Iv0myq6iX6tjuHehZlFSh80b5BVV9tNLwNR5Eqz1klxMhoghJOA
>    </data>
> </message>

This is ok with me.

> There's nothing special about ESessions in this regard.

Yes, the <body> is something we only added in Gajim.

> Non-standardized ESessions?! I thought it was a stable technology!
> 
> ;-)

See the suggestions I posted to standards at . It was the first real world
implementation, so of course there were some minor changes needed.

-- 
Jonathan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
Url : http://mail.jabber.org/pipermail/security/attachments/20080820/b0d052f7/attachment.pgp 


More information about the Security mailing list