[Security] client-to-client security :: Summary and todo's
melo at simplicidade.org
Sat Aug 23 09:15:57 CDT 2008
On Aug 23, 2008, at 2:28 PM, Jonathan Schleifer wrote:
> On 23.08.2008 at 15:12, Dirk Meyer wrote:
>> In that case we need a SOCKS5 proxy or a TURN server. I prefer the
>> TURN server but we lack ice-tcp support to use it.
>> I also need the server to help me find a TURN server I can use if I
>> need one.
> Well, I think we shouldn't use Jingle at all for transferring
> encrypted messages. It just adds too much complexity IMO and I
> don't always want a direct connection. Of course, I could use IBB,
> but do we really need Jingle to transfer it in our XMPP stream? The
> answer is clearly no. Plus, server admins might block IBB to save
> traffic, because they don't want for example Jingle Video traffic
> transferred in-band and thus disable Jingle IBB. I'm therefore for
> not using Jingle as a transport layer, but have some transport
> layer for c2c encryption only.
If you don't use Jingle, you'll have to create yet another
negotiation protocol for encrypted/trusted streams. Also, if you push
the negotiation of encrypted/trusted streams to Jingle, you can use
them for other stuff, like secure file-transfer, secure-
Jingle is a negotiation protocol. If you don't want to use a direct
connection, offer only IBB.
As for anti-IBB servers, well, I can only say that whatever in-band
format you end up with, it will look a lot like IBB in the end. At
least from a stanza-size perspective.
Sure, I understand that IBB can be a problem for some servers, but
that is why current servers have shaping mechanisms.
Arguments about video-over-IBB are not valid in my view. Those who
attempted such idiotic use of in-band resources would be stopped by
the shaping rules. IBB is a must have for fallback purposes, for what
I call "experience reliability": common stuff should always work.
One last point: if a client negotiates a high-bandwidth-protocol over
IBB, I would classify that as a major bug of the client. Common sense
alone should trigger big red flashing lights.
XMPP ID: melo at simplicidade.org